Right Fit for Risk (RFFR) Scheme, Accreditation and Compliance

Find Out What RFFR Is All About and How We Help


What Is Right Fit for Risk?

Australia’s Department of Education, Skills and Employment (DESE) introduced Right Fit for Risk (RFFR) in late 2019. The accreditation approach is intended to ensure that contracted providers and their subcontractors meet DESE’s contractual information security requirements.

RFFR supplements the baseline requirements of ISO/IEC 27001 with additional controls drawn from the Australian Government Information Security Manual (ISM), so that a provider’s information security management system (ISMS) keeps pace with evolving legal, security and technical requirements.

You also need a Statement of Applicability (SoA) that reflects your organisation’s own security risks and requirements and records which ISM safeguards apply to you. It must take account of the RFFR core expectations, such as the Australian Cyber Security Centre’s Essential Eight strategies, data sovereignty and personnel security.

What Is the DESE ISMS Scheme?

DESE requires organisations to comply with its Information Security Management System (ISMS) scheme; an organisation that does so is recognised as operating a DESE-accredited ISMS.

What Is an Information Security Management System (ISMS)?

An ISMS provides the tools you need to safeguard and manage your company’s information through effective risk management.

It supports compliance with many laws, regulations and certification schemes, and focuses on protecting three key properties of information: confidentiality, integrity and availability.

What Is ISO 27001?

ISO/IEC 27001 is an internationally recognised standard, created to help organisations protect their information systematically and efficiently.

It gives any organisation, regardless of size or sector, a framework and an approach for protecting its most important information assets.

Intelligent Risk Mapping

Our integrated management system includes risk management tools and a pre-populated risk bank, so you can adopt, adapt and add to the ISO 27001 Annex A controls to suit your organisation.

The ISMS.online risk map tool gives a top-down view of organisational risk, mapping risk factors and opportunities onto your organisation’s strategic goals and objectives so that you can carry out a thorough gap analysis.

ISMS.online also lets you monitor your organisation’s information security risks, posture and ISO 27001 compliance. The dashboard is accessible through a web browser, so you can view your information security status at any time.


How to Prepare for RFFR ISMS Certification?

During RFFR ISMS accreditation, auditors examine your systems and supporting documentation. Organisations are assessed at three key milestones during the accreditation process (Category 2B providers complete only milestones 1 and 3).

Providers can use the milestones to gauge their organisation’s current cyber security maturity and identify areas for improvement.

What Are Providers and Subcontractors Categories?

Providers and subcontractors are placed into categories that determine how they obtain accreditation under the Right Fit For Risk (RFFR) approach.

  1. Category One – Providers and subcontractors delivering services to 2,000 or more individuals per annum.
  2. Category Two – Providers and subcontractors delivering services to fewer than 2,000 individuals per annum. This category has two sub-categories, referred to as ‘Category 2A’ and ‘Category 2B’.

Determining which category applies to you involves considering the following risk factors (among others):

  • IT environment
  • Outsourcing
  • Subcontract arrangements
  • Structure of organisation
  • The level of security maturity
  • The extent of sensitive information held
  • Level of access to departmental systems

RFFR Categories

Category 1
  • Annual case load: 2,000 or more
  • Risk profile: greater risk
  • Basis of accreditation: ISO 27001 conforming ISMS (Information Security Management System), independently certified
  • Accreditation maintenance: annual surveillance audit and triennial recertification
  • Milestones to complete: 1, 2 and 3

Category 2A
  • Annual case load: under 2,000
  • Risk profile: medium risk
  • Basis of accreditation: ISO 27001 conforming ISMS, self-assessed
  • Accreditation maintenance: annual self-assessment
  • Milestones to complete: 1, 2 and 3

Category 2B
  • Annual case load: under 2,000
  • Risk profile: low risk
  • Basis of accreditation: Management Assertion Letter
  • Accreditation maintenance: annual Management Assertion Letter
  • Milestones to complete: 1 and 3

Milestone 1 – Business Maturity Assessment

The first milestone is a business maturity assessment: your organisation’s initial information security maturity is assessed against the Australian Signals Directorate (ASD) Essential Eight Maturity Model, which rates how well each of the eight mitigation strategies has been implemented.

Milestone 2 – ISO 27001 Compliance and Statement of Applicability

To meet milestone 2, you need an Information Security Management System tailored to your organisation that conforms to ISO 27001 (independently certified for Category 1, self-assessed for Category 2A).

You also need a Statement of Applicability (SoA) under milestone 2. ISO 27001 clause 6.1.3 requires the SoA, which can be loosely understood as a justified checklist of the Annex A controls (114 in the 2013 edition; the 2022 revision consolidates them into 93) recording which apply to your organisation’s risks and which do not, and why.

Milestone 3 – Demonstrate Implementation of ISMS

You must demonstrate that the ISMS and ISO 27001 controls (where applicable to the organisation) have been implemented effectively to pass milestone 3.


How to Maintain RFFR Accreditation

An RFFR-accredited organisation and all its subcontractors must keep their accreditation current by submitting the required annual reports and remaining subject to monitoring against RFFR requirements.

The annual and triennial activities fall due according to the date on which the accreditation was awarded.

Maintain Accreditation

Certified ISMS (Category 1 Providers and Third Party Employment and Skills System (TPES) vendors)
  • Annually: surveillance audit or change-of-scope audit by the Conformity Assessment Body (CAB), covering the Provider’s or TPES vendor’s updated SoA
  • Every 3 years: recertification by the CAB, followed by Provider or TPES vendor reaccreditation by DESE

Self-assessed ISMS (Category 2A Providers)
  • Annually: self-assessment report (including a description of changes since the last report) covering the Provider’s updated SoA; DESE determines whether the Provider needs to upscale to a certified ISMS
  • Every 3 years: self-assessment report and reaccreditation by DESE

Management attestation (Category 2B Providers)
  • Annually: Management Assertion Letter (including a description of changes since the last attestation); DESE determines whether the Provider needs to upscale to a self-assessed ISMS
  • Every 3 years: Management Assertion Letter and reaccreditation by DESE

Core Expectations Under the Right Fit for Risk

The RFFR approach requires you to establish and maintain a set of core security expectations in order to sustain and improve your security posture.

Together with the Essential Eight strategies, these core expectations give your organisation the basis of a robust security framework.

Personnel Security – RFFR Core Expectations

Under RFFR requirements, you must follow these processes when employing new people:

  • Positively identify and verify the individual’s identity.
  • Verify the qualifications, certifications and experience listed on their Curriculum Vitae to confirm their competence.
  • Obtain a satisfactory police check for the individual.
  • Complete a satisfactory Working with Vulnerable People check.
  • Confirm that the individual holds valid entitlements to work in Australia.
  • Ensure the person completes introductory security awareness training with content suited to their role.
  • Include contract clauses that keep information security and non-disclosure obligations in force after termination.
  • Apply a higher level of assurance to individuals who hold privileged or administrative access.

Physical Security – RFFR Core Expectations

Organisations must apply physical security measures that minimise the risk of information and physical assets being:

  • Inoperable or inaccessible.
  • Accessed, used, or removed without appropriate authorisation.

All organisations must meet the physical security requirements. Facilities must be of commercial quality and located in Australia. Where staff work from home, the organisation must ensure that the home environment protects staff, program data and IT hardware as well as the office does.

Cyber Security – RFFR Core Expectations

Organisations must implement security measures covering the ‘Essential Eight’ cyber security strategies, information security risk management, information security monitoring, management of cyber security incidents, and restriction of access.


What Are the Australian Essential Eight Cyber Security Strategies?

The Australian Cyber Security Centre (ACSC) developed the ‘Essential Eight’, a prioritised set of eight mitigation strategies, to help organisations get their information security in order.

An organisation must determine its cyber security risk profile and develop plans to reach a target maturity level for each of the Essential Eight strategies.

Note that the Essential Eight is mandated for non-corporate Commonwealth entities under the Protective Security Policy Framework (PSPF).

Application Control

Application control (allowlisting) permits only approved programs (executables, scripts, installers and similar) to run, so that unknown and potentially malicious programs are blocked from executing on your systems.

Patch Applications

Applications with known security vulnerabilities can be exploited to execute malicious code. Keeping your environment secure means running supported versions of applications and applying patches promptly once vulnerabilities are identified; the ACSC maturity model sets timeframes for this, as short as 48 hours for internet-facing services where a working exploit exists.

Configure Microsoft Office Macro Settings

Only macros in files from trusted locations (folders that ordinary users cannot write to) or macros signed by a trusted publisher are permitted to run; macros in files downloaded from the internet are blocked, and users cannot change these settings themselves. This strategy blocks malicious code delivered through Microsoft Office macros.
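The following PowerShell script is an added example, not code from the original page or from ISMS.online. It audits the Office macro policy values that this strategy relies on and, optionally, sets them on a standalone host. It assumes Office 2016/2019/365 (registry version 16.0), that policy is delivered into HKCU (as Group Policy or Intune would do) and that it runs as the user being audited; the application list and the pass/fail thresholds are the author’s assumptions, not DESE’s.

```powershell
# Added example (not from the original page or ISMS.online): audit the Office
# macro policy values behind the Essential Eight macro strategy.
# Assumptions: Office registry version 16.0, policy in HKCU, run as the user
# being audited. The thresholds below are the author's reading of the ACSC
# guidance, not a DESE-published checklist.

function Test-OfficeMacroPolicy {
    [CmdletBinding()]
    param(
        [string[]]$Applications = @('Word', 'Excel', 'PowerPoint'),
        # Standalone/test hosts only; in production push these values via Group Policy or Intune.
        [switch]$Remediate
    )

    foreach ($app in $Applications) {
        $security = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"

        # VBAWarnings: 1 = enable all, 2 = disable with notification (Office default),
        # 3 = disable all except digitally signed, 4 = disable all without notification.
        $vbaWarnings = (Get-ItemProperty -Path $security -Name VBAWarnings `
            -ErrorAction SilentlyContinue).VBAWarnings

        # 1 = block macros in files carrying the Mark-of-the-Web (downloaded from the internet).
        $blockInternet = (Get-ItemProperty -Path $security -Name blockcontentexecutionfrominternet `
            -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

        # 1 = all trusted locations disabled, so no folder can bypass the macro policy.
        $trustedOff = (Get-ItemProperty -Path "$security\Trusted Locations" -Name AllLocationsDisabled `
            -ErrorAction SilentlyContinue).AllLocationsDisabled

        if ($vbaWarnings -eq 4) {
            $status = 'Pass: all macros blocked'
        } elseif ($vbaWarnings -eq 3 -and $blockInternet -eq 1) {
            $status = 'Pass: signed macros only, internet-sourced files blocked'
        } elseif ($null -eq $vbaWarnings) {
            $status = 'Fail: no policy set, user can enable macros'
        } else {
            $status = 'Fail: macros not restricted to signed or trusted'
        }

        if ($Remediate -and $status -like 'Fail*') {
            New-Item -Path $security -Force | Out-Null
            New-Item -Path "$security\Trusted Locations" -Force | Out-Null
            Set-ItemProperty -Path $security -Name VBAWarnings -Value 3 -Type DWord
            Set-ItemProperty -Path $security -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
            Set-ItemProperty -Path "$security\Trusted Locations" -Name AllLocationsDisabled -Value 1 -Type DWord
            $status = 'Remediated: signed macros only, internet-sourced files blocked, trusted locations disabled'
        }

        [pscustomobject]@{
            Application          = $app
            VBAWarnings          = $vbaWarnings
            BlockInternetMacros  = $blockInternet
            TrustedLocationsOff  = $trustedOff
            Status               = $status
        }
    }
}

# Report only; add -Remediate on a standalone host to apply the hardened values.
Test-OfficeMacroPolicy | Format-Table -AutoSize
```

A value under HKCU\Software\Policies is what Group Policy writes, so a missing value here means no policy has been applied and the user can still enable macros from the Trust Center; that is the case the audit reports as a failure. Disabling all trusted locations is stricter than the strategy requires (it removes the trusted-folder exception entirely), so the script reports that value but does not fail a host for leaving trusted locations enabled.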

Application Hardening

Unneeded or risky functionality in Microsoft Office, web browsers and PDF viewers is disabled or removed. Flash, web advertisements and Java content in the browser are common vehicles for delivering malicious code.

Restrict Administrative Privileges

Administrator accounts hold the keys to your IT infrastructure, so access to them must be tightly limited. Minimise the number of administrator accounts and the privileges granted to each, validate the need for privileged access when it is first requested and periodically thereafter, and keep privileged accounts away from email and web browsing.
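The script below is an added example, not code from the original page or from ISMS.online. It shows the check a practitioner would run to back up this strategy: enumerate who actually holds local administrator rights on a Windows host and flag anything outside an approved set. The approved list is a constructed placeholder for illustration; the script needs the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) and rights to read local group membership.

```powershell
# Added example (not from the original page or ISMS.online): report local
# Administrators group members that are not on an approved list.
# Assumptions: Windows 10 / Server 2016+ with the LocalAccounts module; the
# default $Approved values are constructed placeholders to replace.

function Get-UnapprovedLocalAdmins {
    [CmdletBinding()]
    param(
        # Approved principals as "AUTHORITY\Name" (constructed example values).
        [string[]]$Approved = @("$env:COMPUTERNAME\Administrator", 'EXAMPLE\Workstation Admins')
    )

    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        $notes = New-Object System.Collections.Generic.List[string]

        if ($Approved -notcontains $member.Name) {
            $notes.Add('not on approved list')
        }

        # A group hides its real membership from this view; nested groups are a
        # common way that privileged access quietly expands.
        if ($member.ObjectClass -eq 'Group') {
            $notes.Add('group: nested membership needs review')
        }

        # For local user accounts, check the obvious weak states.
        if ($member.PrincipalSource -eq 'Local' -and $member.ObjectClass -eq 'User') {
            $account = Get-LocalUser -SID $member.SID -ErrorAction SilentlyContinue
            if ($account -and $account.Enabled -and -not $account.PasswordRequired) {
                $notes.Add('enabled local admin with no password required')
            }
        }

        if ($notes.Count -gt 0) {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $member.Name
                Type     = $member.ObjectClass
                Source   = $member.PrincipalSource
                Notes    = ($notes -join '; ')
            }
        }
    }
}

Get-UnapprovedLocalAdmins | Format-Table -AutoSize
```

Run it across a fleet with Invoke-Command and collect the output centrally; the useful evidence for an audit is the diff between runs, which shows accounts or groups gaining administrator rights without a corresponding approval.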

Patch Operating Systems

Operating systems with known security vulnerabilities can be exploited to gain or extend a foothold. Remediate such vulnerabilities as soon as they are identified: run current, supported operating system versions, apply security patches promptly, and do not use operating systems that no longer receive vendor support.

Multi-Factor Authentication

Strong user authentication makes it harder for an attacker to reach information and systems. MFA requires two or more factors of different kinds: something you know (a password or PIN), something you have (a security key, a registered authenticator app, or a one-time code sent to a device) and something you are (a fingerprint or face). The factors are not equivalent: SMS codes are the weakest ‘something you have’ option, and phishing-resistant methods such as FIDO2 security keys give the strongest protection.

Regular Backups

A backup strategy preserves critical data and systems so that information can be restored after a cyber security incident.

Data, software and configuration settings are backed up and stored separately from your main environment, and unprivileged accounts are prevented from accessing or modifying backups. The backups are tested regularly to confirm that they can be restored and that all critical data is included in the backup program.


Managing Cybersecurity Incidents

An organisation must adopt a formal approach to information security incident management that follows the guidance in the Information Security Manual (ISM).

An organisation’s Chief Information Security Officer, Chief Information Officer, cyber security professional, or information technology manager can use the ISM to develop a cyber security framework to protect their information and systems from cyber threats.

Incident detection and response mechanisms should be implemented so that cyber security incidents are recorded and reported to internal and external stakeholders.

Use of an Accredited Third-Party System

Organisations must remember that they remain responsible for ensuring that any subcontractors providing services on their behalf meet, adhere to and maintain the organisation’s security standards.

An organisation should recognise that external parties providing services to or on behalf of the organisation may have the potential to access premises, systems, or information that requires protection. Organisations must ensure that RFFR security requirements are in place and function properly throughout their supply chain.

Any company that uses a third-party application or cloud service to process, store, or disseminate confidential data must ensure that the system is secure before putting it to use. Before using any third-party software or service, organisations must assess the risk for themselves and implement appropriate security controls.

How ISMS.online Helps

ISMS.online helps you meet your organisation’s information security and compliance requirements by supporting your information security implementation and helping you assess your security gaps and processes.

Helping you achieve your RFFR ISMS goals, our key benefits include:

  • It’s easy to delegate responsibilities and monitor progress towards compliance.
  • Automated Statement of Applicability (SoA).
  • The extensive risk assessment tool-set saves time and effort throughout the process.
  • We have a dedicated team of consultants on hand to support you throughout your journey to compliance.
  • Guidance on how to address the applicable controls and demonstrate that they are handled securely.


Since migrating we’ve been able to reduce the time spent on administration.
Jodie Korber
Managing Director Lanrex