April 11

Right Fit For Risk (RFFR)


If you’re an Australian not-for-profit that provides employment services, or you are a deed holder, then the #RFFR accreditation may apply to you.

If #RFFR sounds daunting or you are partially there but need help, then keep reading.

The RFFR framework consists of several components, including the RFFR ISMS Scope, RFFR Statement of Applicability, RFFR Questionnaire, ISMS Self-assessment report, and RFFR Core Expectations.

Together, these components help you identify and prioritize your information security risks and develop a tailored security program that meets your needs. The RFFR framework has a lot to offer, and if you’re curious about it, you’re only a few sentences away from finding out more!

In this blog post, we’ll discuss the three critical milestones of the RFFR process. We will also show you how the framework can help you improve your organization’s information security posture.

Let’s get into it right away!

What is the Right Fit For Risk (RFFR) framework?

The Right Fit for Risk (RFFR) framework is an accreditation scheme developed by the Department of Education, Skills, and Employment (DESE) in 2019.

It’s aimed at providers of contracted private employment services who work with DESE to help job seekers prepare for and secure jobs.

This initiative ensures that government-owned data, including personal records of participants and other sensitive information, is kept safe on the provider’s IT systems. Specifically, the RFFR framework is designed to ensure that all providers, including third-party providers, comply with DESE’s contractual requirements for information security.

Providers must create a Statement of Applicability (SoA) for their Information Security Management Systems (ISMS) to receive RFFR accreditation. The SoA outlines which security controls apply to the provider’s organization. It also ensures that they have a comprehensive plan in place to manage potential information security risks.

The RFFR framework is built around the Essential Eight cyber security strategies, a set of recommended security measures developed by the Australian Cyber Security Centre. These strategies help providers assess their level of risk and determine which security measures are most vital for them to implement.

Another essential component of the RFFR framework is the ISMS Scope. This document defines the scope of your information security management system (ISMS) and helps you to establish the boundaries for your security program.

You can be confident that you are implementing the right level of security to protect your clients’ data by using the RFFR framework. The framework also helps you comply with DESE’s contractual requirements.

It provides a cost-effective and tailored solution to managing your information security risks. This ensures that you’re not overspending on unnecessary security measures while still protecting your business against potential threats.

The RFFR framework is a powerful tool that can help you achieve your goals as a provider of contracted private employment services in Australia. This is particularly true if you want to ensure you meet DESE’s information security standards.

How to Prepare for RFFR ISMS Certification?

If you plan to get RFFR ISMS certification for your Information Security Management System, you must be prepared for the auditors to review your systems and documentation.

To meet the RFFR ISMS requirements, you must identify information security risks and understand both internal and external issues.

You must create an Information Security Policy that declares your organization’s commitment to information security.

You’ll also need to develop a Statement of Applicability that includes the assessment of identified information security risks, and establish controls based on the reference controls list in Annex A of ISO 27001 (ISO 27001:2013), the Australian Cyber Security Centre’s Essential Eight strategies to mitigate cyber security incidents, and the controls listed in the Australian Government’s ISM.

To comply with RFFR ISMS, you’ll need to develop an ISMS or Management Manual that addresses the clauses of ISO 27001:2013. This manual can be integrated with other management systems.

Additionally, your documented procedures should set out the instructions required to address information security. You’ll need to control any outsourcing of information management and ensure your staff understand their information security responsibilities.

Furthermore, you’ll need to monitor your information security performance, manage breaches and non-conformances, and conduct internal audits of the information security management system.

What documents do you need?

In terms of documentation, RFFR ISMS requires you to have the following:

1. Statement of Applicability.

2. A self-assessment against RFFR.

3. System Security Plan (ISMS or Management Manual and Procedures).

4. A current service contract with DESE.

5. An Information Security Policy.

6. A Cyber Security Strategy.

7. A Continuous Monitoring Plan.

8. An Improvement Plan for monitoring information security objectives and targets.

9. An Incident Response Plan for data breaches or other ISMS-related incidents.

Achieving RFFR certification can be complex, so consider seeking the help of a cybersecurity consultant. They will guide you through the process and help you prepare for the assessment.

RFFR has three milestones, which are used to assess the organization’s cyber security posture. They combine ISO 27001:2013 and the Australian Government Information Security Manual (ISM). They are:

Milestone 1 – Business Maturity Assessment

This milestone is an evaluation of your organization’s current level of maturity when it comes to information security. The assessment is done against the Australian Signals Directorate (ASD) E8 (Essential 8) maturity model, widely recognized as a leading standard for information security management.

It’s important to note that this assessment isn’t something you should tackle alone.

Collaborating with the Department of Education, Skills, and Employment (DESE) is crucial. This ensures you follow the right approach and guidelines during the Business Maturity Assessment.

Also, the results of this assessment will provide the necessary feedback. This feedback will inform the guidance and approach required to transition to the next milestone successfully.

Milestone 2 – ISO 27001 Compliance and Statement of Applicability

To achieve this milestone, your organization must implement a customized Information Security Management System (ISMS). This ISMS should align with the requirements of the ISO 27001 standard.

Your organization must also create a Statement of Applicability (SoA). This SoA acts as a checklist for the 114 security controls designed to address specific risks to your organization. Clause 6.1.3 of the ISO 27001 standard notes the need for the SoA. It outlines which of the 114 controls your organization has chosen to implement and which controls you have deemed not applicable to your particular context.

Milestone 3 – Demonstrate RFFR Accreditation

The RFFR Accreditation is the final milestone you may want to, or must, achieve in the framework. Accreditation depends on the category allocated by the department, which assigns it based on the initial RFFR questionnaire submission.

To get there, you must ensure that you’ve incorporated all the RFFR requirements into your RFFR ISMS scope. You must also consider all the necessary Information Security Manual (ISM) controls.

You may also need to ensure that your certification body knows the customized nature of the ISO 27001 certification you require.


The Right Fit for Risk (RFFR) framework provides organizations with a structured approach to managing information security risks based on their unique context.

By using this framework, you can ensure that your information security controls are aligned with your business objectives.

Plus, you can achieve a higher level of risk assurance. Implementing RFFR can be a complex process, however, and Forde Consulting can provide valuable support.

At Forde Consulting, our team of experts will guide you through the RFFR accreditation process. We will help you set up your compliance framework, develop your Statement of Applicability, and assess your information security risks. We’ll also guide you through implementing the controls by hosting workshops and transferring knowledge to your key stakeholders.

With our methodology, we can identify the strengths and weaknesses in your information security implementation. We can then map them to your RFFR ISMS goals and compliance requirements.

We believe that every organization, regardless of its size or sector, deserves to have a robust and effective information security program. By partnering with Forde Consulting, non-profit organizations can achieve just that.

The certification process we provide involves having Forde’s auditors examine your systems and supporting documentation. This examination is to ensure your organization’s RFFR ISMS is compliant with ISO 27001 as well as meeting the ISM requirements and Essential 8 requirements.

Once your implementation requirements are met, your organization can be certified via accredited external certification bodies should you choose to do so.
