Accreditation support resources

The Department provides additional support resources to guide Providers in undertaking their RFFR journey that are simple and clear for all users.

On this page:




Using ISO 27001 to meet your RFFR accreditation requirements

Highlights the differences between an industry standard ISO 27001 and the RFFR requirements.

Accredited Bodies Search

Accredited certifying bodies who can issue ISO 27001 assessment reports and certificates.

Right Fit for Risk (RFFR) – Finding the right sponsor

Details the need to identify an internal sponsor to oversee the implementation of the customised ISO 27001 in all areas of the organisation.

ISO 27001 issues to avoid

Helps Providers avoid missteps the department has seen to date to make this a smooth process.

ISO 27001 risk assessment

Provides a high-level overview of the concept of risk assessment and treatment in an ISO 27001 context.

ISO 27001 gap analysis v risk assessment 

Gap analysis and risk assessment are essential, and different, activities when implementing ISO 27001.

ISO 27001 importance of the SoA

Details the business need and reasoning for completing a SOA (Statement of Applicability).

Management of third parties – overview

Assists Providers identify their third parties, who is responsible for them and determining what impact the security of these entities have on a Provider’s environment.

Management of third parties – life cycle

Explains the stages in the life cycle of third party vendors and highlights what Providers should think about when contracting with third parties.

Managing third parties – resources

Details what assistance is available to assist with Managed Service Providers from the Australian Cyber Security Centre.

Right Fit For Risk (RFFR) government resources

Outlines the government resources available to assist, understand and address cyber security risks.


RFFR Questionnaire Provides a high level view of a Provider's current security posture as a basis for discussion with the Cyber Security team at Milestone 1 in the RFFR process.
Scope template Provides example headings and guidance for documenting the ISMS Scope in accordance with ISO 27001 clause 4, while also communicating key elements of the business, systems and information associated with delivering the Services and describing the Provider’s implementation of the RFFR Core Expectation areas.
SoA template (ISM to ISO Map) Provides a Statement of Applicability template that identifies the ISM-sourced controls relevant to each ISO 27001 Annex A control heading. The template also identifies controls that support RFFR Core Expectation areas and prompts for control applicability and status information required at Milestone 2 and Milestone 3.

RFFR ISO 27001 self-assessment report template

Provides example headings and guidance to be considered when Category 2A Providers are documenting their self-assessment.