Right-Fit-For-Risk (RFFR)
Right-Fit-For-Risk (RFFR) is a cybersecurity compliance framework mandated by the Australian Government for private organisations handling sensitive information. It ensures businesses implement security measures aligned with their risk profile. Providers working with government are categorised into Category 1, 2A, or 2B, each with specific compliance requirements.

Why RFFR Compliance Matters
Securing and maintaining RFFR accreditation is more than just meeting a regulatory obligation—it’s vital for protecting your business and ensuring continued engagement with the Australian Government. Non-compliance can result in serious consequences, such as:
Losing existing government contracts
Being disqualified from future government opportunities
Facing heightened cybersecurity threats and potential data breaches
Suffering reputational harm that can impact long-term business success



Milestone 1 (M1)
Cyber Assured simplifies your RFFR compliance process. We begin by guiding you through the RFFR questionnaire, tailoring responses to fit your organisation’s specific context. Once completed, we handle the submission to the department to determine your provider classification. Acting on your behalf, we also participate in departmental meetings to clarify any points and advocate for your business interests.

Milestone 2 (M2)
Cyber Assured liaises with the Department on your behalf to co-develop your ISMS and supports your organisation in drafting key documents such as the ISMS Scope and the Statement of Applicability using the latest template provided by the department.
RFFR Requirements for Category 1
Submission deliverables
ISMS scope
Statement of Applicability (SoA)
Independent assessor’s Stage 1 report
RFFR Requirements for Category 2A
Submission deliverables
ISMS scope
Statement of Applicability (SoA)
ISMS self-assessment report (conformance)
RFFR Requirements for Category 2B
Milestone 2 does not apply to Category 2B providers, who instead proceed directly to Milestone 3.
Milestone 3 (M3)
Cyber Assured supports you through Milestone 3 by focusing on the hands-on implementation of your ISMS and preparing the documentation required by the department or an independent assessor. Whether you're gearing up for a Stage 2 audit, completing a self-assessment, or submitting final compliance documents, we tailor our approach to meet your specific needs. Our expert guidance helps minimise risk and stress, setting you up for a successful accreditation—no matter your provider category.



Annual Maintenance (AM1 & AM2)
Cyber Assured helps you maintain your RFFR accreditation year after year with proactive, customised support. We act on your behalf to communicate directly with the Department, clarify evolving requirements, and manage all submissions using the latest departmental templates. From audit preparation to self-assessment reporting, we handle the critical documentation, reducing your risk and workload—ensuring continued compliance and a smooth accreditation process for your business.



Re-Accreditation
Re-accreditation is a thorough, three-year renewal process that goes beyond routine annual checks, aiming to confirm that your ISMS has been consistently and effectively maintained. With Cyber Assured as your partner, you benefit from expert support that includes direct engagement with the Department, complete documentation management, and audit preparation. We help reduce your compliance burden and risk—ensuring a smooth, confident path to renewing your accreditation.
RFFR Requirements for Category 1
Submission deliverables
ISMS scope and Statement of Applicability (SoA) – based on the Department’s latest template
ISO 27001 Stage 2 audit report or DESE ISMS Scheme report
ISO 27001 certificate or DESE ISMS Scheme certificate
RFFR Requirements for Category 2A
Submission deliverables
ISMS scope – based on the Department’s latest template
Statement of Applicability (SoA) – based on the Department’s latest template
ISMS self-assessment report – based on the Department’s latest template
RFFR Requirements for Category 2B
Submission deliverables
Management Assertion Letter – based on the Department’s latest template
Updated SoA (abridged) – based on the Department’s latest template
Our Approach to Achieving and Maintaining Your RFFR Accreditation
To simplify the process, we offer structured service tiers aligned with provider categories:
Essential Tier – for Category 2B providers
Professional Tier – for Category 2A providers
Elite Tier – for Category 1 providers
Our services cover everything from documentation to full implementation, supporting providers at any stage of the RFFR journey—regardless of your current milestone.
RFFR compliance is essential for any provider or contractor working with government agencies. It follows a tailored accreditation model based on the international ISO 27001 standard, enhanced with additional controls from the Australian Government’s Information Security Manual (ISM). It also places strong emphasis on meeting the department’s RFFR deed obligations and implementing the ACSC Essential Eight.
Why Partner with Cyber Assured?
We deliver end-to-end RFFR compliance solutions tailored to all provider categories.
Specialist Expertise: Our deep understanding of the RFFR framework allows us to clearly interpret complex requirements and guide you with confidence.
Efficiency & Cost-Effectiveness: We help you avoid delays and costly missteps, streamlining the accreditation process.
All-in-One Service: From consulting and documentation to fully managed technical solutions, we cover every aspect of RFFR compliance.
Confidence & Clarity: With us managing the compliance process, you can focus on your core operations—knowing your accreditation is in expert hands.

Get RFFR Ready Today
Don’t risk losing government opportunities. Let Cyber Assured make compliance simple and stress-free.
