Queensland Corrective Services seeks cyber security GRC solution

By Jason Pollock on Nov 20, 2025 11:31AM
The Cyber Security Unit (CSU) of Queensland Corrective Services (QCS) Digital Services and Information Technology Command (DSITC) is seeking a cyber security GRC and supply chain management solution.

This solution is specifically intended for managing official government information classified as OFFICIAL, SENSITIVE or PROTECTED under the Queensland Government Information Security Classification Framework.

QCS DSITC is responsible for establishing, leading and managing the digital and technology functions within QCS. It works with business areas to ensure ICT investment aligns with and supports the agency’s strategic direction, exploring emerging digital solutions whilst leveraging and managing existing business critical ICT environments.

GRC activities are currently managed and tracked through individual Excel documents.

"This is ineffective, and the documents require constant upkeep from a team that is already under resourced," the QCS said.

DSITC CSU requires a centralised point of reference to accurately track, record and recommend GRC activities that directly relate to the compliance and security posture of QCS’ Information Security Management System and alignment to frameworks such as ISO27001 and the Australian Signals Directorate Information Security Manual.

The cyber security GRC and supply chain management solution will provide the QCS CSU with the ability to proactively and continuously improve the governance, compliance and risk related activities within QCS’s corporate and operational technology environments.

It will be the central hub used to track and allocate information security/cyber security risks, controls, policies and assurance related activities and will aim to enable QCS to substantially increase information security/cyber security regulatory compliance and reduce cyber security risks across its supply chain.

The solution is expected to undertake detailed information security threat and risk assessments of suppliers and internally hosted systems; record, track and monitor information security risks and treatments and assign both risk and treatment owners; and establish a policy lifecycle management capability so that all DSITC Policies and Procedures are assigned owners and updated in a timely manner.

It will also need to provide dashboarding or reporting to relevant committees on the security posture of the agency’s suppliers/supply chain; streamline the ongoing management of the agency’s Information Security Management System, including the ability to centrally manage a Statement of Applicability and record corrective actions; record internal controls and monitor their efficacy; and import lists of existing suppliers and automate annual cyber security questionnaires requesting evidence/assurance from the suppliers over the security posture of their systems relevant to QCS.

The tender closes on 3 December 2025 at 1:00 PM (AEDT).

Copyright © nextmedia Pty Ltd. All rights reserved.