DESE Information Security Systems Scheme

DESE Information Security Systems Scheme

As part of assistance measures for persons looking for work, the Australian Government engages private service providers under contractual arrangements that include compliance with information security requirements for both participant and Australian Government information.

The ‘object of conformity’ for the scheme is the information security management systems (ISMS) and environment of contracted service providers, of which the Department of Education, Skills and Employment (DESE, ‘the Department’) engages to assist persons prepare for and look for work.

More specifically, the scope of this certification scheme is compliance with the Department’s contractual requirements (Statement of Applicability, SoA) for providers’ ISMS under the Right Fit for Risk (RFFR) accreditation approach. The latter approach is a component of the Department’s External Systems Assurance Framework (ESAF) by which the department gains assurance over providers’ ISMS. Under the RFFR, providers with a caseload of 2000+ per annum are required to attain certification to the SoA in order to tender for provider deeds.

The ESAF aims to ensure the department’s systems and confidential data stored outside of the department’s ICT environment are being managed responsibly. It covers all external ISMS associated with: 1) The delivery of a provider service; 2) Storage, processing, or communication of data related to delivering provider services; and 3) Data, information and Records supporting the program.

The objective of this scheme is to customise the baseline requirements of ISO/IEC 27001 with the specific, evolving legal requirements for providers’ ISMS as part of the certification standard. More specifically, the customisation does not allow providers the discretion to omit clauses in Annex A of ISO/IEC 27001:2013. In addition, the ISMS contains minimum additional controls that fall within distinct control objectives of Annex A.

As a regulatory scheme, DESE reserves the right to modify the application of default transition policies for IAF mandatory documents, and ISO and ISO/IEC standards invoked in the scheme.


  • Demonstrates compliance with obligations for Right Fit for Risk (RFFR) accreditation approach.
  • Helps to secure sensitive government data and personal information.
  • Demonstrates providers are operating an ISMS that meets (and exceeds) expectations of ISO/IEC 27001 as operated globally.
  • Is compatible with separate, stand-alone ISO/IEC 27001 certification for ISMS operated for other purposes, and where this is clearly articulated in the respective certification scopes.

Scheme owner

Department of Education, Skills and Employment

Scheme Criteria (downloadable PDFs)

DESE ISMS Scheme - Issue 1


More information

An application pack, application form and other relevant material is not available on this site. These documents are available through our SharePoint portal. If you are a body that we currently accredit, you can access this information through the Shared CAB Portal. If you are a new applicant, please complete an application enquiry form. Once this form is submitted, the Secretariat will contact you to advise the next steps. For other stakeholders, please submit your inquiry through the online feedback form.