Accreditation maintenance

Requirements to Maintain Accreditation

During the lifespan of their Deed/s, Providers and their Subcontractors who are Right Fit for Risk (RFFR) accredited are required to maintain their certification status through annual reporting and surveillance audits to ensure compliance with the RFFR standards. Providers with an existing accreditation will need to complete the annual and 3-yearly audits based on the date on which the Department's accreditation was granted.

If, at any time during the accreditation maintenance period, a change to a Provider’s (or their Subcontractor’s) circumstances alters the risk profile of the organisation, the Department will reassess the Provider’s accreditation status. This includes when the Provider or their Subcontractor:

  • enters a new Deed with the Department
  • changes its subcontracting arrangements (from one Subcontractor to another, or introduces a new Subcontractor)
  • changes its Third Party IT Vendors who are supporting their IT environments
  • has a change in classification from Category Two to Category One

The Provider must notify the Department within 5 Business Days of a change in circumstance.

ISM controls are regularly added and changed. Providers should regularly review these to consider whether the controls are applicable to their business and whether any of the controls should form part of their accredited ISMS. The SoA should be regularly revised to demonstrate the Provider's consideration of new or changed ISM controls. Where a new or changed control is determined to be applicable but has not been fully implemented by the time of the Provider's annual submission, Providers should ensure their SoA also includes details of their planned actions to address these matters and an expected completion date for each.

The following table details the requirements for Providers to maintain their accreditation once it has been granted. Note that the timing of the annual and 3-yearly audits applies from the date of accreditation.

Annual requirements by accreditation type
(Submission is required 6 weeks prior to the Annual Anniversary of Accreditation)

Certified ISMS (Category 1 Providers and Third Party Employment and Skills System vendors)
  • Updated Scope document describing any changes to the provider’s operating environment
  • Statement of Applicability in Excel format including current implementation status, implementation details, implementation plan and implementation date
  • Annual surveillance report
  • ISO 27001 or DESE ISMS Certificate
  • Details of action plans

Self-assessed ISMS (Category 2A Providers)
  • Updated Scope document describing any changes to the provider’s operating environment
  • Statement of Applicability in Excel format including current implementation status, implementation details, implementation plan and implementation date
  • Updated ISO 27001 Self-assessment report (ensure that the self-assessment report references your current Statement of Applicability version)
  • Details of action plans

Management Assertion (Category 2B Providers)
  • Management Assertion Letter, which includes an annual declaration from the provider
  • Statement of Applicability in Excel format including current implementation status, implementation details, implementation plan and implementation date
  • Details of action plans

Further details on the Provider classification requirements can be found on the Provider Classification page.