IS18:2018 · QGEA · Queensland Government · Brisbane
IS18 is, by its own definition, an ISO 27001-aligned ISMS plus Essential Eight — plus the Queensland obligations neither carries on its own. We deliver all of it as one programme, with every register, control and piece of evidence living in your Microsoft 365 tenant, and the accountable officer's annual return assembled from live data instead of a September scramble.
"Where does our security posture data live?" For most compliance platforms the honest answer is on our servers — a third-party SaaS database holding a detailed map of a government agency's control gaps. Ours is different by architecture, not by policy.
Typical GRC platform
Checkpoint + Compliance365
IS18:2018 isn't a checklist — it's four connected obligations that culminate in an attestation the accountable officer personally signs. We build each one on the shared control set, so nothing is done twice.
Scope, policy set, risk methodology, Statement of Applicability and management review — structured to ISO 27001 as IS18 mandates, so the same programme carries you to certification later if you want it. Governance artefacts are drafted for your context, not templated boilerplate.
All eight strategies assessed against the ACSC maturity model and uplifted to your endorsed target level (typically ML2) using your existing Microsoft 365 tooling — Intune, Entra PIM, Conditional Access, Defender. Automated posture checks keep per-strategy status current between annual reports.
Information assets classified OFFICIAL / SENSITIVE / PROTECTED with Purview sensitivity labels matching the framework, and handling enforced downstream — DLP policies, external sharing governance, and label-driven encryption for material that must not leave agency control.
Incident response with the Cyber Security Unit reporting trigger built in, breach handling aligned to the Information Privacy Act's mandatory notification scheme, and the 30 September annual return assembled from the live registers — posture, Essential Eight maturity, incidents and risk position — ready for the accountable officer's signature.
Every IS18 engagement runs on our Checkpoint console, deployed into your tenant with a dedicated IS18 register — 32 controls across governance, risk, classification, Essential Eight, incidents, suppliers and the annual return, each with implementation guidance and evidence expectations written for Microsoft 365.
25 checks read your tenant's real state — MFA and Conditional Access, application control, patching, macros, privileged access, sensitivity labels, DLP, external sharing, encryption, logging and alerting — and 19 of them map straight onto IS18 controls, suggesting status updates a practitioner confirms with one click.
An optional scheduled monitor (deployed into your own Azure subscription, never ours) re-runs the checks unattended and raises an alert the day a control that passed starts failing — so the posture attested in September is still true in March.
The IS18 module is licensed as a bundle: full ISO 27001 and Essential Eight registers are included because IS18 is built on both. One cross-mapped control set — implement once, evidence once, report three ways.
Departments and statutory bodies carrying the IS18 obligation directly — especially teams facing the annual return with a register that lives in spreadsheets, or an Essential Eight self-assessment they can't currently substantiate.
Panel holders and contractors whose deeds and schedules flow IS18 down to them. An evidence-backed compliance statement — honest about gaps, with a credible roadmap — is what keeps panel eligibility and wins the risk assessment.
Providers hosting or processing OFFICIAL: Sensitive material for agencies, who need IS18 alignment plus the ISO 27001 certification path for their broader market — one programme, both outcomes.
An ISMS aligned to ISO 27001, Essential Eight implementation and maturity reporting, QGISCF information classification, incident reporting to the Cyber Security Unit, and an annual return signed by the accountable officer by 30 September. Suppliers inherit these through contract schedules and panel deeds.
In your own Microsoft 365 tenant, full stop. Checkpoint has no backend and no vendor database — registers are SharePoint lists in your tenant, and posture checks never leave the browser. There is no third-party platform holding your security posture.
Gap assessment with costed roadmap: 3–4 weeks. Full programme to an evidence-backed annual return: typically 8–16 weeks depending on current maturity. Existing ISO 27001 or ASD-aligned programmes move materially faster.
The Queensland-specific layer: QGISCF classification, Essential Eight reporting against endorsed targets, CSU incident reporting, mandatory breach notification under the Information Privacy Act, and the annual return. We map your existing ISMS across so only the new work gets done.
Agencies target ML2 as the standard baseline; suppliers handling OFFICIAL: Sensitive or PROTECTED information are increasingly expected to match it. Target levels are endorsed by your accountable officer as part of the programme, then reported against annually.
That's the model. We deliver senior-led and hands-on, but the registers, the console and the evidence pipeline are built to be operated by your team after handover — with the automated checks doing the between-audit maintenance.
Panel renewal at risk. IS18 assessment, E8 ML2 gap analysis, and documented roadmap delivered in four weeks — panel eligibility retained, 65% of revenue protected.
Read case study →Everything in one place: the four pillars, what a compliance statement needs to contain, IS18 vs ISO 27001 vs PSPF, and how much of it Microsoft 365 already covers.
Read the guide →IS18 shares most of its control surface with ISO 27001 and the Essential Eight — and pairs with DISP/IRAP for organisations working across state and federal government.
Three questions. Instant estimate including the third-party platform licence costs you'll avoid. No sign-up.
Estimate based on typical engagement patterns. Precise scope confirmed on call after reviewing your environment.
A free 30-minute call will give you an honest read on your position against all four IS18 pillars, the gaps that matter for this year's return, and what a realistic programme looks like — whether you're an agency, a statutory body, or a supplier whose panel deed just grew an IS18 schedule.
Hi! I’m the Compliance365 AI. I can help you work out which security or privacy framework you need, explain what’s involved, and answer questions about ISO 27001, SOC 2, Essential Eight, and more.
What can I help you with today?
Messages are sent to our AI assistant (Claude, by Anthropic) to generate a reply — not stored as part of your account and not used to train AI models.