In late 2019, Australia’s Department of Education, Skills and Employment (DESE) established Right Fit for Risk (RFFR), a certification program that verifies that suppliers, such as educational institutions, satisfy DESE’s contractual criteria for information security.
The DESE Information Security Management Scheme augments the ISO/IEC 27001 baseline with additional controls drawn from the Australian Government’s Information Security Manual (ISM).
Right Fit for Risk (RFFR)
The Right Fit for Risk (RFFR) scheme aims to supplement ISO/IEC 27001’s baseline requirements with additional controls established by the Australian Government’s Information Security Manual (ISM) and the evolving legal, security, and technical requirements for providers’ information security management systems (ISMS).
You must also create a Statement of Applicability (SoA) that reflects your organization’s particular security risks and needs and records which controls from the Australian Government’s Information Security Manual (ISM) apply to you.
Your SoA should cover the RFFR core requirements, including the Australian Cyber Security Centre’s Essential Eight mitigation strategies, personnel security and data sovereignty.
Statement of Applicability
Organizations must submit a Statement of Applicability (SoA) as part of the Right Fit for Risk and DESE ISMS programme.
The SoA is the central document that describes and justifies your organization’s information security implementation. To prepare it, list the controls from the Australian Government’s Information Security Manual (ISM) and, for each control, record whether it applies, which risk or business need drives that decision, and how it is (or will be) implemented. Controls you exclude must be justified as well, since the reasoning behind every exclusion is examined at audit.
Objective of Right Fit for Risk (RFFR) Accreditation
If you’re on the ISO 27001 path to accreditation, you must also consider DESE’s core requirements and expectations: a standard ISO 27001 certificate on its own meets only some of them.
ISO 27001 Considerations
1) Reaching Maturity Level 3 of the Essential Eight (E8) Maturity Model. Many of the controls will require action inside your own environment, but where you rely on a Managed Service Provider (MSP), achieving this should be a collaborative effort, and you will need to specify how your MSP will apply the model on your behalf.
Another key point for providers is that they should ensure their chosen certification body is accredited. At the very least, the body must be aware of the customised nature of the ISO 27001 certification process and audit concerns.
You are strongly advised to obtain DESE approval for both your certification scope and your Statement of Applicability (SoA) before conducting formal audits.
2) Including the controls from the Australian Government’s Information Security Manual (ISM) in your certification scope and SoA.
3) Having a well-defined scope based on your organization’s environment.
This extends to:
– Physical security
– Logical data boundaries
– External/interested parties
– Deed requirements
– ISM controls and any other applicable requirements.
4) Your caseload determines how you are assessed. Providers with a caseload of more than 2000 must obtain a tailored ISO 27001 certification by September 2021. Providers with a caseload below 2000 can self-assess, but the same approach applies, because RFFR is built around a customised ISO 27001 certification and a correspondingly customised ISO 27001 audit.
Milestone 1: Business Maturity Assessment
The initial maturity of your organization’s information security is measured against the Australian Signals Directorate’s (ASD) E8 maturity model.
Collaborating closely with DESE throughout this process is critical, since it will shape the guidelines and approach needed to move forward smoothly to the next milestone.
Milestone 2: Implementing a Customised ISO 27001 Standard
Information security is the entire organization’s responsibility since it affects people, processes, and technology.
The RFFR strategy requires the establishment of an Information Security Management System (ISMS) and, on top of it, a customised ISO 27001 certification.
This means that in addition to the 114 Annex A controls of ISO/IEC 27001:2013, your scope and SoA must, at a minimum, address all ISM controls.
Here are some key considerations for those undertaking the process:
- Identify all assets relevant to information security.
- Establish the scope of your certification.
- Carry out threat analysis and risk assessments to identify any unacceptable risks.
- Carry out a gap analysis to establish the mitigations you need.
- Create your SoA.
Milestone 3: RFFR Accreditation
Before seeking accreditation, ensure the following:
- You’ve included all of the RFFR criteria in your scope.
- You’ve considered all of the ISM controls.
- Your certifying body understands the customised nature of the ISO 27001 certification you are seeking.
Certification to ISO/IEC 27001:2013 involves three audits. Two are the formal stage 1 and stage 2 audits, which must be performed by the same recognised, JAS-ANZ-accredited external certification body.
The third is an internal audit, normally performed before the stage 2 audit; organisations without the in-house expertise should engage an experienced ISMS consultant to carry it out.
Benefits of Right Fit for Risk for Australian Organisations
Organisations can gain the following benefits from Right Fit for Risk accreditation:
1. Tailored Protection:
By selecting a risk management strategy appropriate to their specific needs and risk profile, organisations can ensure that their resources are allocated where they mitigate risk most effectively.
2. Cost Savings:
A Right Fit for Risk approach can save money by avoiding overinvestment in unnecessary or excessive risk management measures while maintaining an appropriate level of protection.
3. Improved Decision-making:
By conducting a comprehensive risk assessment and selecting a risk management strategy that aligns with their risk profile, organisations can make better-informed decisions about resource allocation, investment and risk mitigation.
4. Regulatory Compliance:
Adopting a Right Fit for Risk approach helps organisations comply with regulatory requirements and industry standards, ensuring they meet the necessary criteria for cybersecurity accreditation.
5. Improved Stakeholder Trust:
By demonstrating a proactive approach to risk management and cybersecurity, organisations can enhance stakeholder trust and confidence in their ability to protect sensitive data and systems.
If you want Anitech’s experienced ISMS consultants to help strategize and implement all the steps required to achieve the Right Fit For Risk Accreditation, you can call us at 1300 802 163 or email us at email@example.com
Our team will be happy to help!
Stay tuned to the Anitech website for more blogs.