Understanding Right Fit for Risk (RFFR)

Accreditation for providers of Employment skills and Disability Employment Services

By Kent Minchinton

With many of our clients in the not-for-profit sector, we sat down with our information security and Right Fit for Risk experts to discuss the ins and outs of this accreditation.

Here’s what Information Security Manager Kent Minchinton and our Right Fit for Risk Consultant had to say.

Many of our NFP clients have been impacted by the Department of Education, Skills and Employment’s (DESE) RFFR information security compliance regulations.

Navigating the process can be particularly intimidating. And understanding the core requirements and expectations of the department is key to ensuring a positive outcome.

At FUJIFILM CodeBlue we understand the potential impact this has on you as well as on the services we provide. Working together, in partnership, is the best way forward.

The ultimate objective for RFFR accreditation?

For employment service providers and deed holders to be tender ready by September 2021.
If you’re on the ISO 27001 path to accreditation you must consider DESE’s core requirements and expectations, as a standard ISO 27001 certificate may not be seen as meeting all requirements.

  1. Achieving a compliance state equal to level 3 of the Essential Eight (E8) Maturity model. Achieving this should be a joint effort between yourself and your managed service provider (MSP), as many controls will require action within your environment. You’ll also need to define how your MSP implements the model.Another key point for providers: you will need to ensure your chosen certification body is also accredited. At a minimum, the body needs to be at least aware of the customised nature of the ISO 27001 certification process and audit considerations.It is highly recommended that you receive DESE endorsement of both your certification scope and State of Applicability (SoA) before official audits take place.
  2. Including the Government’s Information Security Manual (ISM) controls in your certification scope and SoA.
  3. Having a clearly defined scope around the context of your organisation.
    This extends to:
    – Physical security
    – Legal
    – Business
    – Personnel
    – Logical data boundaries
    – External/interested parties
    – Deed requirements
    – ISM and more.
  4. You are categorised by your case load. A case load greater than 2000 requires a customised ISO 27001 certification by September 2021. If your case load is less than 2000 you can self-assess, but the same process is applicable.

The RFFR requires a customised ISO 27001 certification including a customised ISO 27001 audit.

The three key milestones of Right Fit For Risk (RFFR)

The initial maturity of information security within your organisation is assessed against the Australian Signals Directorate (ASD) E8 maturity model.

It is important to work closely with the DESE through this process, as it will inform the guidance and approach required to advance smoothly to the next milestone.

The entire organisation is responsible for information security as it impacts people, process, and technology.

The RFFR approach requires the implementation of an Information Security Management System. It also seeks to obtain a customised ISO 27001 certification.

This means in addition to the 114 annex A controls related to ISO 27001, your scope should – at a minimum – incorporate all ISM controls.

What are some key considerations for those undertaking this process?

  1. Identify all information security related assets
  2. Set the scope of your certification
  3. Perform threat analysis and risk assessments to determine all unacceptable risks
  4. Perform a gap analysis to determine the required mitigation
  5. Develop your SOA

You’ll need to ensure:

  • You’ve incorporated all the RFFR requirements into your scope
  • You’ve considered all the ISM controls
  • Your certification body is aware of the customised nature of the ISO 27001 certification you require.

Certification audits

ISO 27001 -2013 certification involves three official audits from recognised and JAS-ANZ accredited external certification bodies. Two relate to the official stage 1 and stage 2 audits performed by the same certification body.

You are required to engage a different certification body to perform an “Internal Audit” usually conducted prior to the stage 2 audit.

Going through your RFFR accreditation?

We can partner with you to get you there. We have a team of experts ready to support and advise your transition.

Get to know the experts

Kent Minchinton
Kent MinchintonYour Cyber Security Guru
Kent is our Cyber Security guru, with not only over 25 years’ project implementation experience but industry certified in Cyber Security Management. Through his experience, he has expert knowledge and experience applying security governance via system design and architecture, risk advice and analysis, security audits and compliance – and so much more. Kent joined our team in January 2021 as Information Security Manager and works with our team to ensure you – and our clients – are secure and get the security advice they need.

Speak to an expert about your
Right Fit for Risk journey

Share your details and we’ll be in touch to discuss your requirements.

Need more information?

Get in touch with us