IS18 · Queensland Government · Complete Guide · Updated June 2026
Information Standard 18 is Queensland Government's mandatory information security framework. If you supply ICT services to QLD agencies, hold a government panel position, or manage government infrastructure, IS18 compliance obligations almost certainly flow to you through your contracts. This guide covers what IS18 requires, how it maps to the Essential Eight and ISO 27001, what an IS18 Compliance Statement must contain, and how to achieve compliance in 4 to 12 weeks.
Section 1
Information Standard 18 — commonly referred to as IS18 — is the Queensland Government's mandatory information security standard. It is issued under the Financial Accountability Act 2009 and governs how Queensland Government agencies protect the information they hold, create, and share. IS18 is maintained and administered by the Queensland Government Chief Information Officer (QGCIO), which sits within the Department of Housing, Local Government, Planning and Public Works.
IS18 is not a certification standard. There is no IS18 certificate to obtain and no third-party body that issues accreditations. It is a compliance framework with an attestation-based evidence model: organisations demonstrate compliance by producing an IS18 Compliance Statement — a structured document that declares their current posture against each IS18 requirement area, identifies known gaps, and commits to a remediation timeline.
The framework is built on two internationally recognised foundations. First, it adopts the governance principles of ISO/IEC 27001 — requiring agencies and suppliers to operate an Information Security Management System (ISMS) covering policy, risk management, asset management, access control, incident management, and management review. Second, it mandates implementation of the Australian Signals Directorate's Essential Eight mitigation strategies, making IS18 one of the few state-level frameworks to explicitly incorporate a national technical control baseline into its requirements.
IS18 also incorporates Queensland Government's information classification scheme. This scheme maps to the Australian Government's national classification scheme — OFFICIAL, OFFICIAL: Sensitive, and PROTECTED — and requires agencies and their ICT suppliers to handle information consistently with its classification level throughout its lifecycle.
What makes IS18 practically important for ICT suppliers is its contractual reach. IS18 is not just an internal government obligation — it flows directly to suppliers through contract schedules, whole-of-government panel deeds, and procurement requirements. If you supply managed services, software, cloud platforms, or professional services to Queensland Government agencies, your contractual obligations almost certainly include IS18 compliance requirements, whether or not the word "IS18" appears explicitly in your contract.
Section 2
IS18 compliance obligations extend well beyond Queensland Government agencies. Understanding exactly who bears these obligations — and how they flow through supply chains — is the first step in scoping your compliance programme.
Queensland Government agencies
All Queensland Government departments, statutory bodies, and government-owned corporations are subject to IS18 as a mandatory standard under the Financial Accountability Act 2009. Agencies must implement IS18, maintain a current IS18 Compliance Statement, and report their compliance posture to the QGCIO. Senior responsible officers bear personal accountability for agency IS18 compliance.
ICT managed service providers on QLD Government panels
Organisations holding positions on Queensland Government ICT procurement panels — including the GITC (Government ICT Conditions) framework and sector-specific panels — carry IS18 compliance obligations as a standing deed condition. Compliance is not assessed per-contract; it is a continuous requirement for maintaining panel eligibility. Panel coordinators are increasingly requesting Compliance Statements as part of periodic panel review processes.
Software and SaaS providers with QLD agency clients
Software vendors and SaaS platforms supplying Queensland Government agencies are typically required to demonstrate IS18-aligned security controls as part of vendor assessment and contract execution. The depth of assessment scales with the classification of information the platform will process or store — solutions handling OFFICIAL: Sensitive or PROTECTED information face the most rigorous requirements.
Subcontractors to primary ICT suppliers
Organisations that subcontract to a primary QLD Government ICT supplier — providing development, operations, security, or support services — commonly inherit IS18 obligations through their subcontract arrangement. Primary suppliers are responsible for their supply chain security under IS18, and most pass this obligation through to subcontractors contractually.
Government-adjacent organisations
Organisations that regularly exchange OFFICIAL: Sensitive information with Queensland Government — such as peak bodies, funded service providers, or regulatory bodies — are increasingly asked to demonstrate IS18-aligned practices as a condition of their information sharing arrangements, even where no formal contract exists.
Section 3
IS18 organises its requirements into four core areas. Understanding each pillar — and what it actually requires — is essential before attempting to produce an IS18 Compliance Statement or scope a compliance programme.
Pillar 1
IS18 requires organisations to operate a structured Information Security Management System (ISMS) aligned to ISO 27001 principles. This does not require ISO 27001 certification, but it does require a documented, functional ISMS that covers the following components:
Organisations with existing ISO 27001 certification satisfy this pillar comprehensively. Organisations without ISO 27001 must demonstrate equivalent governance through their own ISMS documentation.
Pillar 2
IS18 mandates implementation of the ASD's Essential Eight mitigation strategies. For Queensland Government agencies, the target is Maturity Level 2 (ML2). For ICT suppliers, the expectation is converging on ML2 as well — particularly for any supplier managing government infrastructure, operating cloud services that process government data, or providing managed security services.
The eight controls span two defensive categories:
Preventing malware delivery and execution:
Limiting the impact of incidents:
For organisations on Microsoft 365 E5, approximately 80-85% of ML2 is achievable through native tooling. The exception is Regular Backups, which requires third-party backup tooling as M365 does not include enterprise backup.
Pillar 3
IS18 requires organisations to classify information consistent with the Queensland Government information classification scheme, which aligns to the Australian Government's national classification scheme. The three operational classifications are:
ICT suppliers are required to handle government information consistent with its classification. This means understanding what classification your clients' information carries, configuring your systems appropriately, and ensuring your staff are trained on classification-aware handling practices. For organisations on Microsoft 365, Microsoft Purview Information Protection provides the native tooling for classification labelling and policy enforcement.
Pillar 4
IS18 requires organisations to have operational incident response and business continuity capabilities — not just documented plans. The key requirements are:
The tested IR plan and DR capability are what separates a functional IS18 programme from a paper-based one. Procurement teams increasingly ask for evidence of testing, not just the existence of plans.
Section 4
The IS18 Compliance Statement is the document that panel coordinators, procurement teams, and agency security leads actually read when assessing a supplier's security posture. It is not a certification, not a technical report — it is a structured attestation that declares where you stand against each IS18 requirement, what gaps exist, and what you are doing about them.
A well-structured IS18 Compliance Statement follows a consistent format. The sections below represent the components that should appear in every supplier Compliance Statement.
Identify the legal entity, the scope of systems and services covered by the Compliance Statement, and the date of the assessment. Where the statement covers a specific system or service rather than the whole organisation, the scope must be explicitly defined. Ambiguous scope is one of the most common reasons procurement teams send Compliance Statements back for revision.
State whether a documented ISMS is in place, when the information security policy was last reviewed and approved, whether ISO 27001 certification is held (and if so, the scope and expiry of the certificate), and whether management review has been conducted in the past 12 months. Include the date of the last management review as evidence of an active programme.
Declare the assessed maturity level for each of the eight controls — either self-assessed or assessor-verified. For each control at ML0 or ML1, include a brief explanation of the gap and the remediation timeline. Avoid blanket ML2 assertions without substantiation; procurement teams are trained to probe unsupported maturity claims. If you have assessor-produced evidence, reference it here.
Confirm that your systems and staff handling QLD Government information apply the Queensland/Australian Government classification scheme. State the highest classification of information your organisation handles, and describe the controls applied to that classification tier. For OFFICIAL: Sensitive and PROTECTED, describe the specific access, transmission, and storage controls in place.
Confirm that a current IR plan exists, state when it was last tested (and the test method — tabletop vs. live), and confirm that QGCIO notification obligations are incorporated. State when the last tabletop or live IR test was conducted. Describe your DR capability and the last restoration or failover test date. This section is increasingly scrutinised — a plan with no test date is treated as non-compliant.
List identified gaps against each IS18 pillar with a realistic remediation timeline. Include the risk rating of each gap, the proposed remediation action, the responsible owner, and the target completion date. An honest gap register with a credible plan signals a mature organisation — procurement teams understand that few suppliers are fully IS18 compliant and a transparent gap register demonstrates that you know your posture and are managing it.
The Compliance Statement must be signed by a senior responsible officer — a C-level executive, Managing Director, or delegated security lead at an appropriate seniority level. The attestation confirms that the information in the statement is accurate and complete to the best of the signatory's knowledge. Unsigned or unsigned-equivalent statements (e.g., signed by an analyst) are routinely returned.
Include a document version number, issue date, and review date. IS18 Compliance Statements should be updated at least annually, or whenever there is a material change to the organisation's security posture or the services in scope. A statement more than 12 months old is unlikely to be accepted in a procurement assessment without an explicit explanation of why it has not been reviewed.
A common mistake is treating the IS18 Compliance Statement as a marketing document — presenting the most favourable possible picture to avoid raising procurement concerns. This approach is counterproductive. Procurement teams and panel coordinators read many Compliance Statements. They can identify vague, unsupported claims. A statement that declares all controls at ML2 with no gaps and no substantiation will raise more suspicion than one that acknowledges gaps and provides a credible remediation plan with named owners and realistic dates.
The principle for a well-received IS18 Compliance Statement is: be honest about your current state, credible about your gap remediation, and precise about your scope. A supplier with ML1 overall but a clear ML2 roadmap and demonstrated governance maturity is often more approvable than a supplier with an unsubstantiated ML2 declaration.
Section 5
After assessing many ICT suppliers against IS18 requirements, these are the gaps that appear most consistently — and the ones that most frequently cause problems during procurement assessments.
The policy exists, but it was last reviewed three years ago and has not been re-approved by current senior management. IS18 requires the policy to be current (reviewed at least annually) and explicitly approved by management. A policy signed by a CTO who left the organisation two years ago is not compliant. This is an easy fix — but it requires senior management time to review and re-approve, which makes it harder to address quickly without a structured programme.
The organisation has a risk register, but it catalogues IT assets (servers, workstations, cloud services) rather than information risks. IS18 requires an information-risk methodology — identifying the information assets that matter, the threats and vulnerabilities relevant to those assets, and the likelihood and impact of each risk materialising. Reframing a hardware asset register as an information risk register is not sufficient; the methodology itself must change.
The organisation uses third-party cloud services, SaaS platforms, and subcontractors that process or access government information — but has no documented process for assessing these suppliers' security posture. IS18 requires a supply chain security process. The process does not need to be complex, but it must exist and be evidenced: a supplier security questionnaire, a review checklist, or a documented assessment cycle with records of completed assessments.
The IR plan was created during an earlier compliance exercise and has never been tested. Contact details are outdated. The QGCIO notification process is not referenced. Incident response plans that have never been exercised — even via a 90-minute tabletop — are not considered compliant under IS18. The test does not need to be elaborate, but it must be documented and the lessons learned must be incorporated into the plan.
One of the most consistently missing artefacts. IS18 requires documented evidence of senior management reviewing the security programme — including the risk register, incident history, and compliance status — at least annually. Many organisations perform this review informally but have no meeting minutes, no documented agenda, and no record that it occurred. Without a documented management review, this IS18 requirement cannot be evidenced regardless of how good the underlying security programme is.
The organisation acknowledges that its Essential Eight maturity is low but has no documented roadmap for improvement. IS18 procurement assessments are partly about current state, but also about trajectory. A supplier at ML1 with a credible, resourced ML2 roadmap is in a materially better position than one at ML1 with no plan. The roadmap must be specific: named controls, target maturity levels, responsible owners, and realistic completion dates.
The most basic gap: the organisation has never produced an IS18 Compliance Statement. When asked by a procurement team or panel coordinator for IS18 evidence, they have nothing to provide. This is more common than it should be — many ICT suppliers first become aware of their IS18 obligations during a procurement assessment, at which point the timeline to produce a credible statement is compressed. Having a current Compliance Statement ready before you need it is basic procurement hygiene for any QLD Government supplier.
The organisation knows about the Queensland/Australian Government classification scheme but has not operationalised it: staff do not classify the government information they handle, systems do not enforce classification-based controls, and there is no training programme. Classification compliance is particularly important for suppliers handling OFFICIAL: Sensitive data — procurement assessments increasingly ask suppliers to demonstrate that their staff understand and apply classification requirements in practice, not just in policy.
Section 6
Queensland Government ICT suppliers frequently need to understand how IS18 relates to other frameworks — particularly when they also sell into the federal government market or have international customers. Here is a direct comparison of the three most relevant frameworks.
| Dimension | IS18 (QLD) | ISO 27001 | PSPF / ISM (Federal) |
|---|---|---|---|
| Jurisdiction | Queensland Government | International (ISO/IEC) | Australian Commonwealth Government |
| Type | Compliance framework — attestation-based | Certification standard — third-party audit | Policy framework + technical manual |
| Essential Eight | Mandated (ML2 target for agencies) | Not required (controls are risk-based) | Mandated under PSPF Policy 10 |
| Governance scope | ISO 27001-aligned ISMS principles | Full ISMS — 93 Annex A controls | Protective security + ISM technical controls |
| Classification | QLD/Australian Government scheme (OFFICIAL, OFFICIAL: Sensitive, PROTECTED) | Organisation-defined (risk-based) | Australian Government classification scheme |
| Output | IS18 Compliance Statement | ISO 27001 certificate (accredited body) | IRAP assessment report (ISM); PSPF self-assessment |
| Timeline | Assessment 3-4 weeks; full programme 8-16 weeks | 6-12 months for initial certification | IRAP assessment 4-8 weeks; PSPF reporting ongoing |
| Recognised by | QLD Government agencies and panels | International enterprise, US/UK/EU procurement | Commonwealth agencies, Defence, federal procurement |
ISO 27001 certification satisfies IS18's governance pillar in full. An ISO 27001-certified organisation can reference its certificate in its IS18 Compliance Statement and need not separately document an ISMS for IS18 purposes. However, ISO 27001 alone does not satisfy IS18 — the Essential Eight implementation and information classification requirements still need to be addressed separately.
Conversely, an IS18-compliant programme is roughly 60-70% of the way to ISO 27001. The IS18 governance requirements, risk management process, and documentation artefacts closely mirror the ISO 27001 ISMS requirements. Organisations that have invested in IS18 compliance are well positioned to pursue ISO 27001 certification with incremental additional effort — primarily addressing the additional Annex A controls not covered by IS18 and engaging an accredited certification body for audit.
If you primarily sell into QLD Government — start with IS18. If you also have private sector or federal government customers — run IS18 and ISO 27001 as a combined programme from the outset for maximum cost efficiency.
The PSPF (Protective Security Policy Framework) is the federal government's equivalent of IS18 — it applies to Commonwealth entities and flows to federal ICT suppliers. The ISM (Information Security Manual) is ASD's technical control manual for Commonwealth and Defence systems, and underpins IRAP (Infosec Registered Assessors Program) assessments.
IS18 and PSPF share the same classification scheme (OFFICIAL, OFFICIAL: Sensitive, PROTECTED) and both mandate the Essential Eight. This means a significant portion of an IS18 compliance programme directly supports PSPF compliance as well. The primary differences are in the governance structure and reporting — PSPF reporting goes to the Attorney-General's Department, IS18 reporting goes to the QGCIO, and the specific documentation requirements differ between jurisdictions.
For organisations supplying both Queensland and Commonwealth agencies, a shared control set designed to satisfy both frameworks is achievable and cost-efficient. This requires a compliance programme designed with both frameworks in mind from the outset — retrofitting one framework's requirements onto a programme designed purely for the other adds significant rework.
Section 7
IS18 compliance follows a structured pathway. The right scope depends on whether you need an assessment and Compliance Statement only, or a full programme including documentation uplift and Essential Eight implementation. Here are the three common programme types.
For suppliers who need to respond to a procurement request, demonstrate panel eligibility, or understand their current IS18 posture before a contract negotiation. Covers a structured assessment against all four IS18 pillars, an Essential Eight maturity assessment against ASD criteria, and production of a current IS18 Compliance Statement. The output is a defensible statement your legal and commercial teams can use in procurement contexts.
What it includes: IS18 pillar assessment against QGCIO requirements, E8 maturity assessment for all eight controls, gap register with prioritised remediation recommendations, draft IS18 Compliance Statement ready for senior management review and sign-off.
For suppliers who need to achieve genuine IS18 compliance — not just a Compliance Statement — and close the gaps identified in assessment. Covers assessment, documentation uplift across all four pillars, ISMS documentation (policy, risk register, asset register, supplier assessment process, IR plan), and an Essential Eight ML2 roadmap with implementation guidance.
What it includes: Everything in Programme A, plus: ISMS documentation suite (6-10 documents), information risk register refresh, supplier security assessment process design, IR plan update and tabletop exercise facilitation, management review facilitation and documentation, E8 ML2 configuration roadmap, and a final IS18 Compliance Statement signed off against the delivered programme.
For suppliers who need both the IS18 governance programme and actual Essential Eight ML2 implementation — including the Microsoft 365 configuration uplift, evidence pack assembly, and continuous monitoring capability. This is the full end-to-end programme that delivers both a compliant IS18 programme and a defensible E8 ML2 evidence pack.
What it includes: Everything in Programme B, plus: M365 E8 technical implementation (Intune configuration, Conditional Access policies, PIM deployment, WDAC/AppLocker policy, Defender Vulnerability Management, backup platform deployment and testing), full ML2 evidence pack assembly, and an IS18 Compliance Statement referencing assessor-verified E8 maturity.
01
Weeks 1–3
Gap analysis against all four IS18 pillars and all eight Essential Eight controls. Asset inventory review. Documentation inventory. Senior stakeholder interviews to understand current governance practices. Output: prioritised gap register and assessment report.
02
Weeks 4–7
ISMS documentation uplift — information security policy, risk register, asset register, supplier assessment process, IR plan refresh. IR tabletop exercise. Management review facilitation. Output: IS18-compliant documentation suite.
03
Weeks 8–13
Essential Eight technical controls deployed in M365 — Conditional Access, PIM, Intune compliance baselines, WDAC policy, Defender VM dashboards, backup platform. Evidence collected at each control throughout implementation.
04
Weeks 14–16
E8 evidence pack assembled and QA reviewed. IS18 Compliance Statement drafted and reviewed. Senior management sign-off facilitated. Compliance Statement delivered in final form, ready for procurement and panel submissions.
Section 8
Whether you are responding to an urgent procurement request or building a long-term IS18 compliance programme, these three starting points will give you an accurate picture of where you actually stand.
01
Our automated posture scan checks your Microsoft 365 environment against the key Essential Eight ML2 criteria — Conditional Access enforcement, MFA coverage, legacy authentication status, Intune compliance policy configuration, privileged role assignments, and audit log retention. It takes 15 minutes to run and produces a prioritised gap report against ML1 and ML2 criteria. For IS18 purposes, this gives you an objective baseline for the Essential Eight pillar — the fastest IS18 gap to identify and the one most commonly misrepresented in self-assessments.
Run the free posture scan02
If you supply to Queensland Government — or are considering it — review your contract schedule and deed of standing offer for IS18 obligations. Look for references to IS18, QGCIO, information security standards, or Essential Eight compliance. If your contract is silent on IS18 but references "applicable Queensland Government information security requirements," IS18 applies. Understanding your contractual obligations before your customer asks for a Compliance Statement is essential for managing compliance risk proactively.
Book a contract review call03
A 30-minute call gives you a realistic assessment of your IS18 posture — covering all four pillars and your Essential Eight maturity — and a clear programme pathway with timeline and fixed-price estimate. We cover what a compliant Compliance Statement needs to contain for your specific supply context, the highest-priority gaps in your programme, and whether you need Assessment only, Programme B, or the full IS18 + E8 implementation scope. No obligation, no pitch — just a clear picture of where you stand and what it takes to get compliant.
Book a 30-min scoping callFAQ
The questions we are most commonly asked by Queensland Government ICT suppliers about IS18 obligations, Compliance Statements, and achieving compliance efficiently.
IS18 is directly mandatory for Queensland Government agencies. However, it flows to ICT suppliers through contract schedules and panel deed requirements. If you hold a position on a Queensland Government ICT panel — or are supplying directly to a QLD agency under a contract — your agreement almost certainly contains IS18 compliance obligations. Subcontractors to primary ICT suppliers may also inherit these requirements through their subcontract arrangements. If you are unsure whether your specific contract carries IS18 obligations, the safest approach is to review your contract schedule or seek legal advice on information security obligation clauses.
IS18 is Queensland Government's mandatory information security compliance framework — attestation-based, not certification-based, and it mandates Essential Eight implementation as a core requirement. ISO 27001 is an international certification standard for information security management systems. ISO 27001 certification satisfies IS18's governance pillar but is not required — IS18 compliance is achievable without it. An IS18-aligned programme is roughly 60-70% of the way to ISO 27001 certification. If you also sell into private sector or federal government, the additional investment to achieve ISO 27001 is usually worthwhile. For QLD Government only, IS18 is the more direct and faster path.
An IS18 Compliance Statement should cover: organisation and scope identification; governance status (ISMS, policy, management review); Essential Eight maturity level for each control with gap explanations; information classification alignment; incident management capability and test dates; a gap register with remediation plan and timelines; and a senior management attestation (signed by a C-level or equivalent). Procurement teams read the Compliance Statement to make risk decisions. An honest statement that acknowledges gaps but provides a credible roadmap is more approvable than a vague clean-looking attestation that cannot be substantiated.
IS18 mandates Essential Eight implementation. For Queensland Government agencies, the target is Maturity Level 2 (ML2). For ICT suppliers, the expectation is increasingly ML2 as well — particularly for managed service providers, cloud and SaaS providers, and suppliers handling OFFICIAL: Sensitive or PROTECTED information. Suppliers currently at ML0 or ML1 with no documented roadmap are the highest-risk category in procurement assessments. A supplier at ML1 with a credible ML2 roadmap and realistic delivery dates is in a materially better procurement position than one with no roadmap.
An IS18 gap analysis, Essential Eight assessment, and Compliance Statement typically takes 3-4 weeks. A full IS18 compliance programme covering documentation uplift and an Essential Eight ML2 roadmap runs 8-12 weeks. Full IS18 compliance including Essential Eight ML2 technical implementation takes 12-16 weeks for most organisations on Microsoft 365 E5. Timelines depend heavily on your current maturity — organisations with existing ISO 27001 or ASD-aligned programmes will move faster. The governance documentation work (policy, risk register, IR plan refresh, management review) is typically on the critical path, not the technical implementation.
IS18 is Queensland Government's state-level information security standard. The PSPF (Protective Security Policy Framework) is the federal government's equivalent — it applies to Commonwealth entities and flows to federal ICT suppliers. The ISM (Information Security Manual) is ASD's technical control manual primarily for Commonwealth and defence systems. IS18 and PSPF share the same classification scheme and both mandate the Essential Eight, so a properly designed compliance programme satisfies both without redundant effort. If you work across both federal and state government, design your compliance programme against both frameworks from the outset.
Not necessarily for every contract — but any contract for ICT services, managed services, or information handling will almost certainly include IS18 obligations. The risk tier of the information you handle affects the depth of compliance expected: contracts involving OFFICIAL: Sensitive or PROTECTED information carry stricter requirements. If you hold a whole-of-government panel position (e.g., GITC), IS18 compliance is a standing obligation, not a per-contract assessment. The safest approach is to treat IS18 compliance as a baseline capability rather than a per-procurement exercise — you will need it eventually and it is better to be ready before a procurement deadline forces the issue.
Optimistic self-assessment is one of the most common IS18 compliance risks. If a procurement team or panel coordinator requests substantiation and your evidence does not match your stated maturity, this creates both a procurement risk (potential disqualification) and a contractual liability risk (misrepresentation of security posture). The safer approach is an honest Compliance Statement with identified gaps and a credible remediation timeline. Procurement teams are accustomed to suppliers with gaps — what they cannot accept is unsubstantiated claims. If you are unsure whether your self-assessment is accurate, an independent E8 assessment produces a defensible baseline you can stand behind.
For the Essential Eight pillar, yes — organisations on Microsoft 365 E5 can achieve approximately 80-85% of ML2 through native tooling (Intune, Entra ID PIM, Defender for Endpoint, Conditional Access). The exception is Regular Backups, which always requires third-party tooling (Veeam, AvePoint, HYCU, or similar) as Microsoft 365 does not include enterprise backup. For IS18's governance, information classification, and incident management pillars, M365 provides enabling tools (Purview for classification, Sentinel for incident detection) but the programme design, policy documentation, and management review processes require professional services support regardless of tooling.
If your primary market is Queensland Government or state government more broadly — start with IS18. It is the direct procurement requirement and you can achieve compliance faster and at lower cost than ISO 27001. If you are also targeting federal government, private sector enterprise, or international customers — ISO 27001 provides broader recognition and an IS18-aligned programme is roughly 60-70% of the way there. The most cost-efficient approach for organisations needing both is a combined IS18 + ISO 27001 programme designed from the outset to satisfy both frameworks simultaneously — typically 30-40% cheaper than running them sequentially.
Run our free automated posture scan to get an objective baseline for your Essential Eight maturity in 15 minutes — or book a 30-minute call to walk through your IS18 obligations, identify your highest-priority gaps, and get a realistic pathway to compliance with a fixed-price estimate.
Hi! I’m the Compliance365 AI. I can help you work out which security or privacy framework you need, explain what’s involved, and answer questions about ISO 27001, SOC 2, Essential Eight, and more.
What can I help you with today?
Messages are sent to our AI assistant (Claude, by Anthropic) to generate a reply — not stored as part of your account and not used to train AI models.