Process for accreditation

The department is the accrediting authority and is required to assess and verify Providers as meeting the requirements under the Right Fit For Risk (RFFR) accreditation approach. To demonstrate that a Provider is meeting the requirements under the RFFR accreditation approach, an Information Security Management System (ISMS) is to be designed and implemented.

Process Overview

The department requires Providers and Vendors to complete three milestones in the accreditation process. The milestones are designed to allow Providers to assess their organisation’s level of ISMS maturity, including any existing cyber security measures in place, and to implement any improvements identified. Once the Provider has demonstrated, on completing the final milestone, that risks to systems and information are being managed, the department will issue the required accreditation.

This process is applicable to:

  • Employment Services Providers
  • Apprentice Connect Australia Providers
  • Certain Skills program Providers, and
  • Third Party Employment and Skills (TPES) system Vendors.

Milestone 1 - Scope/context

Milestone 1 is initiated through the submission of an RFFR questionnaire to the department, required as part of a respondent’s relevant Request for Proposal or Tender (RFP or RFT) response. The completed questionnaire provides the department with information regarding the respondent’s organisation, IT environment, current cyber security maturity, subcontracting arrangements, and readiness to meet RFFR requirements.

On the execution of a Deed, the department will engage with the Provider to discuss their IT security posture and next steps toward RFFR accreditation.

Milestone 1 requirements

Assessment method: Review of the submitted RFFR Questionnaire and discussion
Submission deliverables: RFFR Questionnaire submitted by the Provider
Key actions and outcomes:
  • The Provider and department representatives will discuss the Provider’s business, stakeholders, contractual obligations, information, systems and practices to help the Provider determine the scope of their ISMS. This discussion will also allow the department to consider Provider risks and assign the Provider to a Category.
  • Unaccredited Providers: The department will confirm the Provider’s categorisation and the associated RFFR requirements for completing Milestones 2 and 3.
  • Providers part way through an existing accreditation process: Existing Providers who are part way through an accreditation process for delivering Services under an existing Deed requiring RFFR should take the steps advised in the RFP or RFT documentation.
  • Accredited Providers with new Deeds: The department will review the extent of changes to the Provider’s scope of Services and determine whether the Provider should be recategorised. If no significant changes have occurred, accredited Providers do not need to complete Milestones 2 and 3 and need only maintain their RFFR accreditation.
Next steps:
  • Commence development of the documentation required by the Provider’s category (see Provider Classification for Accreditation for details).
  • Identify where existing security controls meet RFFR requirements, and where there are gaps requiring additional controls to be implemented.
  • It is recommended that Providers appoint a ‘champion’ within the organisation to ensure RFFR requirements are met.
Due dates:
  • Employment Service Providers and Apprentice Connect Australia Providers: Completed within one month of Deed execution by the department.
  • Other programs: As advised by the relevant Program Manager.
  • TPES System Vendors: No required timeframe for completion.

Milestone 2 - Design

Milestone 2 requires Providers to demonstrate that their ISMS has been designed to reflect the RFFR requirements applicable to their Category (as advised at Milestone 1). Providers are required to demonstrate, through submission of the required documentation, that appropriate security controls are planned for implementation within the organisation.

Reference guides, materials and templates to support Milestone 2 written submissions are available below. It is mandatory to use the department’s templates, including the Scope document, Statement of Applicability (SoA) and Self-assessment template, to progress with an RFFR assessment.

The process for completing Milestone 2 depends on the Provider’s Category. Please note, this milestone does not apply to Category 2B Providers who instead proceed directly to Milestone 3. The table below details the requirements for Providers to achieve Milestone 2.

Milestone 2 requirements

Submission deliverables
  Category 1 Provider and TPES System Vendor:
    • ISMS scope
    • Statement of Applicability (SoA) reflecting RFFR requirements
    • Independent assessor’s “Stage 1” report. This can be either an ISO/IEC 27001 or a DEWR ISMS Scheme report; RFFR does not require a Provider to have both audits completed.
  Category 2A Provider:
    • ISMS scope
    • SoA reflecting RFFR requirements
    • ISMS Self-assessment report (conformance)
Implementation status
  Category 1 Provider and TPES System Vendor:
    • The Provider’s ISMS is expected to substantially conform with ISO/IEC 27001 requirements; however, applicable controls sourced from ISO/IEC 27001 Annex A and the Australian Government ISM are not expected to be implemented at this stage.
  Category 2A Provider:
    • The Provider’s ISMS is expected to substantially conform with ISO/IEC 27001 requirements; however, applicable controls sourced from the Australian Government ISM are not expected to be implemented at this stage.
Assessment method
  Category 1 Provider and TPES System Vendor:
    • Independently assessed by a JAS-ANZ accredited ISO/IEC 27001 or DEWR ISMS Conformance Assessment Body
  Category 2A Provider:
    • Self-assessed
Outcomes to progress to Milestone 3
  Category 1 Provider, TPES System Vendor and Category 2A Provider:
    • Department acceptance of submission deliverables.
Next steps
  Category 1 Provider, TPES System Vendor and Category 2A Provider:
    • Implement the ISMS in accordance with its design
Due dates
  Category 1 Provider and TPES System Vendor:
    • Employment Service Providers and Apprentice Connect Australia Providers: Completed within 3 months from the Deed Commencement Date.
    • Other programs: As advised by the department’s Program Manager.
    • TPES System Vendors: No required timeframe for completion.
  Category 2A Provider:
    • Employment Service Providers and Apprentice Connect Australia Providers: Completed within 3 months from the Deed Commencement Date.
    • Other programs: As advised by the department’s Program Manager.

Milestone 3 - Implementation

Milestone 3 emphasises the Provider’s progress toward conforming with ISO/IEC 27001 and implementing the security controls applicable to the organisation. While all applicable controls are important, priority should be given to ensuring conformance with the controls that support the RFFR core expectations.

If not fully implemented at the point of the Milestone 3 submission, Providers are required to inform the department of their expectation as to when each applicable control will be fully in place and when any remaining areas of non-conformance will be addressed.

Providers should be aware that applicable but unimplemented controls (and remaining areas of non-conformance) will impact the department’s assessment of residual risk associated with the Provider, and the department’s decision to accredit the Provider.

The department does not discourage any Category 2A and 2B Providers from seeking ISO/IEC 27001 or DEWR ISMS certification as there may be significant perceived or actual benefits to other aspects of the Provider’s business.

The table below lists the requirements for Providers to achieve Milestone 3.

Milestone 3 requirements

Submission deliverables
  Category 1 Provider and TPES System Vendor:
    • Updated Scope document describing any changes to the Provider’s operating environment
    • Updated SoA with consideration made for any new or updated controls
    • Independent assessor’s “Stage 2” report. This can be either an ISO/IEC 27001 or a DEWR ISMS Scheme report; RFFR does not require a Provider to have both audits completed.
    • ISO/IEC 27001 or DEWR ISMS Certificate (when available)
  Category 2A Provider:
    • Updated Scope document describing any changes to the Provider’s operating environment
    • Updated SoA with consideration made for any new or updated controls
    • ISMS self-assessment report (implementation)
  Category 2B Provider:
    • Management Assertion Letter
    • Completed SoA
Implementation status
  Category 1 Provider and TPES System Vendor:
    • The Provider’s ISMS conforms with ISO/IEC 27001 and the controls applicable to the organisation have been implemented
  Category 2A Provider:
    • The Provider’s ISMS conforms with ISO/IEC 27001 and the controls applicable to the organisation have been implemented
  Category 2B Provider:
    • Controls supporting specific security objectives have been implemented
Assessment method
  Category 1 Provider and TPES System Vendor:
    • Independently assessed
  Category 2A Provider:
    • Self-assessed
  Category 2B Provider:
    • Self-assessed
Outcomes to complete process
  All categories (Category 1 Provider, TPES System Vendor, Category 2A Provider and Category 2B Provider):
    • Department acceptance of submission deliverables
    • RFFR accreditation
Next steps
  Category 1 Provider and TPES System Vendor:
    • Address any remaining minor non-conformances
    • Implement remaining applicable controls (if any)
    • Monitor the ISMS
  Category 2A Provider:
    • Address any remaining minor non-conformances
    • Implement remaining applicable controls (if any)
    • Monitor the ISMS
  Category 2B Provider:
    • Monitor performance of security controls
Due dates
  Category 1 Provider and TPES System Vendor:
    • Employment Service Providers and Apprentice Connect Australia Providers: Completed within 9 months from the Deed Commencement Date.
    • Other programs: As advised by the department’s Program Manager.
    • TPES System Vendors: No required timeframe for completion.
  Category 2A Provider:
    • Employment Service Providers and Apprentice Connect Australia Providers: Completed within 9 months from the Deed Commencement Date.
    • Other programs: As advised by the department’s Program Manager.
  Category 2B Provider:
    • Employment Service Providers and Apprentice Connect Australia Providers: Completed within 9 months from the Deed Commencement Date.
    • Other programs: As advised by the department’s Program Manager.

Templates for submission

To assist Providers in completing the accreditation Milestones, standardised RFFR templates have been created for Providers.

The use of these templates is mandatory for RFFR accreditation. Providers cannot use their own modified or tailored version of the SoA, as it will not be accepted as part of the RFFR assessment process.

Note: Templates for a Category 2B Provider submission will be provided by the Department on confirmation of the Provider’s category.

Provider Category - Applicable Milestone - Templates

All - Milestone 1
  1. RFFR Questionnaire
Category 1 - Milestone 2 and Milestone 3
  1. ISMS Scope
  2. Statement of Applicability
Category 2A - Milestone 2 and Milestone 3
  1. ISMS Scope
  2. ISMS Self-assessment report
  3. Statement of Applicability
Category 2B - Milestone 3
  1. Management assertion letter
  2. Statement of Applicability
TPES System Vendor - Milestone 2 and Milestone 3
  1. ISMS Scope
  2. Statement of Applicability (template provided directly to TPES Vendors on request)