Provider classification for accreditation

On this page:

The Right Fit For Risk (RFFR) approach classifies Providers and Subcontractors into categories to obtain accreditation.

  • Category One: Providers and Subcontractors delivering Services to 2,000 or more individuals per annum because of all their Deeds.  Third Party Employment and Skills (TPES) System vendors obtaining accreditation are also classified as Category one.
  • Category Two: Providers and Subcontractors delivering Services to fewer than 2,000 individuals per annum because of all their Deeds. This category includes two sub-categories referred to as “Category 2A” and “Category 2B” below. 

When determining whether a Provider is in Category 2A or 2B, the Department will consider a range of risk factors including the:

  • IT environment
  • level of outsourcing
  • subcontracting arrangements
  • organisational structure
  • level of security maturity
  • the extent of sensitive information held and level of access to departmental systems
  • other relevant factors.

The Department considers the number of individuals receiving services from the Provider and any subcontractors (“case load”) taken together across all Deeds. Should the Provider or Subcontractor enter new Deeds with the Department that alters the caseload volume, the Department will reassess their categorisation and may require the accreditation to be updated if the categorisation changes.

Each of the Provider categories is associated with its own assurance pathway under the RFFR approach. 

The Department will categorise a Provider based on their RFFR questionnaire submission (or equivalent), and additional information obtained through an interview with the Provider. Completion of this interview and categorisation activity marks Milestone 1 in the RFFR process.

The below table provides guidance to Providers on the classification requirements.


Category 1

Category 2A

Category 2B

Annual Case load

2,000 or more

Under 2,000

Under 2,000

Risk profile

Greater risk

Medium risk

Low risk

Basis of accreditation

ISO 27001 conforming ISMS (Information Security Management System) - independently certified

ISO 27001 conforming ISMS - self-assessed

Management Assertion Letter

Accreditation maintenance

Annual surveillance audit and triennial recertification

Annual self-assessment

Annual management assertion letter

Milestones to complete

1, 2 and 3

1,2 and 3

1 and 3