Right Fit for Risk (RFFR) ISMS Consulting

Practical ISMS preparation for RTOs and employment service providers.

The Department of Employment and Workplace Relations (DEWR) Right Fit for Risk (RFFR) framework requires funded providers to implement and maintain an Information Security Management System (ISMS) that meets the DEWR ISMS scheme requirements. Meeting those requirements to the satisfaction of a DEWR assessor takes more than good intentions and a folder of policies.

Assurance Bureau helps RTOs and employment service providers understand their current state, close gaps, and walk into their DEWR assessment with confidence.

What is the RFFR ISMS Scheme?

The RFFR framework is a DEWR initiative requiring providers in receipt of Commonwealth employment and skills funding to demonstrate they manage information security risk in a way that protects the data they handle on behalf of government. Providers are subject to independent assessment against the DEWR ISMS scheme requirements, which draw on ISO/IEC 27001 and the Australian Signals Directorate Information Security Manual (ASD ISM) controls.

Certification is conducted by DEWR-engaged assessors. Our role is to make sure you are ready before they arrive.

Our services

  • RFFR ISMS Gap Assessment - a structured assessment of your current ISMS against the DEWR scheme requirements, identifying gaps and priorities

  • Advisory and Uplift - hands-on support to develop or strengthen your ISMS documentation, policies, controls, and processes to meet scheme requirements

  • RFFR Internal Audit - an independent internal audit of your ISMS against the scheme requirements, producing a findings register to support management review and pre-assessment remediation

  • Remediation Support - targeted assistance addressing findings raised during Stage 1 and Stage 2 audits and milestone assessments

Who this is for

  • RTOs and employment service providers preparing for initial RFFR ISMS assessment

  • Providers who received findings at Stage 1 and need support before Stage 2

  • Providers approaching surveillance assessment and wanting independent assurance of their current state

  • Providers who have implemented controls informally and want a structured review before their assessor arrives

Why Assurance Bureau

  • Hands-on experience supporting a Category 1 DEWR-funded provider

  • Direct familiarity with DEWR assessor expectations and the practical realities of scheme compliance

  • ISO 27001:2022 Lead Auditor and Senior Lead Implementer credentials underpinning our assessment methodology

  • Independent advisory with no conflict of interest

Get in touch

Ready to prepare for your RFFR ISMS assessment? Contact us to discuss your situation and arrange a no-obligation scoping conversation.