The Department uses the External Systems Accreditation Framework (ESAF) and the Right Fit for Risk (RFFR) assurance approach to assess and accredit Providers' information security management systems. This also applies to Third Party Employment and Skills (TPES) systems developed by Third Party IT Vendors. RFFR is a risk-based approach whose requirements are drawn from the International Standard ISO/IEC 27001 and the Australian Government Information Security Manual (ISM).
The ISM represents the considered advice of the Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD). ACSC reviews and updates the ISM controls regularly. In line with the quarterly releases of the ISM by ACSC, the DPO updates the Statement of Applicability (SoA) template for Providers and Vendors to use throughout the RFFR accreditation lifecycle.
In line with the September 2022 release of the ISM by ACSC, we have reviewed and updated the RFFR Statement of Applicability template, incorporating feedback from internal and external stakeholders.
For further guidance on RFFR, visit Right Fit For Risk Cyber Security Accreditation.