Process for accreditation

To demonstrate that a secure ICT environment has been implemented all Providers are required to undertake an accreditation process with the Department.

The Department is the accrediting authority and is required to assess and verify Providers as meeting the requirements under the Right Fit for Risk (RFFR) framework.  This accreditation process is applicable to:

  • Employment Services Providers
  • Australian Apprenticeships Support Network Providers
  • Certain Skills program Providers and
  • Third Party Employment and Skills systems (TPES) vendors.

Process Overview

The RFFR requires Providers to complete a set of milestones and check in with the Department so that progress can be reviewed and risk assessed, and to seek guidance on meeting the Department’s requirements.

The milestones are designed to allow Providers to assess the level of cyber security measures their organisation has in place and to implement any improvements identified. At the same time, Providers establish a customised Information Security Management System (ISMS) within their business that conforms with ISO 27001.

The Department requires Providers to complete three milestones in the accreditation process. Once the Provider has demonstrated that risks to systems and government information are low after completing the final milestone, the Department will provide the required accreditation.

Milestone 1 - Scope/context

Milestone 1 requirements

Respondents to relevant Requests for Proposal or Tender (RFP or RFT) are required to submit a completed RFFR questionnaire to the Department on how they use information and manage security. The completed questionnaire provides the Department with information regarding the respondent’s business, IT security posture, subcontracting arrangements, and readiness to meet RFFR requirements.

Milestone 1 is initiated through the submission of an RFFR questionnaire required as part of a Provider’s RFP/RFT response. The Department will review the RFFR questionnaire, assess risk and provide guidance to Providers on completing subsequent Milestones of the RFFR accreditation process as relevant.

On the execution of a Deed, the Department will engage with the Provider to discuss their IT security posture and next steps toward RFFR accreditation.

Assessment method

Review of submitted RFFR Questionnaire and discussion

Submission deliverables

RFFR Questionnaire submitted by the Provider

Key actions and outcomes

The Provider and Department representatives will discuss the Provider’s business, stakeholders, contractual obligations, information, systems and practices to assist the Provider to determine the scope of their Information Security Management System. This discussion will also allow the Department to consider Provider risks and assign the Provider to a Category.

Unaccredited Providers: The Department will confirm the Provider’s categorisation and the associated RFFR assurance requirements for completing Milestones 2 and 3. Providers intending to deliver Services to fewer than 2,000 individuals will review additional risk factors with the Department to determine whether the Provider should be classified into Category 2A or 2B.

Providers part way through an existing accreditation process: Existing Providers who are part way through an accreditation process for delivering Services under an existing Employment Deed should take steps as advised in the purchasing documentation.

Accredited Providers with new Deeds: The Department will review the extent of changes to the Provider’s scope of Services and determine if the Provider should be in a different category. If no significant changes have occurred, accredited Providers do not need to complete Milestones 2 and 3 and need only maintain their RFFR accreditation.

Next Steps

For large organisations, it is recommended that the Provider appoint a champion within the organisation to ensure compliance with the RFFR.

Commence development of documentation required by the Provider’s category (see Provider Classification for Accreditation for details).

Identify where existing security controls meet RFFR requirements, and where there are gaps requiring that additional controls be implemented.

Due dates

Employment Service Providers - Completed within one month of Deed execution by the Department.

Australian Apprenticeships Support Network Providers - Completed within one month of Deed execution by the Department.

Other programs – as advised by the Department’s Program Manager

Third Party Employment and Skills Systems Vendors – No required timeframe for completion.

Milestone 2 - Design

Milestone 2 requires Providers to demonstrate their ISMS has been designed to reflect RFFR requirements applicable for their Category (as advised at Milestone 1). Providers are required to demonstrate that appropriate security controls are planned to be implemented within the organisation through submission of required documentation.

The process for completing Milestone 2 depends on the Provider’s Category. This Milestone does not apply to Category 2B Providers, who instead proceed directly to Milestone 3.

Reference guides, materials and templates to support Milestone 2 written submissions are available below (see Templates for submission). It is not mandatory to use the Department’s templates.

The table below details the requirements for Providers to achieve Milestone 2.

Milestone 2 requirements

Category 1 Provider including TPES

Submission deliverables
  • ISMS scope
  • Statement of Applicability (SoA) reflecting RFFR requirements
  • Independent assessor’s Stage 1 report

Implementation status
Provider’s ISMS expected to substantially conform with ISO 27001 requirements; however, applicable controls sourced from ISO 27001 Annex A and the Australian Government Information Security Manual are not expected to be implemented at this stage.

Assessment method
Independently assessed by a JAS-ANZ accredited ISO 27001 Conformance Assessment Body

Outcomes to progress to Milestone 3
Department acceptance of submission deliverables

Next steps
Implement the ISMS in accordance with its design

Category 2A Provider

Submission deliverables
  • ISMS scope
  • SoA reflecting RFFR requirements
  • ISMS Self-assessment report (conformance)

Implementation status
Provider’s ISMS expected to substantially conform with ISO 27001 requirements; however, applicable controls sourced from ISO 27001 Annex A and the Australian Government Information Security Manual are not expected to be implemented at this stage.

Assessment method
Self-assessed by business owners

Outcomes to progress to Milestone 3
Department acceptance of submission deliverables

Next steps
Implement the ISMS in accordance with its design

Category 2B Provider

Milestone 2 does not apply to Category 2B Providers, who instead proceed directly to Milestone 3.

Due dates (Category 1 and Category 2A Providers)

Employment Service Providers - Completed within 3 months from the Deed Commencement Date.

Australian Apprenticeships Support Network Providers - Completed within 3 months from the Deed Commencement Date.

Other programs – as advised by the Department’s Program Manager

Third Party Employment and Skills Systems Vendors – No required timeframe for completion.

Milestone 3 - Implementation

Milestone 3 emphasises the Provider’s progress towards conforming with ISO 27001 and implementing the controls applicable to the organisation. While all applicable controls are important, priority should be given to ensuring conformance with the controls that support the RFFR core expectations.

If controls are not fully implemented at the point of the Milestone 3 submission, Providers are required to inform the Department of when they expect each applicable control to be fully in place and when any remaining areas of non-conformance will be addressed.

Providers should be aware that applicable but unimplemented controls (and remaining areas of non-conformance) will impact the Department’s assessment of residual risk associated with the Provider, and the Department’s decision to accredit the Provider.

The Department does not discourage any Category 2A and 2B Providers from seeking ISO 27001 certification as there may be significant perceived or actual benefits to other aspects of the Provider’s business. 

The table below lists the requirements for Providers to achieve Milestone 3.

Milestone 3 requirements

Category 1 Provider including TPES

Submission deliverables
  • Updated SoA identifying the current implementation status of applicable controls and the applicability decision for new or changed controls published since the SoA’s last review
  • Independent assessor’s “Stage 2” report attesting to the Provider’s conformance with ISO 27001 and the status of all applicable controls in the Provider’s SoA
  • ISO 27001 or DESE ISMS Certificate (when available)

Implementation status
Provider’s ISMS conforms with ISO 27001 and controls applicable to the organisation have been implemented.

Assessment method
Independently assessed

Outcomes to complete process
  • Department acceptance of submission deliverables
  • RFFR accreditation

Next steps
  • Address any remaining minor non-conformances
  • Implement remaining applicable controls (if any)
  • Monitor the ISMS

Category 2A Provider

Submission deliverables
  • Updated SoA identifying the current implementation status of applicable controls and the applicability decision for new or changed controls published since the SoA’s last review (as for Category 1)
  • ISMS self-assessment report (implementation)

Implementation status
Provider’s ISMS conforms with ISO 27001 and controls applicable to the organisation have been implemented.

Assessment method
Self-assessed

Outcomes to complete process
  • Department acceptance of submission deliverables
  • RFFR accreditation

Next steps
  • Address any remaining minor non-conformances
  • Implement remaining applicable controls (if any)
  • Monitor the ISMS

Category 2B Provider

Submission deliverables
  • Management Assertion Letter

Implementation status
Controls supporting specific security objectives have been implemented.

Assessment method
Self-assessed

Outcomes to complete process
  • Department acceptance of submission deliverables
  • RFFR accreditation

Next steps
  • Monitor performance of security controls

Due dates (all categories)

Employment Service Providers - Completed within 9 months from the Deed Commencement Date.

Australian Apprenticeships Support Network Providers - Completed within 9 months from the Deed Commencement Date.

Other programs – as advised by the Department’s Program Manager

Third Party Employment and Skills Systems Vendors – No required timeframe for completion.

Templates for submission

To assist Providers in completing the accreditation Milestones, the Department makes standard templates available for Providers to use.

The Department does not require Providers to use any specific template, except for the RFFR questionnaire. Providers may use alternative templates that comply with ISO 27001 requirements, supplemented to reflect RFFR requirements.

Templates for a Category 2B Provider submission will be provided by the Department on confirmation of the Provider’s category.

Templates by Provider Category and applicable Milestone

Category 1 and TPES Vendors
  • Milestone 1 - RFFR Questionnaire and Interview
  • Milestone 2 and Milestone 3 - ISMS Scope; Statement of Applicability

Category 2A
  • Milestone 1 - RFFR Questionnaire and Interview
  • Milestone 2 and Milestone 3 - ISMS Scope; Statement of Applicability; ISMS Self-assessment report

Category 2B
  • Milestone 1 - RFFR Questionnaire and Interview
  • Milestone 3 - Management assertion letter (template will be provided directly on confirmation of Provider category)