The Australian federal government is requiring ISO 27001:2013 certification for all providers of employment skills training and disability employment services. The Department of Education, Skills and Employment (DESE) issued the mandate, aligning Australian standards with global standards. ISO 27001 essentially carries out the work Centrelink was tasked with previously.  

This new requirement doesn’t necessarily mean that organisations need to submit their scope and SoA (Statement of Applicability) to the department for review. If you don’t submit these documents, you may still achieve certification to ISO 27001 but the department may not see the certification as meeting their requirements if the scope and applicable security controls listed in the SOA are viewed as not being adequate to protect the confidentiality, integrity and availability of the DESE’s information. Therefore, it’s wise to submit your scope and SoA for review by the department to ensure it is adequate. All of these components are part of the RFFR (Right Fit for Risk) Framework. 

To put all of these pieces together, let’s take a step back and examine each one separately.

What is ISO 27001?

ISO 27001 is a globally-recognised, flexible framework used by many industries and organisations. It was developed to help organisations protect their information systematically and cost-effectively. The adoption of an Information Security Management System (ISMS) is key to these benefits.

Many organisations in Australia seek ISO certification on their own as a way of ensuring the organisation’s management system adopts industry best practice. 

What is an Information Security Management System?

As you work through the RFFR suite of documents, you’ll find that you need an Information Security Management system (ISMS). The department requires that you document and implement your ISMS. Organisations use an ISMS to manage risk and limit the impact of a security breach. In short, an ISMS is a set of policies and procedures used to protect the confidentiality, integrity and availability of information. 

It can also help coordinate all of your security activities (both physical and digital). By having everything in one place, you can simplify your security processes and enable staff and management to make informed decisions regarding security controls and the organisation’s security posture. 

The ISMS Scope

When you set the ISMS scope, you define which information you plan on protecting. To do this, differentiate between data that is critical to your organisation’s operations and that which is beyond your control. Don’t worry about whether this information is stored within your company’s computers or in the cloud. 

The parameters will be helpful when you’re ready for certification because the auditor will verify that all elements of the ISMS work well within your chosen scope. 

As you define your scope, consider the following:

• The need to meet tender requirements to operate (ISO 27001 clause 4.1)
• The provisions of interested parties, such as departments and job seekers (ISO 27001 clause 4.2)
• Interfaces and dependencies between elements within the scope and the outside world

Documenting Your Scope

The department doesn’t require you to use a specific template when you submit your scope, but the following headings will help you to cover all the core expectations:

• Purpose of the scope document
• Interested parties
• Processes and services
• Organisational units or business areas
• Assumptions, constraints and dependencies
• Locations and physical boundaries
• Supply chain management
• Logical boundaries (data flow diagrams and network security issues)
• Exclusions from the scope
• Roles and responsibilities
• Essential Eight strategies for mitigating cybersecurity breaches
• Information security risk management
• Information security monitoring
• Detection, reporting and management of cybersecurity incidents
• Restricted access controls
• HR processes.

Preparing a Statement of Applicability:

Clause 6.1.3 d) of ISO 27001 requires an organisation to produce a document known as a Statement of Applicability, which is a checklist of sorts.

The Statement of Applicability is based around a list of 114 security controls: measures designed to address specific risks. 

The 114 security controls are grouped into 14 security domains. These are the domains along with some notes where the categories aren’t self-explanatory.

For a full list of these domains, how the SoA works and its benefits, read here.

Walking You Through Certification

Here at Compliance Council, we’ve already helped a few organisations in DESE achieve certification, and we can assist you through the process as well. Not only will you be certified to provide employment skills training and disability employment services, but you’ll also strengthen your organisation’s security. Many organisations find that the certification process leads to improved efficiency once all the changes are implemented.

Improve your company’s reputation and achieve a return on your investment. ISO 27001 is not complicated or prescriptive; it’s well worth the time and effort. Get in touch with us to learn more about ISO 27001 and Right Fit for Risk. We’re here to help you strengthen your organisation and level up.