DESE Information Security Scheme

This information security scheme is aimed at contracted employment service provider information security management systems (ISMS) and environment of contracted service providers, of which the Department of Education, Skills and Employment (DESE, ‘the Department’) engages to assist persons prepare for and look for work. Contracted employment service providers are contractually obliged to comply with the department’s ISMS requirements under the Right Fit for Risk (RFFR). Under the RFFR, providers with a caseload of 2000+ per annum are required to attain certification to the Statement of Applicability (SOA) in order to tender for provider deeds.

BSI offers a JAS-ANZ accredited certification audit against the DESE's ISMS Scheme. This customized audit requires a provider to comply with minimum requirements of ISO/IEC 27001 with the specific, evolving legal requirements for providers’ ISMS as part of the certification standard with the discretionary elements of the SOA under ISO/IEC 27001 being supplemented through the official controls for the Australian Government Information Security Manual (ISM) in the DESE ISMS Scheme. Providers’ deeds with the Department includes compliance with the ISM. Therefore, all official controls within the ISM is the source.

As a regulatory scheme, DESE reserves the right to modify the application of default transition policies for IAF mandatory documents, and ISO and ISO/IEC standards invoked in the scheme.

Providers with a caseload below 2000 end users per annum are not required to attain certification to their Statement of Applicability (SoA) in order to tender for provider deeds. However, such providers may elect to seek certification to their SoA.

• Demonstrates compliance with the contractual obligations for Right Fit for Risk (RFFR) accreditation
• Minimizes information security risk and helps to secure sensitive government data and personal information
• Demonstrates operation of an ISMS that meets the expectations of a globally renowned information security management system standard i.e. ISO/IEC 27001
• Is compatible with separate, stand-alone ISO/IEC 27001 certification for ISMS operated for other purposes.