Right Fit For Risk & ISO 27001

Become Right Fit for Risk (RFFR) & ISO 27001 accredited, address compliance risks, and secure your organisation’s endpoint devices/users in Microsoft 365 with eStorm’s RFFR & ISO 27001 Risk & Compliance Assessment.


Fast-track the DESE Right Fit for Risk & ISO 27001 Process with eStorm Australia

ISO 27001 is the globally recognised standard for an information security management system (ISMS), and certification against it is becoming increasingly important for businesses in every industry. ISO 27001 certification sets your organisation apart from other businesses, proving that it is committed to the development, improvement and protection of its information and sensitive data.

Right Fit for Risk builds on the foundations of ISO 27001, covering essential mitigation strategies for the storage, processing or communication of data related to delivering employment services and digital information, including data and records supporting the program.


Achieving RFFR Certification can be an overwhelming, time-consuming and frustrating experience.
We can change that.
ISMS Experts

We’re dedicated to getting your organisation to the finish line no matter the obstacles. Fast-track your DESE ISMS scheme accreditation and build lasting effectiveness of your information security management system.


ISMS and RFFR certification can be an overwhelming, time-consuming and frustrating experience. We can change that. We have helped dozens of NFPs across Australia achieve RFFR certification as seamlessly and painlessly as possible.

Complete Support

From consulting to implementation, eStorm Australia will provide tailored support to achieve your certification and compliance goals no matter where you are in your Right Fit for Risk DESE ISMS Scheme journey.


Our ISMS road map is efficient, strategic, and tailored to your organisation. We promise to give you the confidence that your project is compliant with DESE’s standards and ready to seek official certification.

Right Fit for Risk & ISO 27001 Services

eStorm Australia offers a host of Right Fit for Risk (RFFR) and ISO 27001 services, ranging from complete end-to-end implementation to get you certified, to posture assessments, internal audits and broad advisory services tailored to your organisation.

Cyber Security Assessment/Audit

We dive into your organisation's security practices to highlight any areas where your security controls are inadequate and determine how they map to your RFFR accreditation. The cyber security assessment will identify risks in your IT and information security, such as user risk and endpoint health, while also defining your current security posture and maturity.

Furthermore, the cyber security assessment highlights gaps or weaknesses in your security processes. This helps us to determine and prioritise control methods which need immediate implementation.

Compliance Strategy & Consulting

Through our extensive experience helping organisations solve their information security management challenges, we understand that one size does not fit all. We will work with your business leaders to create a collaborative partnership that ensures we understand the ins and outs of your organisation.

This understanding means we can create a compliance and implementation strategy that puts you on the fastest path to certification with the least disruption to your daily operations.

Auditing & Statement of Applicability

Our accreditation audit will give you the confidence that your project is RFFR compliant and ready to seek official certification. We will also assess the applicability of the security controls outlined in the Australian Government's Information Security Manual (ISM) and implement the controls that are suitable for your organisation.

This then leads the way to preparing a Statement of Applicability that will meet the requirements of the DESE ISMS scheme.

Implementation & Microsoft Security

It's vitally important that you implement the security controls in a way that aligns with the requirements for certification. Our partnerships with major technology vendors mean we can establish flexible solutions and software that are appropriate for your business.

By following Microsoft's 'Zero Trust' security model, we leverage Microsoft security solutions that expedite compliance with the control methods outlined in ISO 27001 and RFFR. Once we have determined which Microsoft security solutions are applicable to your business we will deploy them accordingly.


Get started on your Right Fit for Risk certification today

The Government's Right Fit for Risk (RFFR) DESE ISMS scheme calls for all providers of employment skills, training, and disability employment services to gain ISO 27001 certification. Failure to achieve accreditation could result in the loss of future tenders and funding for your organisation.

eStorm Australia provides targeted support to help you achieve certification as painlessly as possible. No matter where you are in your ISO 27001 and RFFR journey, we can assist in building a path to accreditation with the least resistance.

Achieve Right Fit for Risk certification on time, with all the security benefits

eStorm will assist you with obtaining contractual compliance with DESE's ISMS scheme by:

  • Identifying and understanding your full security maturity and posture
  • Identifying risks posing a threat to your organisation and objectives
  • Selecting the security controls applicable for your business
  • Preparing your Statement of Applicability
  • Building ongoing effectiveness of your ISMS
  • Achieving ISO 27001 compliance
  • Selecting the right suite of Microsoft security tools to aid in the implementation of your ISMS

What is RFFR & the DESE ISMS Scheme?

For most Not-For-Profits, the realm of Information Security Management Systems is foreign, confusing and overwhelming. That's why we've created a blog post outlining the hows and whys of RFFR and the DESE ISMS Scheme.

The blog post covers topics like:

  • What is Right Fit for Risk?
  • What is ISO 27001?
  • What is the DESE ISMS Scheme?
  • What is a Statement of Applicability?
  • The RFFR accreditation process

What is the DESE ISMS Scheme?

The Department of Education, Skills and Employment's (DESE) new Information Security Management Scheme calls for all providers of employment skills, training, and disability employment services to gain ISO 27001 and Right Fit for Risk accreditation.

The objective of this scheme is to ensure that providers comply with the Department's contractual and legal obligations. These obligations aim to ensure the Department's IT environment and confidential data are managed responsibly via an Information Security Management System (namely, ISO 27001 and the Australian Government's Information Security Manual).

The gold standard for Information Security Management Systems is ISO 27001, which is recognised globally and covers 114 security control methods. An ISMS encompasses all the resources, systems, tools, policies, controls, communication protocols and processes that manage information security in an organisation.

As mentioned, the Department has recognised that there are requirements particular to their providers. Specifically, the DESE ISMS Scheme calls for all providers to implement the clauses in Annex A of ISO 27001 (in other circumstances, these clauses can be omitted at the discretion of the organisation). Otherwise, the ISO 27001 certification process is the same for both providers under this scheme and other businesses.

Accreditation for ISO 27001 can be an arduous and time-consuming process, but the benefits of gaining certification are ultimately worth the effort. On top of securing your organisation's data and systems, becoming ISO 27001 accredited can open new market opportunities by demonstrating your commitment to protecting customer and client information.

The DESE Information Security Management Scheme customises the baseline requirements of ISO 27001 with additional controls set by the Australian Government’s Information Security Manual (ISM).

The scheme, as mentioned, incorporates all the baseline requirements of ISO 27001; however, you must also develop a Statement of Applicability that considers the specific security risks and needs of your organisation, and the applicability of the controls outlined in the Australian Government's Information Security Manual.

Your Statement of Applicability should address RFFR core expectations, such as the Australian Cyber Security Centre’s Essential Eight strategies, personnel security, and data sovereignty.

As part of the Right Fit for Risk and DESE ISMS Scheme, organisations are required to submit a Statement of Applicability (SOA).

The SOA is a central document that outlines and defines how your organisation has implemented information security. To prepare your SOA, start by listing the controls within the Australian Government's Information Security Manual and, for each one, determine whether it is applicable, which risk or business requirement drives it, and how it will be implemented.

The Department is the accrediting authority for this scheme; thus, organisations are required to check in at three milestones throughout the accreditation process.

Milestone 1: Business Maturity Assessment

Milestone 1 determines how your organisation uses information and manages security. The initial maturity of your organisation’s information security is assessed against the ASD Essential Eight maturity model.

You should work closely with DESE through this process as the Department will provide the guidance and approach needed to advance to further milestones.

Milestone 2: Statement of Applicability and ISO 27001 Accreditation

Milestone 2 requires the implementation of a customised Information Security Management System plus full accreditation to ISO 27001.

This means that in addition to the 114 Annex A controls in ISO 27001, your scope should incorporate the controls defined in the Australian Government's Information Security Manual.

You must also submit a Statement of Applicability that, as previously mentioned, determines whether controls in the ISM are applicable to your organisation and how you have implemented these controls.

Milestone 3: RFFR Accreditation

To pass Milestone 3 you'll need to demonstrate the effective implementation of the ISMS and the applicable controls. Ensure you have incorporated the RFFR requirements into your ISMS and its scope and have taken all the ISM controls into consideration. You should also make your certification body aware of the customised nature of the ISO 27001 certification so that you gain the appropriate accreditation.

Contact Us

To get started on simple, secure and fast-tracked ISO 27001 certification

