The Disability Trust succeeds on its ISO 27001 and Right Fit For Risk (RFFR) journey with Sekuro.



  • The Trust’s small IT team had a tight deadline to become ISO 27001 certified which included additional Right Fit For Risk requirements.
  • Transition to the funding model of the National Disability Insurance Scheme (NDIS) meant an enterprise-grade IT strategy became a critical priority to cater for the change.
  • The Trust’s cyber security and governance requirements needed to cater for an increase in cyber-attacks against the Disability and Healthcare sectors.
  • Demonstrate alignment with the Australian Government’s Essential Eight cyber maturity framework.



  • Regulatory compliance is being met with ISO 27001 certification and accreditation with the Department of Employment and Workplace Relations’ (DEWR) Right Fit For Risk (RFFR) requirements.
  • Strong partnership with Sekuro ensures the Trust can meet its ongoing cyber security and compliance requirements.
  • The Trust’s Leadership team recognise the importance of organisation-wide cyber security posture.

“Sekuro is really proactive and responsive. The team’s been brilliant in providing us with solutions and meeting our needs for our way forward,”
– Ian Treweek, Head of Information Communications & Technology at The Disability Trust.

The Story

The Disability Trust is an NDIS registered and not-for-profit provider of disability services, committed to providing highly professional care and support to people with disabilities and their families.

Ian Treweek, Head of Information Communications & Technology, oversees 130 sites’ IT as well as The Disability Trust’s Head Office and online presence, which works with more than 1,000 direct support workers. Experiencing a digital skills gap amongst the wider field staff and handling the complex post-transition phase to the NDIS, Treweek’s next frontier was governance: achieving regulatory compliance through ISO 27001 certification and Right Fit For Risk (RFFR).

Beginning with a team of just two staff in late 2018, Ian Treweek was faced with a number of unexpected challenges related to the Trust’s recent move to the NDIS funding model. This shift from a noncompetitive to a competitive funding model dramatically increased the volume of claim transactions being processed each week. This accelerated the need to rapidly migrate to an enterprise-grade architecture resulting in a total redesign of the Trust’s IT architecture – including a move to the cloud.

In the midst of all this disruption and innovation, Treweek was also determined to enhance the cyber security posture of The Disability Trust, despite the limited resources available to him as a not-for-profit organisation. Amongst the 1,000 direct support workers, there was a digital skills gap, and the proliferation of a BYOD policy meant broad cyber security training was, and continues to be, rolled out to all staff.

But Treweek’s work was not yet done. “The first few years here were all about getting the IT foundations under control,” he says. “And we knew we’d have to catch up on Governance by the third year.” With an ISO 27001 certification deadline looming, and additional requirements to the Department of Employment and Workplace Relations’ (DEWR) Right Fit For Risk (RFFR) data handling scheme, Treweek had to select a partner to facilitate this regulatory compliance journey for The Disability Trust.

The Disability Trust

The Disability Trust is committed to providing highly professional care and support to people with disability and their families. Based in NSW, the ACT, Victoria and South East Queensland, The Disability Trust provides a wide range of services to adults and children to support people with disability to live the life they choose.

The Disability Trust has its roots firmly in the community, having been established in 1974 to help children with disabilities and their families in the Illawarra. In recent years, we have grown substantially and now have approximately 1400 permanent and casual staff providing care for more than 4000 clients.

Our Solution for The Disability Trust

Treweek engaged Sekuro when he received the deadline for The Disability Trust’s ISO 27001 certification, which formed part of a broader regulatory compliance partnership between the two organisations.

Additionally, part of the Trust’s mandate is to help people with a disability gain employment, leveraging services sourced from the Australian Government. To do so, the Trust has to be fully compliant with the Government’s data requirements. This involved adherence to the Department of Employment and Workplace Relations’ (DEWR) Right Fit For Risk (RFFR) framework, and demonstrating alignment with the Government’s ‘Essential Eight’ cyber security maturity model.

Sekuro has worked with many organisations to develop their ISMS, act on their behalf at the audit, and guide the primary auditee during the certification audit.

“We would have been drowning underwater without Sekuro to help us through RFFR. We had a strict deadline, and having Sekuro on board accelerated our plans,” says Treweek.


Sekuro worked with the Trust’s team to define and establish their Information Security Management System (ISMS) as a key part of their journey to ISO 27001 certification.

Sekuro extended the initial scope to include the additional 780+ requirements needed for RFFR and its three milestones to certification.

In February 2023, the Trust was successfully accredited under the DEWR’s Right Fit For Risk program, validating the Trust’s commitment to uplifting their information security capability.

Additionally, cyber risk is now included in the Trust’s five design principles within the IT team, delivering an organisation-wide awareness of its cyber security posture.

Sekuro #clientforlife

Sekuro’s GRC team helps you navigate regulatory requirements and industry standards with confidence.

Sekuro consultants improve your GRC maturity by helping to meet and maintain compliance to a broad range of industry standards including ISO 27001, PCI DSS and more. We identify and recommend tailored remediation for any compliance gaps to ensure you have the processes and technology in place to achieve full compliance.
