Where do I start?
There are many free and paid resources available to help you to design an Information Security Management System (ISMS) in accordance with ISO 27001. You should begin by reading all of the published guidance on our website here: Accreditation support resources.
I am a Category 1 Provider and I am currently ISO 27001 certified. The certification does not cover Australian Government Information Security Manual (ISM) controls in my Statement of Applicability (SoA). How do I approach my upcoming RFFR milestone?
You must either:
- a) update your ISO 27001 certification to include the RFFR requirements (including the ISM controls) within the scope of your ISMS, or
- b) attain a DEWR ISMS Scheme certification (previously the DESE ISMS Scheme).
If you wish to pursue option a) to update your existing ISO 27001 certification, you must contact your Certification Body (also known as the auditor). You will need to discuss the scope of your next audit, whether that is a surveillance audit or recertification. You must inform the Certification Body that your SoA contains additional controls sourced from the ISM so that they can create an accurate audit plan. The specific audit activities will need to be confirmed with the Certification Body, as they will be different depending on the audit stage. Once the audit is complete and your certification is updated, the audit report and certificate should be suitable for RFFR submission along with the rest of the deliverables for the milestone.
If you wish to pursue option b) to attain a DEWR ISMS Scheme certification, you must request this from your Certification Body. If they are accredited by JASANZ to do so, then you may proceed with the audit. If not, you can find a Certification Body that is accredited to conduct DEWR ISMS Scheme certifications via the JASANZ website. Your Certification Body will determine the type of audit required (e.g. transition), depending on your circumstances. Once the audit is complete, the audit report and certificate should be suitable for RFFR submission along with the rest of the deliverables for the milestone.
For more detail, please see the Accreditation resources: Accreditation support resources.
I am a Category 1 Provider and am planning my certification. What is the difference between an ISO 27001 certification and a DEWR ISMS Scheme certification?
For context, your ISMS must be designed and implemented in accordance with the ISO 27001 standard to meet all your legal, regulatory, and contractual obligations, including the RFFR requirements. Independent certification of your ISMS provides assurance to the department that it is effectively meeting these requirements. The certification standards are separate from the ISO 27001 standard.
A standard ISO 27001 certification will still need to cover your entire SoA, including the controls sourced from the ISM, in order to accurately cover your RFFR-related services. You will need to inform your Certification Body that your SoA contains these additional controls. This will ensure they can create an accurate audit plan with sufficient timings. The audit report must reference the SoA by version/date and must provide information regarding the status of both Annex A and ISM-sourced applicable controls. The standard ISO 27001 certification is limited in its ability to verify that all obligations have been identified and addressed, so the department created the DEWR ISMS Scheme.
A DEWR ISMS Scheme certification incorporates the RFFR requirements into the audit process to ensure the ISMS is scoped and audited correctly. The auditors must hold relevant experience to ensure the more detailed controls are accurately verified.
You may discuss the two options with your Certification Body to determine which one is best for you.
Do I need to update my SoA every time there is a new release of the ISM?
It is best practice to perform a gap analysis against the latest ISM as soon as possible after it is released, or at least when a new RFFR SoA template is released. Benefits in doing this include:
- risks can be addressed as soon as the Australian Signals Directorate (ASD) has deemed a control to be relevant to the security of “not classified” and OFFICIAL: Sensitive information;
- it is typically less onerous to address a small update every 3 months, rather than one large update shortly before an audit or RFFR milestone; and
- it allows more time to implement new applicable controls before an audit or RFFR milestone, minimising the chance of receiving non-conformities.
I am planning an upcoming audit. Does the auditor need to verify all the controls in my SoA?
In accordance with your internal processes, you must continuously maintain your ISMS and its SoA. This should include addressing new or updated controls in the quarterly ISM updates.
At the time of the audit, the audit activities will be different depending on the audit stage (e.g. stage 2, surveillance, etc.). Your SoA must always be presented in full to the auditor. Normally, a stage 2 or recertification audit will involve a verification of all applicable controls, while a surveillance audit will involve a verification of a subset of controls. However, you must confirm the activities with your Certification Body, as the department does not control the underlying auditing standards. If you still have concerns after discussing this with your Certification Body, you may contact the department (securitycompliancesupport@dewr.gov.au). The department may liaise with JASANZ as the relevant authority on auditing standards.
I am discussing certification requirements with my Certification Body (also known as the auditor) and we have questions for the department. Can the Certification Body contact the department directly?
Yes. The Certification Body may direct their queries to the Security Compliance Support mailbox: securitycompliancesupport@dewr.gov.au.
What changes in circumstances should I advise the department about that might affect my RFFR accreditation?
If the change alters the risk profile of your organisation, the department will reassess the accreditation status. This includes, but is not limited to, when your organisation:
- enters or terminates a Deed with the department
- changes its subcontracting arrangements (e.g. from one Subcontractor to another, or introduces a new Subcontractor)
- introduces new software, plugins, or cloud services
- changes the Third-Party IT Vendors who support its IT environment
- believes its category may have changed (e.g. from Category 2 to Category 1)
As outlined in Chapter 4.8 of the Workforce Australia Guidelines - Part A: Universal Guidelines (PDF), you must notify the department within 5 business days of a change in circumstance via the Security Compliance Support mailbox: securitycompliancesupport@dewr.gov.au.
I believe my organisation should be a different category for RFFR purposes. What should I do?
In the first instance, your organisation should review the categorisation requirements on the following webpage: Provider classification for accreditation.
If you believe your organisation falls under a different category, you must notify the department in writing, providing relevant reasons. The department may hold a categorisation meeting to formally document your organisation’s new characteristics and determine whether the category should be changed.
If your category is changed, the department will determine a transition plan with appropriate timings for your future RFFR milestones.
Can I discuss my upcoming RFFR milestone with an assessor?
Yes, feel free to contact the department, who will ensure an assessor engages with you on your upcoming submission. Our assessors can provide guidance through each milestone and can help you find relevant resources on this website, the ASD website, and vendor websites.