Cyber security in Queensland
Critical infrastructure reporting under SOCI, APRA CPS 234 information security, ASD Essential Eight, Right Fit For Risk for federal subcontractors, and the broader cyber compliance stack.
0 Qld-specific obligations
11 Federal obligations
Federal
Report cyber security incidents to ASD (SOCI)
Critical infrastructure asset operators must report critical incidents within 12 hours and other incidents within 72 hours.
Adopt Essential Eight Maturity Level 2 (federal subcontractors)
Federal government contractors handling OFFICIAL: Sensitive must meet Right Fit For Risk (RFFR) including E8 ML2.
Comply with Serious Incident Response Scheme (aged care)
Residential and home-care providers must notify the Aged Care Quality and Safety Commission of priority 1 incidents within 24 hours.
Comply with SOCI Positive Security Obligation (PSO) per sector
Sector-specific cyber and risk obligations under SOCI Part 2.
Comply with APRA CPS 220 (Risk Management)
APRA-regulated entities must have a comprehensive risk management framework.
Comply with APRA CPS 234 (Information Security)
APRA-regulated entities must maintain information security capability commensurate with the size and extent of threats.
Report serious NDIS incidents to the NDIS Commission
Death, serious injury, abuse, neglect, unauthorised restrictive practices, and sexual misconduct must be notified.
Adopt and maintain a Critical Infrastructure Risk Management Program (CIRMP)
Covered critical infrastructure entities must adopt a CIRMP addressing cyber, physical, personnel, and supply-chain hazards.
ISO/IEC 27001 ISMS certification — increasingly customer-mandated
An Information Security Management System per ISO 27001 is increasingly required by customers and government.
Register as a responsible entity / direct interest holder under SOCI
Captured critical-infrastructure assets must be registered with Home Affairs.
Government cyber incident reporting via ASD ACSC
Federal entities and critical infrastructure report cyber incidents to ASD ACSC.