IS18:2018 · QGEA · Queensland Government · Brisbane

IS18 compliance that never leaves your tenant.

IS18 is, by its own definition, an ISO 27001-aligned ISMS plus Essential Eight — plus the Queensland obligations neither carries on its own. We deliver all of it as one programme, with every register, control and piece of evidence living in your Microsoft 365 tenant, and the accountable officer's annual return assembled from live data instead of a September scramble.

  • All four IS18 pillars, one programme
  • Data sovereignty — no external platform
  • Essential Eight ML2 included
  • Annual return ready by design
  • Brisbane-based, senior-led, fixed-price
Illustration of a government security compliance programme spanning governance, controls and reporting

The question every agency should ask a GRC vendor first

"Where does our security posture data live?" For most compliance platforms the honest answer is on our servers — a third-party SaaS database holding a detailed map of a government agency's control gaps. Ours is different by architecture, not by policy.

Typical GRC platform

Your gaps, on their servers

  • Registers and evidence copied into a vendor SaaS database
  • Hosting location and access controlled by the vendor
  • Another supplier to security-assess and contract-manage
  • Per-seat platform licensing, forever
  • Offboarding means exporting and hoping

Checkpoint + Compliance365

Your gaps, in your tenant

  • Every register is a SharePoint list inside your own Microsoft 365 tenant
  • No backend, no vendor database — posture checks are read at scan time and never leave the browser
  • Access governed by your existing Entra ID and SharePoint permissions
  • Read-only Microsoft Graph permissions, consented incrementally by your admin
  • Everything stays yours on day one and on the day we leave

The four pillars of IS18 — and how each is delivered

IS18:2018 isn't a checklist — it's four connected obligations that culminate in an attestation the accountable officer personally signs. We build each one on the shared control set, so nothing is done twice.

1. ISMS aligned to ISO 27001

Scope, policy set, risk methodology, Statement of Applicability and management review — structured to ISO 27001 as IS18 mandates, so the same programme carries you to certification later if you want it. Governance artefacts are drafted for your context, not templated boilerplate.

2. Essential Eight maturity

All eight strategies assessed against the ACSC maturity model and uplifted to your endorsed target level (typically ML2) using your existing Microsoft 365 tooling — Intune, Entra PIM, Conditional Access, Defender. Automated posture checks keep per-strategy status current between annual reports.

3. QGISCF classification & handling

Information assets classified OFFICIAL / SENSITIVE / PROTECTED with Purview sensitivity labels matching the framework, and handling enforced downstream — DLP policies, external sharing governance, and label-driven encryption for material that must not leave agency control.

4. Incidents, breaches & the annual return

Incident response with the Cyber Security Unit reporting trigger built in, breach handling aligned to the Information Privacy Act's mandatory notification scheme, and the 30 September annual return assembled from the live registers — posture, Essential Eight maturity, incidents and risk position — ready for the accountable officer's signature.

The Checkpoint IS18 module — compliance that maintains itself

Every IS18 engagement runs on our Checkpoint console, deployed into your tenant with a dedicated IS18 register — 32 controls across governance, risk, classification, Essential Eight, incidents, suppliers and the annual return, each with implementation guidance and evidence expectations written for Microsoft 365.

Automated posture checks

25 checks read your tenant's real state — MFA and Conditional Access, application control, patching, macros, privileged access, sensitivity labels, DLP, external sharing, encryption, logging and alerting — and 19 of them map straight onto IS18 controls, suggesting status updates a practitioner confirms with one click.

Drift detection between returns

An optional scheduled monitor (deployed into your own Azure subscription, never ours) re-runs the checks unattended and raises an alert the day a control that passed starts failing — so the posture attested in September is still true in March.

ISO 27001 + Essential Eight included

The IS18 module is licensed as a bundle: full ISO 27001 and Essential Eight registers are included because IS18 is built on both. One cross-mapped control set — implement once, evidence once, report three ways.

Who this is for

Queensland agencies & statutory bodies

Departments and statutory bodies carrying the IS18 obligation directly — especially teams facing the annual return with a register that lives in spreadsheets, or an Essential Eight self-assessment they can't currently substantiate.

ICT suppliers to QLD Government

Panel holders and contractors whose deeds and schedules flow IS18 down to them. An evidence-backed compliance statement — honest about gaps, with a credible roadmap — is what keeps panel eligibility and wins the risk assessment.

Managed service & SaaS providers

Providers hosting or processing OFFICIAL: Sensitive material for agencies, who need IS18 alignment plus the ISO 27001 certification path for their broader market — one programme, both outcomes.

Common questions

What does IS18 actually require?

An ISMS aligned to ISO 27001, Essential Eight implementation and maturity reporting, QGISCF information classification, incident reporting to the Cyber Security Unit, and an annual return signed by the accountable officer by 30 September. Suppliers inherit these through contract schedules and panel deeds.

Where does our data live?

In your own Microsoft 365 tenant, full stop. Checkpoint has no backend and no vendor database — registers are SharePoint lists in your tenant, and posture checks never leave the browser. There is no third-party platform holding your security posture.

How long does it take?

Gap assessment with costed roadmap: 3–4 weeks. Full programme to an evidence-backed annual return: typically 8–16 weeks depending on current maturity. Existing ISO 27001 or ASD-aligned programmes move materially faster.

We already hold ISO 27001 — what's left?

The Queensland-specific layer: QGISCF classification, Essential Eight reporting against endorsed targets, CSU incident reporting, mandatory breach notification under the Information Privacy Act, and the annual return. We map your existing ISMS across so only the new work gets done.

What Essential Eight level do we need?

Agencies target ML2 as the standard baseline; suppliers handling OFFICIAL: Sensitive or PROTECTED information are increasingly expected to match it. Target levels are endorsed by your accountable officer as part of the programme, then reported against annually.

Can you work with our existing security team?

That's the model. We deliver senior-led and hands-on, but the registers, the console and the evidence pipeline are built to be operated by your team after handover — with the automated checks doing the between-audit maintenance.

Proof it works

Related frameworks

IS18 shares most of its control surface with ISO 27001 and the Essential Eight — and pairs with DISP/IRAP for organisations working across state and federal government.

365 Free scoping tool

Get a realistic scope in 30 seconds

Three questions. Instant estimate including the third-party platform licence costs you'll avoid. No sign-up.

Pick one from each row to unlock

The annual return is due 30 September. Where do you actually stand?

A free 30-minute call will give you an honest read on your position against all four IS18 pillars, the gaps that matter for this year's return, and what a realistic programme looks like — whether you're an agency, a statutory body, or a supplier whose panel deed just grew an IS18 schedule.

Microsoft Teams