A Dummy’s Guide To Right Fit For Risk (RFFR)

The Right Fit for Risk (RFFR) program was originally created and accredited by the Department of Education, Skills and Employment (DESE) in 2019 as part of its External Systems Assurance Framework (ESAF). However, as of July 2022, DESE is now known as the Department of Education and the RFFR program has been shifted to a new department, the Department of Employment and Workplace Relations (DEWR).

More specifically, the scope of this certification scheme is to ensure providers comply with DESE’s contractual requirements for information security, i.e., the Statement of Applicability (SoA) for providers’ Information Security Management Systems (ISMS) under the RFFR accreditation approach. This is a component of DESE’s External Systems Assurance Framework (ESAF), through which the department seeks assurance over its service providers’ security posture. Further, the ESAF aims to cover the delivery of services by the provider, and the storage, processing and communication of related data and records supporting the program.

The objective of the RFFR scheme is to supplement the minimum (baseline) requirements of ISO/IEC 27001 with the specific and evolving legal, security and technical requirements for the providers’ ISMS as part of the certification standard. Additionally, the scheme requires the SoA to include the applicable controls listed in the Australian Government’s Information Security Manual (ISM). Because of this significant increase in the number of controls, an RFFR assessment requires more effort to implement and monitor controls than a baseline ISO/IEC 27001 assessment.

The Problem that Sekuro’s RFFR Service Solves

If you are a provider of contracted private employment services engaged by DEWR, or a service organisation that stores, processes or transmits any kind of employment, skills, training or disability employment data, Sekuro can help you ensure that government-owned data is securely held on your systems according to DEWR’s requirements.

Further to this, RFFR reinforces a positive security culture, provides supporting documentation to meet legal and compliance challenges, assists with risk management and improves your overall security posture.

Sekuro offers a range of RFFR services, from end-to-end assistance to get you certified, through posture assessments and internal audits, to broad advisory services tailored to your needs.

Key benefits:

  • Manage security risks and continually improve your security.
  • Contractual compliance with DEWR’s requirements and the detailed controls described in the Australian Government’s ISM and ISO/IEC 27001 Annex A.
  • Ongoing data protection and security commitment to customers by ensuring a strategic and risk-based approach towards technology, people and processes.
  • Ensuring compliance with best practices whilst incorporating the principles of Confidentiality, Integrity and Availability.
  • Improved prevention and detection of cyber security attacks through implementation of security controls.
  • Fostering workplace confidentiality and improved culture by integrating systems together.

What do you need to prepare for RFFR ISMS certification?

At Sekuro, our trained Security Consultants will assist you at every step of the process: setting up your compliance framework, developing your SoA, assessing your information security risks, and guiding you through the implementation of the controls by hosting workshops and transferring knowledge to your key stakeholders.

Our methodology includes identifying the strengths and weaknesses in your information security implementation and mapping them to your RFFR ISMS goals and compliance requirements.

What is the certification process?

Sekuro’s auditors will examine your systems and supporting documentation to ensure your organisation’s RFFR ISMS is compliant with ISO/IEC 27001.

Once the implementation requirements are met, your organisation can be certified via accredited external certification bodies.


Sita Bhat

Sita Bhat is a Managing Consultant at Sekuro and leads the IRAP team across various states, working with numerous global tech giants. Sita is passionate about sharing her skills and knowledge, and championed the first Governance, Risk and Compliance (GRC) related stream inside Sekuro's Hackcelerator program.