
Right Fit For Risk Accreditation
Compliance as a Service
- We start by running a thorough gap analysis and mapping out the required Milestones (1, 2, 3) based on your Provider Category (1, 2A or 2B) under RFFR. From there, we help you plan which controls you’ll need from ISO/IEC 27001, the Australian Government Information Security Manual (ISM), and other RFFR-specific obligations.
- You’ll get a full risk assessment and risk treatment plan designed around the ISM and ISO 27001 control sets. These are tailored to your business model, data sensitivity, and the specific DEWR contract(s) you hold, and include documented scope, boundaries, control selection, and associated evidence.
- We prepare your Statement of Applicability (SoA) using the official RFFR template. This covers all applicable controls from ISO 27001 Annex A plus those drawn from the ISM and other contractual obligations. We help you decide which controls apply and why (or why not), and ensure the documentation is audit-ready.
- All of this is built directly inside your Microsoft 365 and SharePoint environment. Policies, registers, control evidence, workflows — everything lives in tools your team already uses, so you don’t face extra software burden or learning curves.
- Depending on your RFFR category (1, 2A or 2B), we align your pathway:
  - Category 1 (higher risk / large caseload): full ISMS, independent ISO 27001 certification, and a full SoA covering ISM and ISO controls.
  - Categories 2A and 2B (lower risk or smaller scope): self-assessment may be possible for certain Milestones, but you still need alignment to the SoA, ISM controls, risk assessments and so on.
- We help you deliver the required RFFR Milestones:
  - Milestone 1: context, maturity, questionnaire, IT environment and scope setting.
  - Milestone 2: SoA, ISO 27001 / ISM control design, and documentation ready for assessment (certified or self-assessment depending on category).
  - Milestone 3: full implementation, evidence of operational effectiveness, submission of required reports, and audit readiness.
- After attaining RFFR accreditation, your obligations don’t stop. You’ll need to maintain surveillance or self-assessment (annual or triennial depending on category), update your SoA when the ISM is updated, and adjust as your business changes. We stay with you to ensure nothing slips and your system continues to meet DEWR’s evolving requirements.
How ISO365 Supports RFFR Accreditation
The Right Fit for Risk (RFFR) Cyber Security Accreditation Program is managed by the Department of Employment and Workplace Relations (DEWR). It requires digital suppliers handling government data to demonstrate strong information security practices aligned to ISO/IEC 27001 and the Australian Government Information Security Manual (ISM).
At ISO365, we embed these requirements directly into your Microsoft 365 environment, guiding you through every Milestone (1, 2 and 3) whether you are a Category 1, 2A or 2B provider.

Beyond ISO 27001
Many clients expand into additional standards over time. We build a single system that can support:
- ISO/IEC 27001 is the global benchmark for managing information security. We help you design and implement an Information Security Management System (ISMS) that protects data, builds trust, and opens doors to new business. Most clients achieve certification in under six months, with a system built directly inside Microsoft 365.
- As one of the first Australian firms certified to ISO/IEC 42001, we help you build responsible AI governance into your existing compliance system. Whether you’re using, deploying or developing AI, we guide you through risk assessments, impact assessments, control design and accountability structures — ensuring your AI practices are safe, transparent and aligned with emerging regulation.
- ISO 9001 demonstrates that your organisation consistently delivers quality services and meets client expectations. We help you integrate a Quality Management System (QMS) into your operations, improving service delivery, customer satisfaction and tender success.
- ISO 14001 certification shows your commitment to environmental responsibility. We help you implement an Environmental Management System (EMS) that aligns with sustainability goals, reduces environmental impact, and meets stakeholder expectations.
- ISO 45001 focuses on the health, safety and wellbeing of your workforce. We guide you in building a practical Safety Management System that reduces risks, improves compliance with workplace regulations, and demonstrates your commitment to a safe and sustainable workplace.