Understanding Right Fit for Risk (RFFR)

Accreditation for providers of Employment skills and Disability Employment Services

By Pankit Mehta

With many of our clients in the not-for-profit sector, we sat down with our information security and Right Fit for Risk experts to discuss the ins and outs of this accreditation.

Here’s what Information Security Manager Pankit Mehta and our Right Fit for Risk Consultant had to say.

Many of our NFP clients have been impacted by the Department of Education, Skills and Employment’s (DESE) RFFR information security compliance regulations.

Navigating the process can be particularly intimidating. And understanding the core requirements and expectations of the department is key to ensuring a positive outcome.

At FUJIFILM CodeBlue we understand the potential impact this has on you as well as on the services we provide. Working together, in partnership, is the best way forward.

The ultimate objective for RFFR accreditation?

For employment service providers and deed holders to be tender ready by September 2021.
If you’re on the ISO 27001 path to accreditation you must consider DESE’s core requirements and expectations, as a standard ISO 27001 certificate may not be seen as meeting all requirements.

ISO 27001 Considerations

Achieving a compliance state equal to level 3 of the Essential Eight (E8) Maturity model. Achieving this should be a joint effort between yourself and your managed service provider (MSP), as many controls will require action within your environment. You’ll also need to define how your MSP implements the model.Another key point for providers: you will need to ensure your chosen certification body is also accredited. At a minimum, the body needs to be at least aware of the customised nature of the ISO 27001 certification process and audit considerations.It is highly recommended that you receive DESE endorsement of both your certification scope and State of Applicability (SoA) before official audits take place.
Including the Government’s Information Security Manual (ISM) controls in your certification scope and SoA.
Having a clearly defined scope around the context of your organisation.
This extends to:
– Physical security
– Legal
– Business
– Personnel
– Logical data boundaries
– External/interested parties
– Deed requirements
– ISM and more.
You are categorised by your case load. A case load greater than 2000 requires a customised ISO 27001 certification by September 2021. If your case load is less than 2000 you can self-assess, but the same process is applicable.

The RFFR requires a customised ISO 27001 certification including a customised ISO 27001 audit.

The three key milestones of Right Fit For Risk (RFFR)

Milestone 1: Business Maturity Assessment

The initial maturity of information security within your organisation is assessed against the Australian Signals Directorate (ASD) E8 maturity model.

It is important to work closely with the DESE through this process, as it will inform the guidance and approach required to advance smoothly to the next milestone.

Milestone 2: Implementing a customised ISO27001 standard

The entire organisation is responsible for information security as it impacts people, process, and technology.

The RFFR approach requires the implementation of an Information Security Management System. It also seeks to obtain a customised ISO 27001 certification.

This means in addition to the 114 annex A controls related to ISO 27001, your scope should – at a minimum – incorporate all ISM controls.

What are some key considerations for those undertaking this process?

Identify all information security related assets
Set the scope of your certification
Perform threat analysis and risk assessments to determine all unacceptable risks
Perform a gap analysis to determine the required mitigation
Develop your SOA

Milestone 3: RFFR Accreditation

You’ll need to ensure:

You’ve incorporated all the RFFR requirements into your scope
You’ve considered all the ISM controls
Your certification body is aware of the customised nature of the ISO 27001 certification you require.

Certification audits

ISO 27001 -2013 certification involves three official audits from recognised and JAS-ANZ accredited external certification bodies. Two relate to the official stage 1 and stage 2 audits performed by the same certification body.

You are required to engage a different certification body to perform an “Internal Audit” usually conducted prior to the stage 2 audit.

Going through your RFFR accreditation?

We can partner with you to get you there. We have a team of experts ready to support and advise your transition.

Speak to our experts now

Get to know the experts

Pankit MehtaCyber Security Practice Lead

Pankit Mehta is a seasoned cybersecurity professional with extensive experience in managing and delivering comprehensive solutions. As the Cybersecurity Practice Manager, he leads a team dedicated to developing and implementing robust security strategies that protect clients from evolving threats.

With a strong background in threat intelligence, risk assessment, and incident response, Pankit focuses on enhancing organisational security through innovative and proactive measures. A skilled communicator, he collaborates closely with clients to address unique challenges and deliver tailored services that ensure business continuity and compliance.