The Department provides additional support resources, written to be simple and clear for all users, to guide Providers through their RFFR journey.
Documentation
Resource | Description |
---|---|
Using ISO/IEC 27001 to meet your RFFR accreditation requirements | Highlights the differences between the industry standard ISO/IEC 27001 and the RFFR requirements. |
Accredited Bodies Search | A search for accredited certifying bodies that can issue ISO/IEC 27001 assessment reports and certificates. |
Right Fit for Risk (RFFR) – Finding the right sponsor | Details the need to identify an internal sponsor to oversee the implementation of the customised ISO/IEC 27001 in all areas of the organisation. |
ISO/IEC 27001 issues to avoid | Helps Providers avoid missteps the Department has seen to date, so the accreditation process runs smoothly. |
ISO/IEC 27001 risk assessment | Provides a high-level overview of the concept of risk assessment and treatment in an ISO/IEC 27001 context. |
ISO/IEC 27001 gap analysis v risk assessment | Explains why gap analysis and risk assessment are essential but distinct activities when implementing ISO/IEC 27001. |
ISO/IEC 27001 importance of the SoA | Details the business need and reasoning for completing a Statement of Applicability (SoA). |
Management of third parties – overview | Assists Providers in identifying their third parties, who is responsible for them, and what impact the security of these entities has on a Provider’s environment. |
Management of third parties – life cycle | Explains the stages in the life cycle of third party vendors and highlights what Providers should think about when contracting with third parties. |
Managing third parties – resources | Details the assistance available from the Australian Cyber Security Centre for managing Managed Service Providers. |
Right Fit For Risk (RFFR) government resources | Outlines the government resources available to understand and address cyber security risks. |
DEWR ISMS Scheme | Outlines what the DEWR ISMS Scheme is, who it is for, and key considerations for all applicable stakeholders. |
Templates
Resource | Description |
---|---|
RFFR Questionnaire | Provides a high-level view of a Provider's current security posture as a basis for discussion with the Cyber Security Accreditation team at Milestone 1 in the RFFR process. |
Scope template | Provides example headings and guidance for documenting the ISMS scope in accordance with ISO/IEC 27001 clause 4. It also communicates the key elements of the business, systems and information involved in delivering the Services, and describes the Provider’s implementation of the RFFR Core Expectation areas. |
SoA template | Provides a Statement of Applicability template that identifies the controls supporting the RFFR Core Expectation areas, with guidance on assessing control applicability and recording the status information required at all Milestones. |
RFFR ISO 27001 self-assessment report template | Provides example headings and guidance to be considered when Category 2A Providers are documenting their self-assessment. |