As cyber-attacks against Australian organisations continue to increase, so too have the requirements of information security systems and standards across all industries.
Previously, we have spoken about ISO 27001 certification, the international standard that gives organisations a best-practice framework for managing the security of their information, including the personal details of their clients and employees, financial information and intellectual property.
Here, we take a deep dive into what the Department of Education, Skills and Employment (DESE) Information Security Management System Scheme (the ‘DESE ISMS Scheme’) is, who is required to comply with it, and what the process involves.
What is the DESE ISMS Scheme?
Further to the Australian Federal Government requiring providers of employment, skills training and disability employment services to demonstrate ISO 27001-aligned information security (with the level of assurance, up to formal ISO 27001 certification, depending on the provider's size), the DESE ISMS Scheme is designed to ensure that the storage, processing and communication of information related to delivering employment services remains confidential and secure. It includes:
- The requirements of the international information security management standard, ISO/IEC 27001;
- Additional controls from the Australian Government Information Security Manual (ISM); and
- A risk-based assurance framework known as Right Fit For Risk (RFFR).
Under the RFFR framework, all DESE service providers must meet the Department's information security requirements, but the level of assurance required scales with an organisation's caseload: smaller providers may be permitted to self-assess, whereas larger providers require external assurance, such as an independent audit by an accredited certification body. DESE has mandated compliance with the framework as a condition of providers fulfilling their obligations to the Department.
What is the aim of the DESE ISMS Scheme?
The DESE ISMS Scheme aims to equip organisations with a framework, drawing on both national (ISM) and international (ISO 27001) components, for managing their sensitive data. An ISMS brings together people, processes and technology so that all security efforts, both electronic and physical, are coordinated in a clear, consistent and sustainable way.
What does the DESE ISMS Scheme mean for your business?
As organisations' obligations to manage information security risk change, they often pass additional security requirements down to parties within their supply chain. In this case, DESE is requiring its providers to lift their information risk management and security posture, which is likely to have a ripple effect through the IT and non-IT service providers that support those organisations.
We have not confirmed whether other initiatives similar to the DESE ISMS Scheme will be introduced for other suppliers to the Government. Regardless, we recommend that all organisations make progress towards improving their management of information security and cyber security.
There is a range of benefits (similar to those discussed in our ISO 27001 blog) for businesses that gain compliance, including:
- Increased tender and/or funding opportunities for an organisation where certification is required.
- Ensuring relevant legal requirements or third party obligations are met.
- Establishing trust amongst customers and stakeholders.
- Protecting your organisation and reducing its exposure to cyber security threats.
What is involved in DESE ISMS Compliance?
Organisations seeking DESE ISMS accreditation must prepare several documents, including a Scope of Coverage, a Statement of Applicability (SoA), and a Self-Assessment Report.
The SoA is organised into distinct focus areas, one of which is the Australian Cyber Security Centre’s (ACSC’s) Essential Eight strategies to mitigate cyber security incidents.
An SoA must include detailed information about your organisation's risk posture, including:
- Your organisation's cyber security strategy.
- Your organisation's system security plan, incident response plan, and continuous monitoring plan.
- A self-assessment of your organisation.
- Whether or not your organisation has been subject to a data breach, or other related incidents.
As you can appreciate, cyber and information security practice evolves continually, and updates to the ISM are typically released quarterly. A key challenge for organisations is therefore to keep their ISMS current, as accreditation is assessed against the latest published ISM release or the one immediately before it.
This can be a time-intensive and detail-driven process. We recommend working with a trusted third party to ensure your cyber security strategy and risk posture are fit for purpose and to complete a thorough self-assessment.
Is the DESE ISMS Scheme different from ISO 27001?
The Scheme contains requirements that supplement, but do not diminish, those of ISO 27001, and it combines national and international standards into a single set of criteria for the bodies that audit and certify organisations under the DESE ISMS Scheme.
If you are already on the path to ISO 27001 certification, we encourage you to consider DESE’s core requirements and expectations as well, because a standard ISO 27001 certificate on its own may not be seen as meeting all of them.
How Diamond IT can help you achieve DESE ISMS accreditation and ISO 27001 certification
Our team of Business Technology Consultants is currently working with key organisations across a range of sectors to ensure their ISO 27001 and DESE ISMS preparedness.
From the development of key cyber security strategies and plans to full self-assessment and audits, our team is here to guide you through.
Becoming compliant doesn’t have to be a difficult process, but it does take time. To learn more about ISO 27001 certification and DESE ISMS Scheme accreditation, contact us today on 1300 307 907.