FAQs for Right-Fit-For-Risk
What is RFFR and do I need to comply?
The RFFR Journey: Milestones and Requirements
Understanding Provider Categories
How We Help at Each Stage
RFFR, or Right Fit for Risk, is a cybersecurity accreditation framework used by the Australian Government. It is designed to ensure that contracted providers handling government data have robust information security systems in place. The framework is based on the international standard ISO 27001 and incorporates requirements from the Australian Government's Information Security Manual (ISM).
RFFR accreditation is mandatory for any provider or third-party vendor with a contract to deliver services for the Government (e.g., the Department of Employment and Workplace Relations (DEWR)). This includes Employment Services Providers and other contracted parties who handle sensitive government data.
The RFFR process is divided into key stages:
Initial Accreditation (Milestones 1-3): This is the initial process to get accredited.
Annual Maintenance (AM1 & AM2): Annual reviews to maintain your accreditation status.
Triennial Re-accreditation: A comprehensive renewal process that occurs every three years.
The Department classifies providers into three categories—Category 1, 2A, and 2B—based on your risk profile, which is often tied to your annual caseload and IT environment.
Category 1: Typically for providers with a high annual caseload (2,000 or more clients).
Category 2A & 2B: For providers with a lower caseload (fewer than 2,000 clients). The specific sub-category (2A or 2B) is determined by other risk factors such as your level of outsourcing and IT security maturity.
Your category dictates the specific documentation and level of assurance required at each stage. We will help you understand your category and its requirements.
We guide you through all three milestones.
Milestone 1: we help you complete the RFFR questionnaire and act as your representative to determine your provider category.
Milestone 2: we assist in designing your ISMS and producing critical documents like the ISMS Scope and Statement of Applicability (SoA).
Milestone 3: we provide hands-on support for implementing your ISMS, preparing for audits (for Cat 1), and completing self-assessment reports (for Cat 2A) to ensure a successful final submission.
The annual maintenance stages require you to demonstrate that your ISMS is continuously operational and compliant.
For Cat 1: We prepare you for the annual surveillance audit and assist with assessor liaison.
For Cat 2A: We help you complete the annual ISMS self-assessment report, identifying any new gaps and helping you address them.
For Cat 2B: We simplify the process of submitting the required Management Assertion Letter and updated SoA.
For All Categories: We directly engage with the Department to clarify requirements, ensuring your submission is flawless and on time.
Re-accreditation is a comprehensive review every three years. We provide end-to-end support for this intensive process.
For Cat 1: We prepare you for the full re-certification audit, assisting with documentation updates and assessor liaison to ensure you get recertified.
For Cat 2A: We guide you through the process of completing a fresh, in-depth ISMS self-assessment report and gathering all necessary evidence of continued conformance.
For Cat 2B: We help you prepare and submit the necessary Management Assertion Letter and updated SoA.
The Right Fit For Risk (RFFR) approach classifies Providers and Subcontractors into categories to obtain accreditation.
Category One: Providers and Subcontractors delivering Services to 2,000 or more individuals per annum across all their Deeds. Third Party Employment and Skills (TPES) System vendors obtaining accreditation are also classified as Category One.
Category Two: Providers and Subcontractors delivering Services to fewer than 2,000 individuals per annum across all their Deeds. This category includes two sub-categories, referred to as "Category 2A" and "Category 2B" below.
When determining whether a Provider is in Category 2A or 2B, the Department will consider a range of risk factors including the:
IT environment
level of outsourcing
subcontracting arrangements
organisational structure
level of security maturity
extent of sensitive information held and level of access to departmental systems
other relevant factors.
Timelines vary by category and readiness, but we streamline the process to meet deadlines.
Category 1 providers typically require ISO 27001 or DESE ISMS certification. We guide you through the entire process.
