Accreditation maintenance

Requirements to Maintain Accreditation

During the lifespan of their Deed/s, Providers and their subcontractors who have achieved Right Fit for Risk (RFFR) accreditation are required to maintain their accreditation status through an annual submission of updated documentation and surveillance audit (where applicable). Providers with an existing accreditation will need to complete their annual submission based on the date when RFFR accreditation was initially granted.

If, at any time during the accreditation maintenance period, a change to a Provider’s or their subcontractor’s circumstances alters the risk profile of the organisation, the department may need to conduct a categorisation re-assessment. This includes when a Provider or their subcontractor:

  • enters a new Deed, or ceases delivery of a Deed with the department
  • changes its subcontracting arrangements (from one Subcontractor to another, or introduces a new Subcontractor)
  • changes its Third Party IT Vendors who are supporting their IT environments.

Providers must notify the department within 5 Business Days of a change in circumstance. Further details on the Provider classification requirements can be found at the Provider Classification page.

The following table details the requirements for Providers to maintain their accreditation once accreditation has been granted.

Accreditation type | Annually (submission is required 6 weeks prior to the Annual Anniversary of Accreditation)

Certified ISMS (Category 1 Providers and TPES System vendors):
  • Updated Scope document describing any changes to the Provider’s operating environment
  • Updated Statement of Applicability with consideration made for any new or updated controls*
  • Annual surveillance report
  • ISO/IEC 27001 or DEWR ISMS Certificate
  • Details of Corrective Action Plans (if applicable).

Self-assessed ISMS (Category 2A Providers):
  • Updated Scope document describing any changes to the Provider’s operating environment
  • Updated Statement of Applicability with consideration made for any new or updated controls*
  • Updated ISO/IEC 27001 Self-assessment report (referencing your current SoA version)

Management Assertion (Category 2B Providers):
  • Management Assertion Letter which includes an annual declaration from the Provider
  • Updated Statement of Applicability with consideration made for any new or changed controls

*ISM controls are regularly added and changed each quarter. Providers should review these to consider whether the controls are applicable to their organisation and whether they should form part of their accredited ISMS as documented within their SoA. Where a new or updated control is determined to be applicable but has not been fully implemented by the time of a Provider's annual submission, Providers should ensure their SoA also includes details of their implementation plans, including expected date of completion and person(s) responsible.