Home
Case Studies
About Us
Contact Us

Right-Fit-For-Risk (RFFR)

Right-Fit-For-Risk (RFFR) is a cybersecurity compliance framework mandated by the Australian Government for private organisations handling sensitive information. It ensures businesses implement security measures aligned with their risk profile. Providers working with government are categorised into Category 1, 2A, or 2B, each with specific compliance requirements. 
GET RFFR Consulting READY TODAY

Why RFFR Compliance Matters 

Securing and maintaining RFFR accreditation is more than just meeting a regulatory obligation—it’s vital for protecting your business and ensuring continued engagement with the Australian Government. Non-compliance can result in serious consequences, such as: 
Losing existing government contracts 
Being disqualified from future government opportunities 
Facing heightened cybersecurity threats and potential data breaches 
Suffering reputational harm that can impact long-term business success 

Book a Free Consultation

    Milestone 1 (M1)

    Cyber Assured simplifies your RFFR compliance process. We begin by guiding you through the RFFR questionnaire, tailoring responses to fit your organisation’s specific context. Once completed, we handle the submission to the department to determine your provider classification. Acting on your behalf, we also participate in departmental meetings to clarify any points and advocate for your business interests. 

    Milestone 2 (M2)

    Cyber Assured liaises with the Department on your behalf to co-develop your ISMS and supports your organisation in drafting key documents such as the ISMS Scope and the Statement of Applicability using the latest template provided by the department. 

    Submission deliverables 

    ISMS scope 
    Statement of Aplicability (SoA) 
    Independent assessor’s Stage 1 report 

    RFFR Requirements for Category 1

    Submission deliverables 

    ISMS scope 
    Statement of Aplicability (SoA) 
    ISMS Self-assessment report (conformance) 

    RFFR Requirements for Category 2A

    Submission deliverables 

    Does not apply to category 2B providers who instead proceed directly to Milestone 3. 

    RFFR Requirements for Category 2B

    Milestone 3 (M3)

    Cyber Assured supports you through Milestone 3 by focusing on the hands-on implementation of your ISMS and preparing the documentation required by the department or an independent assessor. Whether you're gearing up for a Stage 2 audit, completing a self-assessment, or submitting final compliance documents, we tailor our approach to meet your specific needs. Our expert guidance helps minimize risk and stress, setting you up for a successful accreditation—no matter your provider category. 

    Annual Maintenances (AM1 & AM2)

    Cyber Assured helps you maintain your RFFR accreditation year after year with proactive, customised support. We act on your behalf to communicate directly with the Department, clarify evolving requirements, and manage all submissions using the latest departmental templates. From audit preparation to self-assessment reporting, we handle the critical documentation, reducing your risk and workload—ensuring continued compliance and a smooth accreditation process for your business. 
     

    Re-Accreditation

    Re-accreditation is a thorough, three-year renewal process that goes beyond routine annual checks, aiming to confirm that your ISMS has been consistently and effectively maintained. With Cyber Assured as your partner, you benefit from expert support that includes direct engagement with the Department, complete documentation management, and audit preparation. We help reduce your compliance burden and risk—ensuring a smooth, confident path to renewing your accreditation. 

    Submission deliverables 

    ISMS scope and  (SoA) – Based on Department’s latest template 
    ISO27001 stage-2 audit report or DESE ISMS Scheme report 
    ISO27001 certificate or DESE ISMS Scheme certificate

    RFFR Requirements for Category 1

    Submission deliverables 

    ISMS scope - Based on Department’s latest template 
    Statement of Applicability (SoA) - Based on Department’s latest template 
    ISMS Self-assessment report - Based on Department’s latest template 

    RFFR Requirements for Category 2A

    Submission deliverables 

    Management Assertion Letter - Based on Department’s latest template 
    Updated SoA (abridged) - Based on Department’s latest template 

    RFFR Requirements for Category 2B

    Our Approach to Achieving and Maintaining Your RFFR Accreditation 

    To simplify the process, we offer structured service tiers aligned with provider categories:
    Essential Tier – for Category 2B providers
    Professional Tier – for Category 2A providers
    Elite Tier – for Category 1 providers
    Our services cover everything from documentation to full implementation, supporting providers at any stage of the RFFR journey—regardless of your current milestone.
    RFFR compliance is essential for any provider or contractor working with government agencies. It follows a tailored accreditation model based on the international ISO 27001 standard, enhanced with additional controls from the Australian Government’s Information Security Manual (ISM). It also places strong emphasis on meeting the department’s RFFR deed obligations and implementing the ACSC Essential Eight. 
    GET RFFR Consulting READY TODAY

    Why Partner with Cyber Assured? 

    We deliver end-to-end RFFR compliance solutions tailored to all provider categories. 
    Specialist Expertise: Our deep understanding of the RFFR framework allows us to clearly interpret complex requirements and guide you with confidence.
    Efficiency & Cost-Effectiveness: We help you avoid delays and costly missteps, streamlining the accreditation process. 
    All-in-One Service: From consulting and documentation to fully managed technical solutions, we cover every aspect of RFFR compliance. 
    Confidence & Clarity: With us managing the compliance process, you can focus on your core operations—knowing your accreditation is in expert hands. 
    Get RFFR Ready Today

    Don’t risk losing government opportunities. Let Cyber Assured make compliance simple and stress-free.

    Contact us today for RFFR Consulting

    Services

    RFFR Overview
    Managed RFFR Solution
    Managed security awareness training
    Cyber Threat & Risk Assessment

    Additional Info

    Phone: 03 - 7042 3043
    Email: info@cyberassured.com.au
    Business Hours: 
    Mon-Fri, 8:00 AM – 6:00 PM
    location: Melbourne, Victoria – 3338, Australia

    Learn

    Resource
    Blogs
    Case Studies

    Privacy Policy

    Terms of Service
    Cookie Policy
    Visit our FacebookVisit our Twitter
    crossmenucheckmark-circle linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram