Requirements for Information Security Management Systems (ISMS) Certification for contracted employment service providers.
What is DESE ISMS Scheme?
The Department of Education, Skills and Employment (DESE) Information Security Management System (ISMS) Scheme is specifically targeted for the providers of contracted private employment services, who DESE engage with to assist job seekers for preparing and securing the jobs. This certification aims at ensuring the providers are compliant with DESE’s contractual requirements (Statement of Applicability, SoA) under the Right Fit for Risk (RFFR) accreditation approach. RFFR is a component of DESE’s External Systems Assurance Framework (ESAF) that ensures system files and confidential data is secured, stored and managed responsibly in non-departmental ICT environments.
To distinguish the DESE ISMS Scheme from other ISMS, the term “RFFR ISMS” is used.
The most significant difference between ISO 27001 certification and RFFR certification is that RFFR certification requires the Statement of Applicability to include the controls listed in the Australian Government’s Information Security Manual (ISM). That significant workload means the mandatory audit duration is significantly more than what is required for ISO 27001 certification.
This Scheme does not undermine the existing standards for ISMS auditing and certification, rather it supplements the baseline requirements of ISO 27001 with the emerging and evolving legal requirements as part of certification. This certification is mandatory for providers who service more than 2,000 end users per annum.
How to prepare for RFFR ISMS certification
When you apply for RFFR ISMS certification of your Information Security Management System, our auditors will be examining your systems and supporting documentation.
Some of the requirements you will need to satisfy are described below.
RFFR ISMS requires organisations to:
- identify information security risks
- understand external & internal issues, and interested parties, relevant to information security
- develop an Information Security Policy – typically one page document declaring commitment to information security
- develop a Statement of Applicability, documenting the assessment of identified information security risks and establishing controls (risk treatment) based on reference controls list at Annex A of ISO 27001, the Australian Cyber Security Centre’s essential eight strategies to mitigate cyber security incidents and the controls listed in the Australian Government’s ISM
- develop an ISMS or Management Manual – addressing the clauses of ISO 27001; often integrated with the Manual for other management systems
- develop procedures –– instructions required to address information security
- control any outsourcing of information management
- develop and monitor information security objectives and targets
- embrace information security risks and opportunities throughout the business
- ensure staff are competent and understand their information security responsibilities
- monitor information security performance
- control information security breaches and other nonconformances, and take corrective action for significant or repetitive nonconformances
- conduct internal audits of the information security management system
- ensure senior management strategically review the information security management system.
RFFR ISMS documentation requirements are:
- current service contract with DESE
- Information Security Policy
- Cyber Security Strategy
- System Security Plan - ISMS or Management Manual and Procedures
- Statement of Applicability
- Improvement Plan (monitoring information security objectives and targets)
- Incident Response Plan - data breach or other ISMS related incident declaration & response action
- Continuous Monitoring Plan
- Self-assessment against RFFR.
Benefits of DESE ISMS Certification
- contractual compliance with DESE
- compliance to detailed controls as described in Australian Government’s ISM and ISO 27001 controls.
- demonstrated due diligence by meeting regulatory and customer requirements
- ongoing commitment to consumers by strategic focused approach towards IT infrastructure, people and different processes
- meeting tender requirements and stand out from the competition
- ensure compliance with best practices and principles of cybersecurity (Confidentiality, Integrity and Availability of data)
- reduced risk of fraud, information loss and disclosure
- increased resilience to cyber-attacks through early detection of breaches and incidents
- ensured workplace confidentiality and improved company culture easily integrated with other management systems.
Why be certified by TQCSI?
TQCSI is the world’s largest JAS-ANZ accredited certification body, providing auditing and certification of international management system standards. We have offices across the globe, allowing us to offer an affordable service delivered by local experts.
We have certified thousands of businesses of all sizes across all industries to the ISO management system standards. Our proven system of certification is easy, efficient and cost-effective, no matter what industry you're in or how big or small your business is.
If you'd like to transfer your certification from another certifying body, we make that easy for you too. Finally, we walk the talk – our JAS-ANZ accreditation to ISO 17021-1 is based on the ISO Standards and, specifically, ISO 9001.
Let’s get started!
Don't wait until your Management System is in place. Contact us today to ensure a smooth path to certification.
Contact your TQCSI Office to discuss your requirements or apply online here. Just tell us what your business does and how many employees you have.
Find my local TQCSI Office.
Our RFFR ISMS certification marks are recognised Australia-wide. Once certified, you can proudly display the certification mark to promote your RFFR ISMS certification.