Process for accreditation

To demonstrate that a secure ICT environment has been implemented all Providers are required to undertake an accreditation process with the Department.

Process Overview

The RFFR requires Providers to complete a set of milestones and check in with the Department for progress to be reviewed, risk assessed and to seek guidance on meeting the Department’s requirements.

The milestones are designed to allow Providers to assess their organisation’s level of cyber security measures in place and implement any improvements identified. This is done at the same time as gaining a customised Information Services Management System (ISMS) in their business that conforms with ISO 27001.

The Department requires Providers to complete three milestones in the accreditation process. Once the Provider has demonstrated that risks to systems and government information are low after completing the final milestone, the Department will provide the required accreditation.

Milestone 1 - Scope/context

Milestone 1 requirements

Respondents to relevant Requests for Proposal or Tender (RFP or RFT) are required to submit a completed RFFR questionnaire to the Department on how they use information and manage security. The completed questionnaire provides the Department with information regarding the respondent’s business, IT security posture, subcontracting arrangements, and readiness to meet RFFR requirements.

Milestone 1 is initiated through the submission of a RFFR questionnaire required as part of a Provider’s RFP/RFT response. The Department will review the RFFR questionnaire, assess risk and provide guidance to Providers on completing subsequent Milestones of the RFFR accreditation process as relevant.

On the execution of a Deed, the Department will engage with the Provider to discuss their IT security posture and next steps toward RFFR accreditation.

Assessment method	Review of submitted RFFR Questionnaire and discussion
Submission deliverables	RFFR Questionnaire submitted by the Provider
Key actions and outcomes	The Provider and Department representatives will discuss the Provider’s business, stakeholders, contractual obligations, information, systems and practices to assist the Provider to determine the scope of their Information Security Management System. This discussion will also allow the department to consider Provider risks and assign them to a Category. Unaccredited Providers: The Department will confirm the Provider’s categorisation and the associated RFFR assurance requirements for completing Milestone 2 and 3. Providers intending to deliver Services to fewer than 2,000 individuals will review additional risk factors with the Department to determine whether the Provider should be classified into Category 2A or 2B. Providers part way through an existing accreditation process: Existing Providers who are part way through an accreditation process for delivering Services under an existing Employment Deed should take steps as advised in the purchasing documentation. Accredited Providers with new Deeds: The Department will review the extent of changes to the Provider’s scope of Services and determine if the Provider should be in a different category. If no significant changes have occurred, accredited Providers do not need to complete Milestones 2 and 3 and need only maintain their RFFR accreditation.
Next Steps	For large organisations it is recommended Providers appoint a champion within the organisation to ensure compliance with the RFFR. Commence development of documentation required by the Provider’s category (see Provider Classification for Accreditation for details). Identify where existing security controls meet RFFR requirements, and where there are gaps requiring that additional controls be implemented.
Due dates	Employment Service Providers - Completed within one month of Deed execution by the Department. Australian Apprenticeships Support Network Providers - Completed within one month of Deed execution by the Department Other programs – as advised by the Department’s Program Manager Third Party Employment and Skills Systems Vendors – No required timeframe for completion.

Milestone 2 - Design

Milestone 2 requires Providers to demonstrate their ISMS has been designed to reflect RFFR requirements applicable for their Category (as advised at Milestone 1). Providers are required to demonstrate that appropriate security controls are planned to be implemented within the organisation through submission of required documentation.

The process for completing Milestone 2 depends on the Provider’s Category. This Milestone does not apply to Category 2B Providers who instead proceed directly to Milestone 3.

Reference guides, materials and templates to support Milestone 2 written submissions are available below. It is mandatory to use the Department’s templates including the Scope document, Statement of Applicability (SoA), and Self-assessment template, in order to progress with an RFFR assessment.

The table below details the requirements for Providers to achieve Milestone 2.

Milestone 2 requirements

	Category 1 Provider including TPES	Category 2A Provider	Category 2B Provider
Submission deliverables	ISMS scope Statement of Applicability (SoA) reflecting RFFR requirements Independent assessor’s Stage 1 report	ISMS scope SoA reflecting RFFR requirements ISMS Self-assessment report (conformance)	Does not apply to Category 2B Providers who instead proceed directly to Milestone 3.
Implementation status	Provider’s ISMS expected to substantially conform with ISO 27001 requirements, however applicable controls sourced from ISO27001 Annex A and the Australian Government Information Security Manual are not expected to be implemented at this stage	Provider’s ISMS expected to substantially conform with ISO 27001 requirements, however applicable controls sourced from ISO27001 Annex A and the Australian Government Information Security Manual are not expected to be implemented at this stage
Assessment method	Independently assessed by a JAS-ANZ accredited ISO 27001 Conformance Assessment Body	Self-assessed by business owners
Outcomes to progress to Milestone 3	Department acceptance of submission deliverables.	Department acceptance of submission deliverables.
Next steps	Implement the ISMS in accordance with its design	Implement the ISMS in accordance with its design
Due dates	Employment Service Providers - Completed within 3 months from the Deed Commencement Date. Australian Apprenticeships Support Network Providers - Completed within 3 months from the Deed Commencement Date. Other programs – as advised by the Department’s Program Manager Third Party Employment and Skills Systems Vendors – No required timeframe for completion.	Employment Service Providers - Completed within 3 months from the Deed Commencement Date. Australian Apprenticeships Support Network Providers - Completed within 3 months from the Deed Commencement Date. Other programs – as advised by the Department’s Program Manager Third Party Employment and Skills Systems Vendors – No required timeframe for completion.

Milestone 3 - Implementation

Milestone 3 emphasises the Provider’s progress to conforming with ISO 27001 and implementing the controls applicable to the organisation. While all applicable controls are important, priority should be on ensuring conformance with controls that support the RFFR core expectations.

If not fully implemented at the point of the Milestone 3 submission, Providers are required to inform the Department of their expectation as to when each applicable control will be fully in place and when any remaining areas of non-conformance will be addressed.

Providers should be aware that applicable but unimplemented controls (and remaining areas of non-conformance) will impact the Department’s assessment of residual risk associated with the Provider, and the Department’s decision to accredit the Provider.

The Department does not discourage any Category 2A and 2B Providers from seeking ISO 27001 certification as there may be significant perceived or actual benefits to other aspects of the Provider’s business.

The table below lists the requirements for Providers to achieve Milestone 3.

Milestone 3 requirements

	Category 1 Provider including TPES	Category 2A Provider	Category 2B Provider
Submission deliverables	Updated Scope document describing any changes to the Provider’s operating environment Updated SoA identifying the current implementation status of applicable controls and the applicability decision for new or changed controls published since the SoA’s last review Independent assessor’s “Stage 2” report. This can be either an ISO 27001 or DESE ISMS Scheme report. RFFR does not require a Provider to have both audits completed ISO 27001 or DESE ISMS Certificate (when available)	Updated Scope document describing any changes to the Provider’s operating environment Updated SoA identifying the current implementation status of applicable controls and the applicability decision for new or changed controls published since the SoA’s last review ISMS self-assessment report (implementation)	Management Assertion Letter Updated SoA (abridged)
Implementation status	Provider’s ISMS conforms with ISO 27001 and controls applicable to the organisation have been implemented	Provider’s ISMS conforms with ISO 27001 and controls applicable to the organisation have been implemented	Controls supporting specific security objectives have been implemented
Assessment method	Independently assessed	Self-assessed	Self-assessed
Outcomes to complete process	Department acceptance of submission deliverables RFFR accreditation	Department acceptance of submission deliverables RFFR accreditation	Department acceptance of submission deliverables RFFR accreditation
Next steps	Address any remaining minor non-conformances Implement remaining applicable controls (if any) Monitor the ISMS	Address any remaining minor non-conformances Implement remaining applicable controls (if any) Monitor the ISMS	Monitor performance of security controls
Due dates	Employment Service Providers - Completed within 9 months from the Deed Commencement Date. Australian Apprenticeships Support Network Providers - Completed within 9 months from the Deed Commencement Date. Other programs – as advised by the Department’s Program Manager Third Party Employment Systems Providers – No required timeframe for completion.	Employment Service Providers - Completed within 9 months from the Deed Commencement Date. Australian Apprenticeships Support Network Providers - Completed within 9 months from the Deed Commencement Date. Other programs – as advised by the Department’s Program Manager Third Party Employment Systems and Skills System Vendors – No required timeframe for completion.	Employment Service Providers - Completed within 9 months from the Deed Commencement Date. Australian Apprenticeships Support Network Providers - Completed within 9 months from the Deed Commencement Date. Other programs – as advised by the Department’s Program Manager

Templates for submission

To assist Providers in completing the accreditation Milestones, standard templates are available for Providers to use.

The use of these templates is mandatory and must be used for RFFR accreditation. Providers cannot use their own modified or tailored version of the SoA, as they will not be accepted as part of the RFFR assessment process.

Templates for a Category 2B Provider submission will be provided by the Department on confirmation of the Provider’s category.

Provider Category	Applicable Milestone	Template
Category 1	Milestone 1	RFFR Questionnaire and Interview
Category 1	Milestone 2 and Milestone 3	ISMS Scope Statement of Applicability
Category 2A	Milestone 1	RFFR Questionnaire and Interview
Category 2A	Milestone 2 and Milestone 3	ISMS Scope Statement of Applicability ISMS Self-assessment report
Category 2B	Milestone 1	RFFR Questionnaire and Interview
Category 2B	Milestone 3	Management assertion letter and abridged Statement of Applicability template will be provided directly on confirmation of Provider category.
TPES Vendor	Milestone 1	RFFR Questionnaire and Interview
TPES Vendor	Milestone 2 and Milestone 3	ISMS Scope Statement of Applicability template will be provided directly on request by TPES Vendors.