
DESE Information Security Systems Scheme

REQUIREMENTS FOR BODIES PROVIDING AUDIT AND CERTIFICATION OF INFORMATION SECURITY MANAGEMENT SYSTEMS (ISMS) OF CONTRACTED EMPLOYMENT SERVICE PROVIDERS

DESE ISMS Scheme

Issue 1, 10 March 2021

Authority to Issue

Dr James Galloway, Chief Executive, with Authority of the Governing Board


DESE Information Security Systems Scheme

Issue 1, 10 March 2021 Page 2 of 24

Contents

0 INTRODUCTION (page 4)
1 SCOPE (page 4)
2.1 NORMATIVE REFERENCES (page 6)
2.2 INFORMATIVE REFERENCES (page 7)
3 TERMS AND DEFINITIONS (page 8)
4 PRINCIPLES (page 10)
5 GENERAL REQUIREMENTS (page 10)
5.1 Legal and contractual matters (page 10)
6 STRUCTURAL REQUIREMENTS (page 11)
7 RESOURCE REQUIREMENTS (page 11)
7.1 Competence of personnel (page 11)
7.2 Personnel involved in the certification activities (page 12)
8 INFORMATION REQUIREMENTS (page 13)
9 PROCESS REQUIREMENTS (page 13)
9.1 Pre-certification activities (page 13)
9.2 Planning audits (page 16)
9.3 Initial certification (page 17)
9.4 Conducting audits (page 17)
9.5 Certification decision (page 19)
9.6 Maintaining certification (page 20)
9.7 Appeals (page 21)
9.8 Complaints (page 21)
9.9 Client records (page 21)
10 MANAGEMENT SYSTEM REQUIREMENTS (page 21)
ANNEX A – KNOWLEDGE AND SKILLS FOR RFFR ISMS AUDITING AND CERTIFICATION (NORMATIVE) (page 22)
ANNEX B – AUDIT TIME (NORMATIVE) (page 23)
Table B.1 Audit time chart (page 23)


0 Introduction

0.1 Background

As part of assistance measures for persons looking for work, the Australian Government engages private service providers under contractual arrangements that include compliance with information security requirements for both participant and Australian Government information.

0.2 Object and field of application

This Scheme contains requirements that supplement, but do not diminish, the requirements of ISO/IEC 17021-1 and ISO/IEC 27006, which collectively are the current International Standards for bodies auditing and certifying ISMS.

Certification bodies (CBs) seeking accreditation shall meet these standards together with the other requirements specified in this document.

For ease of reference, the clause numbers in this document (other than in this Introduction and the Annexes) refer to the clauses in ISO/IEC 17021-1:2015.

The term “should” indicates a recognised means of meeting a requirement of this Scheme. A CB can meet these requirements in an equivalent way provided this can be demonstrated to the satisfaction of JAS-ANZ. The term “shall” is used in this document to indicate those provisions that are mandatory.

0.3 Transition policies

Accreditation

0.3.1 CBs are to demonstrate regard to the latest DESE requirements in force at the time of a client’s application.

0.3.2 CBs shall lodge a self-declaration of compliance to JAS-ANZ prior to issuing certification to a new version of the DESE requirements.

Certification

0.3.3 Certifications are to be for the version of DESE requirements in force. The version shall be stated on the certification.

0.3.3.1 Providers shall apply to upgrade their certification to the latest version of the DESE requirements following a surveillance or recertification audit to this version in the three-year cycle. Following a successful surveillance audit to the most recent version, the certification cycle will be maintained. The version on certificate documentation shall be updated on a successful surveillance audit.

1 Scope

The ‘object of conformity’ for the scheme is the information security management systems (ISMS) and environment of the contracted service providers which the Department of Education, Skills and Employment (DESE, ‘the Department’) engages to assist persons to prepare for and look for work. At the time of Issue 1 of this scheme, the Department had engaged over 300 such providers.


More specifically, the scope of this certification scheme is compliance with the Department’s contractual requirements (Statement of Applicability, SoA) for providers’ ISMS under the Right Fit for Risk (RFFR) accreditation approach. The RFFR approach is a component of the Department’s External Systems Assurance Framework (ESAF), by which the Department gains assurance over providers’ ISMS. Under the RFFR, providers with a caseload of 2000+ per annum are required to attain certification to the SoA in order to tender for provider deeds. The SoA comprises three distinct focus areas, the first of which is the Australian Cyber Security Centre’s (ACSC’s) Essential Eight strategies to mitigate cyber security incidents. The ACSC is itself based within the Australian Signals Directorate (ASD), a long-standing Australian Government entity supporting the broader work of the Australian Government. ASD was established as a Statutory Agency by the Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018.

The ESAF aims to ensure the Department’s systems and confidential data stored outside of the Department’s ICT environment are being managed responsibly. It covers all external ISMS associated with:

1) the delivery of a provider service;

2) storage, processing, or communication of data related to delivering provider services; and

3) data, information and records supporting the program.

The objective of this scheme is to supplement the minimum (baseline) requirements of ISO/IEC 27001 with the specific, evolving legal requirements for providers’ ISMS as part of the certification standard. More specifically, the supplementation does not allow providers the discretion to omit clauses in Annex A of ISO/IEC 27001:2013 (also see clause 6.1.3 of this standard). In addition, the ISMS contains minimum additional controls that fall within distinct control objectives of Annex A. While certification to ISO/IEC 27001 provides a robust foundation for operation of an ISMS, DESE has encountered limitations in the use of this certification standard to demonstrate compliance with its specific requirements for providers. The scheme incorporates all base-level international criteria for ISMS certification: ISO/IEC 17021-1:2015, ISO/IEC 27006:2015, and IAF MD 4:2018 as the accreditation criteria, and ISO/IEC 27001:2013 as part of the certification standard with the discretionary elements of the SoA under ISO/IEC 27001 being supplemented through the OFFICIAL controls for the Australian Government Information Security Manual (ISM) in the DESE ISMS Scheme. While titled ‘guidance’, ISO/IEC 27007 is also considered normative under this scheme.

In acknowledgement that a provider’s ISMS may extend to controls over additional information and for additional stakeholders, depending on its operational context, certification to this scheme is not mutually exclusive with, nor in competition with, voluntary accredited third-party certification to ISO/IEC 27001. However, in such cases care is required to ensure the respective scopes of both certifications are clearly distinct, and thus that there is clear demarcation within the ISMS that warrants separate certifications (see clause 9.1.3.1.4 of this scheme). To help distinguish the ISMS specifically in scope of this scheme from other ISMS, the term “RFFR ISMS” is used in subsequent clauses of this scheme document.

When determining all controls that are necessary to implement the information security risk treatments (clause 6.1.3(b) of ISO/IEC 27001:2013), DESE acknowledges the note “Organisations can design controls as required, or identify them from any source.” DESE also notes that the control objectives and the controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed to protect and manage your business (6.1.3(c) of ISO/IEC 27001:2013).


Providers’ deeds with the Department include compliance with the ISM. Therefore, all OFFICIAL controls within the ISM are the source.

Reflecting the pace of technological change, Australian Government expectations for ISMS and, more specifically, the guidance and requirements published by DESE and the ACSC, the applicable certification standard in this scheme is subject to continual change. At the time of initial certification or recertification, CBs are to ensure they utilise the current version in force. Upon surveillance and recertification, CBs are to ensure the latest version is utilised. A default self-declaration policy to attain JAS-ANZ accreditation to the latest version of the ISM applies for bodies prior to issuing certification to a new version of this certification standard, while JAS-ANZ reserves the right to impose a transition policy on any new version of the RFFR ISMS standards under this scheme. The default self-declaration transition policy requirements apply only to RFFR ISMS requirements developed by Australian Government agencies. Transitions for ISO and ISO/IEC standards are subject to the case-by-case transition arrangements as published by JAS-ANZ and agreed with the Department.

This accreditation scheme was developed by a technical committee to further develop the criteria for the minimum skills, experience, qualifications, personnel, audit processes, and systems for certification bodies accredited by JAS-ANZ to issue certificates to providers to signify they meet requirements of the RFFR approach.

While requirements of this scheme were developed by a consensus of a balanced range of representatives for the RFFR ISMS, its content is ultimately decided by DESE as the scheme owner, and as managed by JAS-ANZ on its behalf. Updates to this scheme are reflected by changes to the Issue number, and are accompanied by distinct, specific transition policies.

As a regulatory scheme, Policy 3/13 fully applies, and DESE reserves the right to modify the application of default transition policies for IAF mandatory documents, and ISO and ISO/IEC standards invoked in the scheme.

The additional unique requirements of this scheme were developed by considering the totality of requirements from the certification standard and RFFR requirements, and identifying where existing accreditation criteria for ISO/IEC 27001 certification could benefit from prescriptivity to supplement the minimum (baseline) requirements of one or more of legal, structural, resourcing (e.g., personnel), public information (e.g., website, brochures, advertisement), certification process (auditing process from application through to surveillance), and management system elements.

2.1 Normative references

The following referenced documents are indispensable for the application of this Scheme. For dated references, the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

Accreditation criteria

IAF MD 4:2018 IAF Mandatory Document for the Use of Information and Communication Technology (ICT) for Auditing/Assessment Purposes.

ISO/IEC 27006 Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems.


ISO/IEC 27007 Information technology – Security techniques – Guidelines for information security management systems auditing.

ISO/IEC 17021-1 Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements.

Other accreditation requirements

JAS-ANZ Policy 3/13. Providing conformity assessment in countries without appropriate authority’s approval. Note that this is a JAS-ANZ requirement. The Department requires all activities supporting these Deeds to be performed wholly within Australia in line with the data sovereignty clause.

Certification criteria (certification standards)

ISO/IEC 27001:2013. Information technology — Security techniques — Information security management systems — Requirements (as modified by making normative Annex A.18.1 in respect of DESE legal requirements).

The Protective Security Policy Framework.

The Australian Government’s Information Security Manual (ISM).

Statement of Applicability (SoA) [as current in force], the OFFICIAL ISM controls.

Other certification requirements

ISO/IEC 27002:2013. Information technology — Security techniques — Code of practice for information security controls.

2.2 Informative references

The following referenced documents are informative for this Scheme. For dated references, the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

Accreditation criteria

ISO 19011:2018. Guidelines for auditing management systems.

ISO/IEC 27000:2018. Information technology — Security techniques — Information security management systems — Overview and vocabulary.

ISO/IEC TS 27008:2019. Information technology — Security techniques — Guidelines for the assessment of information security controls.

IAF MD 13:2020. Knowledge Requirements for Accreditation Body Personnel for Information Security Management Systems (ISO/IEC 27001) (NOTE: This is normative criteria for accreditation body personnel, and thus fully applies to JAS-ANZ for the purpose of this scheme. This MD superseded IAF MD 13:2015 from December 2020).

Other

DESE’s RFFR suite of guidance documents.

DESE’s ISO/IEC 27001 suite of guidance documents.


DESE’s series of ISO to ISM maps based on different ISM versions. (Mapping of Annex A control objectives and controls of ISO/IEC 27001:2013 to ISM controls.)

DESE (2020) Right Fit For Risk (RFFR) Questionnaire. (Self-assessment form for providers).

DESE’s Accreditation of cloud services from 27 July 2020 guidance

Accreditation letters DESE has released in relation to Third-Party Employment Systems (available at https://www.employment.gov.au/digital-information-assurance).

Other guidance documents released to providers by DESE periodically.

3 Terms and definitions

3.1 The following definitions also apply to this scheme:

ACSC Australian Cyber Security Centre

Breaches A breach of Policy occurs when any person performs an act prohibited by the Policy. Examples include:

- the sharing of user IDs and passwords
- failure to notify the Department of an inappropriate access or use of the system or data
- users using the system for a purpose not authorised by the Department
- failure to notify the Department when a User should be suspended
- users attempting to inappropriately obtain increased access
- users making any false or fraudulent declaration
- providing false or misleading information, or failing to provide information where there is an obligation to do so
- users disclosing information obtained from Department Systems to someone not authorised to receive it.

CB Certification body, as defined in ISO/IEC 17021-1

Compliance breach A contravention against legal requirements directly relevant to RFFR ISMS, including but not limited to contractual requirements under the Deed utilised by DESE that exceed minimum requirements of ISO/IEC 27001. To avoid doubt, any data breach as defined under the Notifiable Data Breaches scheme or GDPR breaches also constitute a compliance breach.


Cyber security incidents

Cyber security incidents include but are not limited to:

- unwanted disruption or denial of service (e.g., DDoS attack)
- website defacement
- malicious code outbreak (e.g., virus or malware)
- data spillage, data loss
- loss or compromise of cryptographic keying material
- attempts to gain unauthorised access to a computer system or its data
- unauthorised use of a system for processing or storing data
- changes to system hardware, firmware or software without the knowledge or consent of the System Owner.

Cyber security strategy

The organisation’s strategy for meeting the requirements of the ISM under this scheme.

Deed An agreement between the Australian Government (via its Departments or agencies) and a business for the supply of employment services to the Department.

Department or DESE Refers to the Commonwealth Department of Education, Skills and Employment or such other agency or department as may administer this Agreement on behalf of the Commonwealth from time to time and, where the context so admits, includes the Commonwealth’s relevant officers, delegates, employees and agents.

End user A user of a provider’s services, for example job seekers and participants.

ESAF The External Systems Assurance Framework, the method the Department uses to gain assurance over providers’ IT Systems and of which the RFFR is a component.

ISM, and OFFICIAL ISM controls

Australian Government Information Security Manual, as currently in force. A defined subset of OFFICIAL ISM controls is the scope of certification, surveillance, and recertification audits in this scheme.

Office of the Australian Information Commissioner

The Australian Government independent national regulator for privacy and freedom of information.

Provider

Organisations contracted under Deed(s) to deliver programs, and its personnel, successors and assigns, and any constituent entities of the organisation, and includes reference to a Tendering Group contracted under this Deed, where applicable.

Right Fit For Risk (RFFR)

The Department’s risk assurance approach to provider IT security accreditation. It is part of the Department’s ESAF.


RFFR ISMS The Right Fit For Risk (RFFR) Information Security Management System (ISMS) in scope of this scheme. This term is used to distinguish the element(s) of the ISMS to which the requirements of the OFFICIAL ISM controls apply.

SoA Statement of Applicability. Under this scheme, the Department has produced a template ‘Statement of Applicability’ document that prioritises the Australian Government Protective Security Policy Framework (PSPF) and Australian Government Information Security Manual (ISM) controls to govern programs.

4 Principles

No additional principles

5 General requirements

5.1 Legal and contractual matters

5.1.2 Certification agreement

5.1.2.1 The certification agreement shall also ensure that:

(a) the client:

(i) is provided with the definition of a compliance breach under this scheme, and

(ii) agrees that in the event of any such breach, or reasonable basis to conclude such a breach had occurred, the CB is obligated to notify the Department within 24 hours of this realisation, and other authorities with legislated responsibility for monitoring data breaches,

(iii) agrees to provide the CB with its current service contract with the Department, and any revisions to this within seven days of the revised contract, and

(iv) agrees:

(I) to provide any audit reports in this scheme to the Department, if requested or otherwise obligated to do so through other legal agreements; and

(II) that in the event of refusing to do so, the CB reserves the right to provide all such report(s) to the Department, if the latter requests the body to do so.

Note: See clause 9.4.8.1 in this scheme.

(b) justification for undertaking short notice audits (clause 9.6.4.2) also includes any credible RFFR ISMS related concerns raised:

(i) by the Department, or other Government authorities,

(ii) by end users of services; or


(iii) in online feedback, reviews, or commentary about the client.

Note: This includes concerns raised in reviews on online platforms and fora.

6 Structural requirements

No additional requirements

7 Resource requirements

7.1 Competence of personnel

7.1.1 General considerations

No additional requirements

7.1.2.1 Competence requirements for RFFR ISMS auditing

7.1.2.1.3 Information security management system standards and normative documents

Competency criteria shall also ensure that auditors involved in RFFR ISMS auditing have demonstrated current knowledge and experience of the OFFICIAL ISM controls, and at least conversant-level knowledge of the range of other security controls outlined in the Australian Government’s Information Security Manual.

Note: Such knowledge and experience may collectively be held by the audit team.

7.1.2.2 Competence requirements for leading the RFFR ISMS audit team

7.1.2.2.1 Prior to gaining approval as leading the audit team (‘Audit Team Leader’, commonly referred to as ‘Lead Auditor’) under this scheme, personnel shall also meet at least one of the following criteria:

(a) Have a minimum of two years’ experience leading ISMS audit teams undertaking audits under JAS-ANZ (or other IAF member) accredited ISO/IEC 27001 certification programmes.

(b) Hold current qualifications regarding audit or security of information systems.

7.1.2.2.2 Audit Team Leaders in this scheme could hold at least one of the following qualifications, or qualifications equivalent or superior to these:

(a) Certified Information Security Auditor (CISA)

(b) Certified Information Security Manager (CISM)

(c) Certified Information Systems Security Professional (CISSP)

Note: The above is not an exhaustive list of relevant qualifications.

7.1.2.2.3 The equivalency or superiority of another qualification to those identified in clause 7.1.2.2.2 shall be documented, with records demonstrating how critical appraisal led to this determination. The appraisal should include regard to the topics covered, the length of any tuition (if applicable), and examination (or equivalent determination of knowledge attainment).

7.1.2.3 Competence requirements for conducting the application review

7.1.2.3.4 In addition, the personnel shall also have demonstrated:


(a) knowledge of:

(i) the operating context of providers;

(ii) the range of government information; and

(iii) the influence of provider size on ISMS vulnerabilities and the extent of ISMS related risk.

Note 1: Such knowledge requirements should normally be demonstrable from records of knowledge testing and/or audit planning history.

Note 2: Such knowledge and experience can also be partially obtained through demonstrated, ongoing ability to solicit, receive and understand inputs from an Audit Team Leader(s) under this scheme during the application review stage, prior to accepting the application from the client and entering into a certification agreement. However, such input cannot be relied on as the sole means of obtaining all such knowledge in (a).

(b) experience in planning audits to the OFFICIAL ISM controls:

(i) in an unsupervised capacity; and/or

(ii) in a supervised capacity, in which the performance of the activity is critically appraised by the Supervisor and written feedback provided.

(c) access to the list of approved audit personnel under this scheme, and regard to availability of these personnel within the client’s expected timeframe for attaining (re)certification to this scheme.

Note: For example, audit calendars over the next three months for these personnel. See clause 9.1.2.1(c) in ISO/IEC 17021-1:2015.

7.1.3 Evaluation processes

7.1.3.1 In addition, at least annually, the adequacy of audit planning shall be evaluated through feedback from the audit team and client following the audit, to confirm the adequacy of:

(a) audit time; and

(b) audit team competency.

7.2 Personnel involved in the certification activities

7.2.7.1 Training expectations for audit team personnel approved in this scheme shall also encourage regular attendance at relevant workshops, forums and conferences, and ensure records of attendance and satisfactory completion (as applicable) of these are maintained. Such encouragement shall also incorporate views on the suitability of these in guidance by the Department, where available.

Note 1: As the Department is the scheme owner, it is not appropriate for this scheme to mandate regular attendance at such workshops, forums and conferences. However, such attendance could be made mandatory by individual certification bodies.


Note 2: Examples of incentivising such attendance can be through role descriptions, contracts with audit personnel, internal correspondence on training and events, and other similar records of communication.

7.2.9.1 The monitoring process for auditors shall also ensure that any feedback from the Department or other Australian Government agencies is afforded high weighting in the overall determination of performance under this scheme. Any indication of a performance deficit in the views of these stakeholders should be examined through detailed review of audit records and follow-up onsite audit observation.

Note: Such feedback could be obtained through comments on audit reports, audit outcomes including nonconformity ratings, and responsiveness to queries on specific audit matters.

8 Information requirements

No additional requirements

9 Process requirements

9.1 Pre-certification activities

9.1.1 Application

9.1.1.1 The CB shall also inform all applicants for certification, regardless of provider size, of the following information in writing and featured prominently: ‘Providers with a caseload of less than 2000 end users per annum are not required to attain certification to their SoA in order to tender for provider deeds. However, such providers may elect to seek certification to their SoA’.

Note: ‘Featured prominently’ would typically involve appearing at the outset of emails and/or on the first two pages of a document-based quote, in font no smaller than the main body font.

9.1.1.2 The application for certification shall also require the applicant to agree to provide the organisation’s:

(a) cyber security strategy;

Note: This should clearly identify how the system fulfils requirements of the RFFR.

(b) following plans:

(i) System security plan;

(ii) Incident response plan;

(iii) Continuous monitoring plan.

Note: See Chapter ‘Guidelines for Security Documentation’ in the Australian Government’s Information Security Manual (ISM).

(c) self-assessment against the RFFR; and

(d) either:


(i) typical number of end users serviced by the provider; or

Note: ‘Typical’ would be the annual average serviced over the past three years.

(ii) in the case of new organisations that have not yet commenced or have been operating for less than three years, projected number of end users serviced per annum over the next three years.

Note: Projections would normally be based on consideration of geographic factors such as population levels, economic conditions, and local demand and competition.

9.1.1.3 The application process shall also require the applicant to declare whether:

(a) it had been subject to a data breach, or other ISMS related incident in the past five years that could reasonably be considered to constitute a compliance breach if it had occurred under this scheme; and

(b) it holds:

(i) accredited ISO/IEC 27001 certification from a JAS-ANZ accredited body or other IAF member accreditation body, that is relevant to the scope of the ISM in the DESE ISMS Scheme; and/or

(ii) any other ISMS related certifications from a CB accredited by JAS-ANZ or other IAF Member accreditation body that has ISMS in the MLA scope.

Note 1: i.e., accredited certification(s) that pertain to the handling of information from end users and government in relation to employment assistance programs.

Note 2: If the CB has issued current accredited ISO/IEC 27001 certification to the client for an ISMS relevant to that in the DESE ISMS Scheme, then this information is already known.

9.1.1.3.1 If such a breach in (a) had occurred, details of the incident, the financial, legal and other penalties incurred, and actions taken in response shall also be agreed to be provided.

9.1.1.3.2 If either of the criteria in 9.1.1.3(b) also apply, the CB shall notify JAS-ANZ in writing, as soon as practicable, with the name of the applicant being specified together with other details as considered relevant.

Note: Notification would normally be through an email being sent to [email protected], identifying the sender’s contact details and role within either a CB accredited under this scheme, or applying for accreditation.

9.1.2 Application review

9.1.2.1 The application review shall also confirm and document receipt of the information in clauses 9.1.1.2 and 9.1.1.3.

9.1.3 Audit program

9.1.3.1.1 The audit program shall also ensure that:

(a) at the time of initial certification or recertification, certification bodies (CBs) are to ensure the client has selected a current in force version of the OFFICIAL ISM controls in the SoA within three months of the audit fieldwork (i.e., of the opening meeting);


(b) in surveillance audits, if a subsequent version of the OFFICIAL ISM controls is in force, the audit scope shall be to this new version;

(c) in surveillance audits,

(i) nonconformities shall be raised against new requirements in a subsequent version of the OFFICIAL ISM (if applicable), however modified timeframes for closure of these apply, and

(ii) if no nonconformities arise against the current in force version of the OFFICIAL ISM, or nonconformities are raised and satisfactorily closed, the certification documentation for the client shall be updated to reflect certification to the current version of the OFFICIAL ISM; and

(d) providers undergoing recertification audits under this scheme are not afforded extended timeframes to address nonconformities to new requirements in a subsequent version of the OFFICIAL ISM (if applicable), if such extensions will extend more than six months beyond the three year certification expiry date in ISO/IEC 17021-1.

Note: See clause 9.6.3.2.5 of ISO/IEC 17021-1, which specifies actions to be taken prior to restoring expired certification.

9.1.3.1.2 Where one or more criteria in 9.1.1.3(b) of this document apply, the CB shall follow a documented process for offering the applicant expedited stage one and stage two certification audits to this scheme. That process shall include the following activities:

(a) requesting and confirming the accuracy and currency of the current claimed certification(s) held by the client.

Note: See as informative the initial process for transfer of accredited certification in the JAS-ANZ Accreditation Manual for confirming the currency of certification held by a client.

(b) comparing the extent of controls to the ISO/IEC 27001 conforming system operated by the client, as per its SoA and certification documentation, to that required by the current DESE ISM in force;

(c) providing the client with a written estimate of the 'gap' between their current certified ISM and that which is required to attain certification to this scheme. The estimate shall include:

(i) whether the current ISO/IEC 27001 certification (or similar) and associated reports can be utilised for expediting certification to this scheme; and if so

(ii) an outline of the remaining extent of requirements for which objective evidence of conformity will need to be attained through audit; and

(iii) the extent of reduction in audit time that can be afforded in the audit planning, noting that this may be refined following completion of the expedited stage one audit;

Note 1: Audit time is inclusive of Stage One and Stage Two activities.

Note 2: The process may also allow such advice to be provided following the completion of a Stage One audit.


(d) following receipt of the written estimate in (c), the client shall be requested to clarify whether it wishes to proceed with:

(i) expedited certification audits to this scheme; or

(ii) the full certification audit activities in this scheme; and

(e) the documented process shall not allow the expedited audit time to be reduced by more than 66% (rounded to the nearest quarter day) from the defaults specified in Annex B of this scheme.

Note 1: It is highly unlikely that expedited audit activities in this scheme will be shorter than five auditor days.

Note 2: The extent of maximum reduction is also applicable for surveillance and recertification audits.

9.1.3.1.3 The CB shall maintain documented records of the outputs of its process in 9.1.3.1.2 and retain these for all clients for a minimum of two certification cycles under this scheme.

Note: This requirement also applies for clients that do not proceed with the proposed quote.

9.1.3.1.4 The process shall allow the client to also maintain separate ISO/IEC 27001 certification to the ISMS scheme (internationally harmonised scheme operated globally), provided all requirements of that scheme are also complied with as determined by the rules of that scheme, and as determined by its CB.

9.1.3.1.5 Where notification of a suspected or confirmed data breach under 9.4.3.1 of this scheme has occurred, the surveillance and recertification audit procedures of the CB shall require it to confirm with the client whether the client has received any feedback or directions from authorities regarding the data breach.

Note: Also see clauses 9.4.3.2.3 and 9.4.8.3.2

9.1.4 Determining audit time

9.1.4.2.1 The process for determining audit time shall also have clear regard to increasing audit time in proportion to increasing typical annual end user numbers serviced by the provider, as detailed in Annex B of this scheme.

9.2 Planning audits

9.2.1 Determining audit objectives, scope and criteria

9.2.1.1 The documented audit criteria shall also demonstrate clear regard to the requirements of the audit program under clause 9.1.3.1.2 of this scheme (as applicable and subject to eligibility criteria).

9.2.2 Audit team selection and assignments

9.2.2.1.3 The Audit Team Leader may consider the use of an Information Security Registered Assessors Program (IRAP) Assessor within the audit team.

Note 1: This program and IRAP Assessor approval are controlled by the Australian Signals Directorate.


Note 2: The list of currently approved IRAP Assessors can be found online at: https://www.cyber.gov.au/acsc/view-all-content/programs/irap/irap-assessors

9.2.3 Audit plan

9.2.3.1 The audit plan shall also demonstrate regard to auditing the provider's compliance with all cyber security requirements under its contractual obligations to the Department.

9.3 Initial certification No additional requirements

9.4 Conducting audits

9.4.1 General

9.4.1.1 In addition, documented procedures shall detail:

(a) the actions taken to ensure the Department is notified within 24 hours of compliance breaches discovered during audit activities under this scheme; and

(b) other actions for notifying authorities of data breaches, as relevant to the jurisdictional requirements of their operations. Consideration of other jurisdictions is a default JAS-ANZ requirement arising from legislative compliance obligations in certification schemes. The Department requires all activities supporting these Deeds to be performed wholly within Australia, in line with the data sovereignty clause. If this is not the case, the CB shall notify the Department within 24 hours of identifying this fact.

9.4.3 Communicating during the audit

9.4.3.2.1 In addition, in the event of a suspected or confirmed data breach, the CB shall notify:

(a) the Department, in writing within 24 hours; and

(b) any other relevant authority.

Note 1: Until advised otherwise, notifications to the Department should be via an email addressed to [email protected]

Note 2: The Department may update its contact address for such notifications and publish the new address(es) on its website.

9.4.3.2.2 Notifications within 24 hours to the Department shall outline:

(a) the nature of the information that has been breached;

(b) extent of potential damages to the provider, end users; and

(c) immediate planned actions that are being taken by the provider to reduce the extent of potential harm.

9.4.3.2.3 Following a confirmed data breach, the CB shall monitor the client’s actions to comply with the Notifiable Data Breaches scheme.

Note: Also see clause 9.1.3.1.5


9.4.3.2.4 The CB is not responsible for following up on the data breach (or reasonable suspicion thereof) and shall decide whether the audit can continue or is to be called off, using the guidance specified in the normative references of this scheme.

Note: Also see criteria for cancellation of audits in clauses 9.3.1.2.4 and 9.4.3.2 of ISO/IEC 17021-1.

9.4.3.2.5 Where the CB is not satisfied that the provider has complied with the Notifiable Data Breaches scheme requirements, or is unlikely to do so, it shall, within seven days of reaching this determination, notify:

(a) the Department;

(b) the Office of the Australian Information Commissioner, as consistent with the Notifiable Data Breaches scheme; and

(c) any other relevant authority.

Note: Such notifications themselves do not constitute a decision or proof of confirmed noncompliance to the Notifiable Data Breaches scheme or any other legal requirement.

9.4.4 Obtaining and verifying information No additional requirements

9.4.5 Identifying and recording audit findings No additional requirements

9.4.6 Preparing audit conclusions No additional requirements

9.4.7 Conducting the closing meeting

9.4.7.2.1 For surveillance audits, nonconformities shall be raised against new requirements in a subsequent version of the OFFICIAL ISM; however, the modified timeframes for closure of these are to be no earlier than one week prior to the expiry of the current certification.

9.4.7.2.1.1 The exception is if such nonconformities against new requirements constitute – or are considered by the CB to likely result in – a compliance breach under this scheme. In such cases, follow-up actions and timeframes for handling such breaches under this scheme apply.

9.4.7.2.1.2 Where a nonconformity is raised in surveillance or recertification audits against new requirements in a subsequent version of the OFFICIAL ISM, and its closure is impracticable or unreasonable to expect under the default or modified (clause 9.4.7.2.1) timeframes in this scheme due to equipment or other resourcing constraints, the timeframes may be extended if all of the following are demonstrated:

(a) The provider has been requested to explain why it is impracticable or unreasonable, and this explanation includes an analysis of why no other feasible alternatives could be arranged for corrections and corrective actions within the requested timeframes.

(b) The provider has also provided the explanation in (a) to the Department.


(c) The CB agrees with the explanation in (a), using a nonconformity handling process that incorporates the views of Audit Team Leaders under this scheme, and has confirmed by records that the provider has notified the Department in (b).

(d) A certification decision maker under this scheme has made a determination, in writing, for why the objectives of this scheme are not better served by suspending the provider’s certification in the first instance, and the records of this determination are maintained.

(e) For recertification audits, the provider is advised, in writing, of the inability to extend certification cycles beyond three years, of the process for restoring expired certification within six months of expiry, and of the inability to restore it beyond six months under this scheme.

Note: See clauses 9.1.3.1.1 and 9.6.3.1.2.2 in this scheme.

9.4.8 Audit report

9.4.8.1 Note 1: Under separate agreements, clients are required to provide audit reports to the Department. Any queries from the Department on audit reports or outputs of these shall be handled in a manner comparable to queries from clients. In addition, failure to adequately address such queries may be considered a breach of the Standard of Service requirements in the Conditions of Accreditation, as operationalised in the JAS-ANZ Accreditation Manual (see 'Responsibilities to Scheme Owners').

Note 2: Any deficit in responses to queries from the Department may have implications for continued accreditation under this scheme as a result of Policy 3/13 obligations from JAS-ANZ as the accreditation body.

9.4.8.3.1 The audit report shall also contain an unambiguous statement of the provider’s compliance with cyber security requirements under its contractual obligations to the Department.

9.4.8.3.2 The outcome from the enquiries in clause 9.1.3.1.5 on the status of data breaches shall be at the minimum documented in audit reports.

9.4.9 Cause analysis of nonconformities No additional requirements

9.5 Certification decision

9.5.1 General No additional requirements

9.5.2 Actions prior to making a decision

9.5.2.1 Documented records of all certification decisions shall also include confirmation that certification is being issued against either:

(a) the version of the OFFICIAL ISM that was in force at least three calendar months prior to the first onsite audit day (including remote ICT onsite auditing); or

(b) optionally, if applicable and justified by the audit team and subsequent post-audit records, the current version of the OFFICIAL ISM in force at the time of the certification decision.


9.5.3 Information for granting initial certification No additional requirements

9.6 Maintaining certification

9.6.1 General No additional requirements

9.6.2 Surveillance activities

9.6.2.1 General

9.6.2.1.2 If a new version of the OFFICIAL ISM controls has been published within three months of the planned date of the opening meeting of the surveillance audit, then the provider shall also be requested in writing to undertake a self-assessment against the new or modified subset of controls.

9.6.2.2 Surveillance audit

9.6.2.3 Regardless of whether a self-assessment has been submitted or whether a new version of the OFFICIAL ISM controls was published within three months of the planned date of the opening meeting, surveillance audits shall also have regard to conformity with the current in-force version of the OFFICIAL ISM, and raise nonconformities against these with modified timeframes as per the rules of this scheme.

9.6.3 Recertification

9.6.3.1 Recertification audit planning

9.6.3.1.2.1 Recertification audit planning under this scheme shall also determine conformity to the version of the OFFICIAL ISM in force at least three calendar months prior to the first onsite (including remote ICT onsite auditing) recertification audit day, as specified in the audit plan.

9.6.3.1.2.2 If a new version of the OFFICIAL ISM controls has been published within three months of the expiry date of certification, then the provider shall also be requested in writing to:

(a) undertake a self-assessment against the new or modified subset of controls, and

(b) note the inability under this scheme to extend certification cycles beyond three years without imposing suspension, and the inability to restore suspended certification beyond three years and six months from the date of (re)certification under this scheme.

Note: Non-submission of a self-assessment (if applicable) is not itself grounds to terminate a recertification audit.

9.6.4 Special audits

9.6.4.3 Credible evidence of a compliance breach under this scheme shall necessitate a short-notice audit, unless, as at the time this is first determined, a surveillance audit or recertification audit is to be undertaken within two calendar weeks.

9.6.5 Suspending, withdrawing or reducing the scope of certification

9.6.5.6 No later than 48 hours after making a decision to suspend, withdraw, or reduce the scope of certification for a client, the CB shall also notify the Department in writing of this decision via an email addressed to [email protected], or other means advised by the Department.

9.7 Appeals

9.7.6.1 No later than seven calendar days following receipt of an appeal, the CB shall also notify the Department in writing of the substance of the appeal via an email addressed to [email protected]

9.7.8.1 The Department shall also be notified of the outcome of the appeal handling process, no later than seven calendar days following its completion, via an email addressed to [email protected]

Note: Notifications of such appeals may also proceed via other means advised by the Department.

9.8 Complaints No additional requirements

9.9 Client records

9.9.2.1 Records on certified clients shall also include their progress on complying with the most recent version of the OFFICIAL ISM in force, if not already certified to this version.

10 Management system requirements No additional requirements


Annex A – KNOWLEDGE AND SKILLS FOR RFFR ISMS AUDITING AND CERTIFICATION (NORMATIVE)

A.1 Additional competency requirements beyond those of ISO/IEC 27006 and ISO/IEC 27007 apply for application review and audit personnel, as specified in clause 7 of this scheme.

No additional requirements to the foundational requirements of Annex A for audit team personnel apply, noting that the discretionary elements of the SoA under ISO/IEC 27001 are supplemented through the OFFICIAL controls within the ISM in the DESE ISMS Scheme. Knowledge of these elements for audit team personnel is mandatory, as detailed in clause 7 of this scheme.

Note 1: See Informative Reference in this scheme: ‘Mapping of Annex A control objectives and controls of ISO/IEC 27001:2013 to ISM controls’.


Annex B – AUDIT TIME (NORMATIVE)

B.3.0.1 Procedure for determining audit time for initial audit

The requirements of Annex B in ISO/IEC 27006 apply, supplemented as follows to account for the extent of controls required for the DESE ISMS Scheme.

Note 1: In general, the audit time requirements for the DESE ISMS Scheme will be on average at least three-fold longer than those for ISMS audits to ISO/IEC 27001. This reflects the large number of OFFICIAL controls in the SoA for the DESE ISMS Scheme.

Note 2: Reductions in the audit time minimums below are afforded for clients that hold accredited certification to specified standards in this scheme. See clause 9.1.3.1.2.

Note 3: Factors to adjust audit time minimums in surveillance and recertification audits in ISO/IEC 27006 also apply.

Note 4: The appropriateness of audit times in this scheme is an active area of focus over the first several years of its operation. In the event of any excessive audit times being produced, CBs may convey their concerns to [email protected]

Table B.1 Audit time chart

Number of persons doing work        RFFR ISMS audit time for        Additive and           Total
under the organisation's control    initial audit (Stage 1 & 2,     subtractive factors    audit time
                                    auditor days)*
1-10                                15                              See B.3.4
11-15                               18                              See B.3.4
16-25                               21                              See B.3.4
26-45                               25.5                            See B.3.4
46-65                               30                              See B.3.4
66-85                               33                              See B.3.4
86-125                              36                              See B.3.4
126-175                             39                              See B.3.4
176-275                             42                              See B.3.4
276-425                             45                              See B.3.4
426-625                             49.5                            See B.3.4
626-875                             52.5                            See B.3.4
876-1175                            55.5                            See B.3.4
1176-1550                           58.5                            See B.3.4
1551-2025                           63                              See B.3.4
2026-2675                           66                              See B.3.4
2676-3450                           69                              See B.3.4
3451-4350                           72                              See B.3.4
4351-5450                           75                              See B.3.4
5451-6800                           78                              See B.3.4
6801-8500                           81                              See B.3.4
8501-10700                          84                              See B.3.4
> 10,700                            Follow progression above        See B.3.4

*Note: Of an initial audit. See the audit time definition in clause B.3.3 of ISO/IEC 27006:2015.


B.3.4.1 Factors for adjustment of audit time

Audit time shall also be increased by the following activity-based factors:

a) For organisations with 100 or fewer end users per annum, no additional activity-based factor applies.

b) For organisations with greater than:

1. 100 and fewer than 500 end users per annum, an additional 10% activity-based factor applies

2. 500 and fewer than 1000 end users per annum, an additional 15% activity-based factor applies

3. 1000 and fewer than 2000 end users per annum, an additional 30% activity-based factor applies

4. 2000 and fewer than 10000 end users per annum, an additional 45% activity-based factor applies; and

5. 10000 or greater end users per annum, an additional 60% activity-based factor applies.

Note 1: See paragraph 9.1.1.2(d) for calculating activity-based factors.

Note 2: Providers with a caseload below 2000 end users per annum are not required to attain certification to their SoA in order to tender for provider deeds. However, such providers may elect to seek certification to their SoA.