Accreditation maintenance

On this page:

Requirements to Maintain Accreditation

During the lifespan of their Deed/s, Providers and their Subcontractors who are Right Fit for Risk (RFFR) accredited are required to maintain their certification status through annual reporting and surveillance audits to ensure compliance to the RFFR standards. Providers with an existing accreditation will need to complete the annual and 3 yearly audits based on the dates when the Department's accreditation was granted. 

If, at any time during the accreditation maintenance period, a change to a Provider’s (or their Subcontractor’s) circumstances alters the risk profile of the organisation, the Department will reassess the Provider’s accreditation status. This includes when the Provider or their Subcontractor:

  • enters a new Deed with the Department
  • changes its subcontracting arrangements (from one Subcontractor to another, or introduces a new Subcontractor)
  • changes its Third Party IT Vendors who are supporting their IT environments
  • has a change in classification from Category Two to Category One

The Provider must notify the Department within 5 Business Days of a change in circumstance.

ISM controls are regularly added and changed. Providers should regularly review these to consider whether the controls are applicable to their business and whether any of the controls should form part of their accredited ISMS. The SoA should be regularly revised to demonstrate the Provider's consideration of new or changed ISM controls. Where a new or changed control is determined to be applicable but has not been fully implemented by the time of the Provider's annual submission, Providers should ensure their SoA also includes details of their planned actions to address these matters and an expected completion date for each.

The following table details the requirements for Providers to maintain their accreditation once accreditation has been granted. Note the timing of the annual and 3 yearly audits applies from the date of accreditation.

Accreditation type


Every 3 years

Certified ISMS (Category 1 Providers and Third Party Employment and Skills System vendors)

  • Surveillance audit or change of scope audit by Certifying Assessment Body (CAB) covering the Provider’s or TPES vendor's updated SoA 
  • Recertification by CAB
  • Provider or TPES vendor reaccreditation by DESE

Self-assessed ISMS

(Category 2A Providers)

  • Self-assessment report (incl. description of changes since last report) covering the Provider’s updated SoA
  • DESE determines whether need to upscale to a Certified ISMS
  • Self-assessment report
  • Reaccreditation by DESE

Management attestation

(Category 2B Providers )

  • Annual Management Assertion Letter (incl. description of changes since last attestation)
  • DESE determines whether need to upscale to a self-assessed ISMS
  • Management Assertion Letter
  • Reaccreditation by DESE

Further details on the Provider classification requirements can be found at the Provider Classification page)