Accreditation overview

The Department uses the External Systems Accreditation Framework and the Right Fit for Risk (RFFR) assurance approach to assess and accredit Providers Information Security Management Systems. The process for accreditation can vary based on the organisation type, risk profile and Deed with the Department. This accreditation process is applicable to:

  • Service Providers.
  • Third Party Employment and Skills (TPES) Systems.

On this page:

External Systems Assurance Framework overview

To provide assurance that the risks to the Department’s systems and the confidential data stored outside of the Department’s ICT environment is secure and is managed responsibly the Department has established and maintains an External Systems Assurance Framework (ESAF).

This is based on the whole of Government Protective Security Policy Framework (PSPF). As part of this framework, the Department is accountable for ensuring all contracted Providers used in the delivery of the Department programs and TPES systems connecting to the Department's environment or storing Providers program related data also comply with PSPF requirements.  Provider accreditation under the ESAF provides assurance that the department’s IT systems and data is safeguarded when accessed by Providers. TPES system accreditation signifies that the vendor has implemented controls in and around their system that are consistent with RFFR requirements.

There are two areas of assurance covered in the ESAF that include:

  1. Service Providers: The Accreditation of Providers’ information security management systems provides assurance to the Department that sufficient security measures are in place to manage Provider security risks. Provider accreditation forms part of the ESAF and is underpinned by the Department’s Right Fit For Risk (RFFR) approach that is designed to meet the needs of all Provider organisations.
  1. TPES systems: TPES systems are specialised systems that may interface with the Department’s systems and make employment industry specific functionality available to licensed users. TPES system accreditation forms part of the ESAF and is also underpinned by the RFFR approach.  The Department accredits certain TPES systems as a prerequisite for the TPES system to connect to the Department’s IT systems.  Providers can also use the Department’s accreditation as an indication that the TPES system can provide an appropriate level of security over data that is stewarded by a Provider. However, it is up to each Provider to determine whether their instance of an accredited TPES system is configured and operated in a manner that effectively mitigates their information security risks.   The Department accredits certain TPES for use by Providers as an indication that the TPES can provide an appropriate level of security over data that is stewarded by a Provider. 

Right Fit for Risk program

The RFFR is the Department’s risk-based approach to gain comfort about the state of cyber security for contracted Providers and TPES systems. It includes requirements in relation to Provider accreditation and TPES system accreditation based on the:

  1. International Standard ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements (ISO 27001) – the international standard outlining the core requirements of an Information Security Management System.
  2. Australian Government Information Security Manual (ISM) – the Australian Government’s cyber security framework to protect systems and data from cyber threats.

Application of the RFFR approach using ISO 27001

The RFFR approach includes a requirement that Providers and TPES system vendors design and implement an Information Security Management System (ISMS) that is consistent with the requirements of ISO 27001. An ISMS is a systematic approach to managing business information so that it remains secure and available when staff need it. It secures people, premises, IT systems and information by applying a risk management process to information security

The RFFR program extends ISO 27001 in two key areas: 

  1. ISO 27001 requires organisations to consider the set of security controls presented in Annex A to the standard and identify which are applicable to mitigating their security risks. RFFR extends this requirement by asking Providers and TPES system vendors to also consider the set of security controls presented in the ISM that are relevant to securing OFFICIAL information.
  2. the Department has identified core expectation areas that are particularly important to security posture at all organisations. All Providers and TPES system vendors are expected to include security controls that support the core expectation areas when identifying applicable controls for inclusion in their ISMS. Additional information on the RFFR core expectations can be found at Core Expectations

The Department is the accrediting authority for Providers and TPES systems. To accredit Providers, the Department seeks assurance that the Provider and their Subcontractors have implemented an appropriate standard of security over their information and their IT environment. The accreditation process for each Provider depends on their size and risk profile.

To accredit TPES systems, the Department seeks assurance that the TPES system vendor has implemented an appropriate standard of security over the Information Security Management System that encompasses the TPES system.

To demonstrate that Providers meet RFFR requirements, the Department requires Providers and their Subcontractors, and TPES vendors, to follow the RFFR approach. The RFFR approach requires Providers and TPES vendors to complete a set of milestones within a prescribed time period. At each milestone, Providers and TPES vendors check in with the Department to review progress, assess risk and provide guidance on meeting the RFFR requirements.

The milestones are designed to allow Providers and TPES vendors to assess their organisation’s level of cyber security measures in place and implement any improvements identified at the same time as gaining a customised ISMS that conforms with ISO 27001.

Detail regarding the Department’s document submission requirements at each Milestone in the accreditation process can be found at Process for Accreditation.

Transition period for upgrading to ISO27001:2022

Providers looking to certify to ISO27001 for the first time must apply for the certification to be assessed against the 2022 version.

Providers who are already certified to ISO27001:2013 and planning on transitioning to ISO27001:2022 can refer to the transition guidelines below:

Key date


25 October 2022 

ISO27001:2022 release date.

31 October 2022 

Beginning of transition period to ISO27001:2022.

31 October 2023

For any certification or annual surveillance audit scheduled after this date, Providers are highly recommended to use ISO27001:2022.

30 April 2024 

After this date, all ISO27001 audits must utilise the 2022 version.

31 October 2025 

The end date of the transition period to ISO27001:2022. Certificates for ISO27001:2013 will no longer be valid after this date.


All Providers requiring ISO27001 certification must have valid and current ISO27001:2022 certificate from 1 November 2025.