Right Fit for Risk (RFFR) was created in 2019 by Australia’s Department of Education, Skills and Employment (DESE) with an aim to ensure that providers, such as educational institutions, meet DESE’s information security contractual requirements at their workplace.
In this blog we will discuss Right Fit for Risk DESE, procedure to get certification, and how to comply with it.
What is Right Fit For Risk DESE?
Recognising that the ISO 27001 baseline criteria do not fully satisfy the particular and developing regulatory requirements for providers, the department has implemented various additional mitigation methods to fill these security gaps. These new policies is known as the ‘Right Fit for Risk.’
Right Fit for Risk does not weaken or decrease current ISO 27001 standards but rather enhances them to establish an Information Security Management System tailored to the demands and duties of the department’s suppliers.
However, you must also develop a Statement of Applicability that considers your organization’s specific security risks and needs, as well as the applicability of controls outlined in the Australian Information Security Manual.
Under the RFFR, providers having a caseload of 2000 or more cases per year must achieve certification to the department’s contractual requirements Declaration of Applicability.
Statement of Applicability
Organisations must submit a Declaration of Applicability as part of the Right Fit for Risk and DESE ISMS Programme (SOA – Statement of Applicability).
The Statement of Applicability (SOA) is a central document that explains and specifies your organization’s information security implementation. To begin preparing your SOA, identify the controls in the Australian Government’s Information Security Handbook and evaluate whether they are appropriate, which risk or business necessity drives it, and how they will be applied.
Department of Education, Skills, and Employment’s (DESE) Scheme
According to the Department of Education, Skills, and Employment’s (DESE) new Information Security Management Plan, all providers of employment skills, training, and disability employment services must be ISO27001 and Right Fit for Risk certified.
The scheme aims to guarantee that suppliers follow the department’s contractual and legal commitments. These duties are intended to ensure that the department’s IT environment and private data are handled responsibly using an Information Security Management System namely, ISO 27001 and the Information Security Manual by the Australian Government.
Right Fit for Risk DESE Process
Since the Department is the scheme’s certifying authority, organisations must check in at three stages along the Right Fit for Risk DESE certification process.
Milestone 1 – Business Maturity Assessment
Milestone 1 dictates how your company utilises information and controls security. The ASD Essential Eight maturity model is used to measure your organization’s initial information security maturity.
You should collaborate closely with DESE throughout this process since the Department will offer the guidelines and methodology required to go forwards to the next milestone.
Milestone 2 – Statement of Applicability and ISO 27001 Accreditation
Milestone 2 necessitates the installation of a customised Information Security Management System as well as complete ISO 27001 certification.
This implies that your scope should include the controls stated in the Australian Government’s Information Security Handbook in addition to the 114 annex A controls in ISO 27001.
You must also submit a Declaration of Applicability, which indicates if the controls in the ISM are applicable to your organisation and how you have implemented these controls, as previously noted.
Milestone 3 – RFFR Accreditation
To pass milestone 3, you must show that the ISMS and associated controls have been effectively implemented. Check that you have included the RFFR requirements in your ISMS and scope, as well as all of the ISM controls. You should also notify your certifying authority of the customised nature of the ISO 27001 certification so that you may obtain the necessary accreditation.
Maintaining RFFR Accreditation
An RFFR-accredited organisation and all of its subcontractors must maintain its certification status by submitting yearly reports and being monitored for conformity with RFFR criteria.
An organisation that already has an accreditation must perform the annual and triennial audits on the dates the accreditation was granted.
Right Fit For Risk – Core Expectations
To maintain and improve your security posture, the RFFR strategy needs you to define and maintain a set of fundamental security criteria.
The Australian Essential Eight Cyber Security strategies and basic expectations can assist your organisation in developing a strong security framework.
RFFR Core Expectations for Personnel Security
Some steps must be followed when hiring new employees in accordance with RFFR requirements:
- Identify and confirm the individual’s identification.
- Evaluate the individual’s competency by verifying the credentials, certificates, and experience indicated on their Curriculum Vitae.
- A good police check must be obtained for the individual.
- Working with vulnerable persons’ checks must be completed properly.
- To work in Australia, an individual must have legitimate work entitlements.
- Ascertain that the individual has completed the introductory security awareness training with topics relevant to their employment.
- The contract must include terms that ensure information security and non-disclosure standards are met even after the contract is terminated.
- People with privileged or administrative positions in your organisation should be subject to greater levels of assurance.
RFFR Core Expectations for Physical Security
Organizations must guarantee that physical security measures reduce the risk of information and physical assets being stolen or lost.
- Inaccessible or inoperable.
- Accessed, utilised, or removed without authorisation.
Physical security criteria must be met by all organisations. Commercial-quality facilities must be situated in Australia. Working from home necessitates that organisations guarantee that the home environment is just as secure as the office environment in terms of protecting employees, program data, and IT infrastructure.
RFFR Core Expectations for Cyber Security
To ensure cyber security, organisations must employ security measures such as the ‘Essential Eight’ cyber security strategies, information security risk management, information security monitoring, handling cybersecurity incidents, and limited access restrictions to the staff.
How can Anitech help in achieving Right Fit for Risk DESE Accreditation?
Anitech offers customised assistance to help you acquire certification as quickly as feasible. We can help you develop a path to certification that presents the least amount of resistance, no matter where you are in your ISO27001 and RFFR journey.
Our experienced ISMS consultants will audit your existing security posture and can help you in obtaining contractual Compliance with DESE’s scheme by helping with the following:
- Enhancing and comprehending your overall security maturity and posture.
- Assessing hazards that pose a threat to your organization’s goals and objectives.
- Choosing the appropriate security procedures for your company.
- Putting together your Declaration of Applicability.
- Increasing the long-term efficacy of your ISMS.
- Obtaining ISO27001 compliance.
- Choosing the proper Microsoft security tool package to help in the deployment of your ISMS.
To book an appointment with Anitech’s ISMS consultant, call us at 1300 802 163 or email info@anitechgroup.com
Our team will be happy to help!
Stay tuned to Anitech website for more blogs
