Queensland Government — IS18 Reporting & Assurance

At a glance

• Client: Queensland Government agency
• Scope: Produce an IS18 assurance report integrating ISO 27001 (governance/risk) and the ASD Essential Eight (technical controls), with Microsoft 365 as the primary evidence source.
• Why now: Funding and executive reporting required a single, defensible status across frameworks.

Problem

The agency had pockets of assurance work underway (policy refresh, risk register drafts, Microsoft 365 hardening), but no single view across IS18, ISO 27001 and the Essential Eight. The executive team needed a consolidated report that:

• Mapped control status and gaps across frameworks
• Was backed by verifiable evidence (not self-attestations)
• Produced a prioritised uplift plan with effort and risk impact

Approach

1. Scoping & control mapping

   • Agreed IS18 scope and context, then aligned each IS18 clause with ISO 27001 domains and Essential Eight strategies.
   • Defined evidence locations across SharePoint, Entra, Defender, Intune and Purview.

2. Rapid gap assessment (4 weeks)

   • Ran interviews and targeted sampling against ISO 27001 (scope, parties, roles, SoA) and E8 (AC, patching, macros, hardening, admin, OS patching, MFA, backups).
   • Tagged each control as Yes / Partial / No with rationale and links to source evidence.

3. Evidence automation

   • Implemented a light-weight evidence register and scheduled exports (M365 logs, policy approvals, change records, backup reports) to support repeatable IS18 reporting.

4. Uplift roadmap

   • Prioritised actions by risk reduction and delivery effort.
   • Sequenced activities that unlock multiple control wins (e.g., conditional access + MFA coverage; GPO/Intune baselines).

Outcome

• Single IS18 report consolidating ISO 27001 & Essential Eight status with reliable evidence references
• Executive dashboard for status, gaps, and trend
• Repeatable evidence cadence from Microsoft 365
• Uplift plan that raised readiness from 48% → 82% in one quarter

Key Results

• Report delivered in 4 weeks
• 68 controls mapped and assessed
• 55% reduction in evidence collection effort
• Approved 12-week uplift plan with budget confidence

What we delivered

• IS18 assurance report (with ISO 27001 & E8 cross-references)
• Evidence register & scheduled exports (SharePoint, Entra, Defender, Intune, Purview)
• Prioritised roadmap and delivery playbooks
• Executive brief & Q&A pack