The DESE ISMS Scheme – A Quick Overview
The Department of Education, Skills and Employment’s (DESE, ‘the Department) new Information Security Management Scheme calls for all providers of employment skills, training, and disability employment services to gain ISO27001 and Right Fit for Risk accreditation.
The objective of this scheme is to ensure that providers are in compliance with the Departments contractual and legal obligations. These obligations aim to ensure the department’s IT environment and confidential data are being managed responsibly via an Information Security Management System (namely, ISO 27001 and the Australian Governments Information Security Manual).
Recognising the baseline requirements of ISO 27001 do not entirely cover the specific and evolving legal requirements for providers, the Department has introduced several new mitigation strategies to bridge these security gaps. These new requirements are referred to as ‘Right Fit for Risk’.
Right Fit for Risk does not undermine or diminish the existing standards for ISO 27001, but rather supplements the baseline requirements to create an Information Security Management System that is specific to the needs and obligations of the Department’s providers.
Under the RFFR, providers with a caseload larger than 2000+ per annum are required to attain certification to the Department’s contractual requirements Statement of Applicability. Certification allows organisations to tender for deeds and provides assurance that government data and personal information is handled securely.
What is ISO 27001?
The gold standard of Information Security Management Systems is ISO 27001, which is recognised globally and covers 114 security control methods. This ISMS contains all the resources, systems, tools, policies, controls, communication protocols and processes that manage information security in an organisation.
As mentioned, the Department has recognised that there are requirements specific to their providers. Specifically, the DESE ISMS Scheme calls for all providers to implement the clauses in Annex A of ISO 27001 (in other circumstances, these clauses can be omitted at the discretion of the organisation). Otherwise, the ISO 27001 certification process is the same for both providers under this scheme and other businesses.
Accreditation for ISO27001 can be an arduous and time-consuming process, but the benefits of gaining certification are ultimately worth the hassle. On top of securing your organisation’s data and systems, becoming ISO 27001 accredited can open new market opportunities by demonstrating your commitment to protecting customer and client information.
What is RFFR?
The DESE Information Security Management Scheme customises the baseline requirements of ISO 27001 with additional controls set by the Australian Government’s Information Security Manual (ISM).
The scheme, as mentioned, incorporates all the baseline requirements of ISO 27001, HOWEVER you must also develop a Statement of Applicability that considers the specific security risks and needs of your organisation, and the applicability of controls outlined in the Australian Information Security Manual.
Your Statement of Applicability should address RFFR core expectations, such as the Australian Cyber Security Centre’s Essential Eight strategies, personnel security, and data sovereignty.
What is a Statement of Applicability?
As part of the Right Fit for Risk and DESE ISMS Scheme, organisations are required to submit a Statement of Applicability (SOA).
The SOA is a central document that outlines and defines how your organisation has implemented information security. In order to prepare your SOA, you should start off by listing the controls from the Australian Governments Information Security Manual and determine whether they are applicable; which risk or business requirement drives it; and how it will be implemented.
The Right Fit for Risk DESE ISMS Scheme Accreditation Process
The Department is the accrediting authority for this scheme; thus, organisations are required to check in at 3 milestone points throughout the accreditation process.
Business Maturity Assessment
Milestone 1 determines how your organisation uses information and manages security. The initial maturity of your organisation’s information security is assessed against the ASD Essential Eight maturity model.
You should work closely with DESE through this process as the Department will provide the guidance and approach needed to advance to further milestones.
Statement of Applicability and ISO 27001 Accreditation
Milestone 2 requires the implementation of a customised Information Security Management System PLUS full accreditation of ISO 27001.
This means that in addition to the 114 annex A controls in ISO 27001, your scope should incorporate the controls defined in the Australian Governments Information Security Manual.
You must also submit a Statement of Applicability that, as previously mentioned, determines whether controls in the ISM are applicable to your organisation and how you have implemented these controls.
Tips for achieving this milestone:
- Perform a gap analysis to highlight areas where your information security controls are inadequate
- Perform a threat/risk assessment to identify risks and validate whether the solutions you have already implemented are working as intended
- List the controls in the Australian Governments ISM and justify your reasons for applying or not applying them into your ISMS. If you do not have a justifiable reason for not implementing a certain control, you should consider taking the steps to implement it
- Employ the services of a Managed Service Provider to assist with ISO 27001 implementation. While oftentimes costly, an MSP will speed up the accreditation process exponentially (sometimes by up to 6-12 months)
To pass milestone 3 you’ll need to demonstrate the effective implementation of the ISMS and applicable controls. Ensure you have incorporated the RFFR requirements into your ISMS and scope and taken all the ISM controls into consideration. You should also make your certification body aware of the customised nature of the ISO 27001 certification so you can gain the appropriate accreditation.