Right Fit For Risk Compliance Services in Australia

Meeting Right Fit For Risk compliance requirements doesn't have to be complicated. Siege Cyber helps Australian organisations achieve RFFR accreditation so you can secure and maintain government contracts with confidence.

Whether you're an employment services provider, training organisation, or contractor working with the Department of Employment and Workplace Relations (DEWR), we'll guide you through every step of the RFFR framework, from gap analysis to full accreditation.

The Challenge: Government Contracts Require RFFR Accreditation

If you're tendering for or delivering services under DEWR contracts, Right Fit For Risk accreditation isn't optional—it's mandatory. But for many organisations, the RFFR framework feels like navigating unfamiliar territory.

You're facing questions like:

  • What exactly does RFFR require, and how does it differ from ISO 27001 or Essential Eight?
  • Do we fall into Category 1 or Category 2, and what's the difference?
  • How do we prove compliance with the ASD ISM and Essential Eight requirements?
  • What documentation does DEWR actually need to see?
  • Can we achieve accreditation without hiring a full-time security team?

The stakes are high. Without RFFR accreditation, you can't compete for government employment services contracts. And if you're already delivering services, non-compliance puts those contracts at risk.

The good news? RFFR is built on frameworks you may already know: ISO 27001 and the ASD Information Security Manual. With the right guidance, accreditation is absolutely achievable.

What We Deliver: Complete RFFR Compliance Support

Siege Cyber provides end-to-end Right Fit For Risk compliance services designed specifically for Australian organisations working with government contracts.

RFFR Gap Analysis

We start by assessing where you currently stand against RFFR requirements:

  • Review your existing security controls against the RFFR Statement of Applicability
  • Identify gaps between your current state and both Category 1 and Category 2 requirements
  • Map your Essential Eight maturity levels against RFFR expectations
  • Provide a clear roadmap showing exactly what needs to be implemented or improved
  • Estimate the effort and timeline required to achieve accreditation

Essential Eight Implementation

RFFR requires demonstrated compliance with the Essential Eight. We help you implement and mature these critical controls:

  • Application control to prevent unauthorised software execution
  • Patch management for applications and operating systems
  • Multi-factor authentication across all user accounts
  • Macro settings to prevent malicious code execution
  • User application hardening to reduce attack surface
  • Regular backups with offline storage and testing
  • Administrative privilege restrictions
  • Daily patching of internet-facing services

We don't just tick boxes—we implement controls that actually protect your environment while meeting RFFR requirements.

ISO 27001 Alignment

Since RFFR is built on ISO 27001 principles, we align your information security management system with both frameworks:

  • Risk assessment and treatment aligned with ISO 27001 and RFFR
  • Policy and procedure development covering all required controls
  • Documentation that satisfies both RFFR auditors and potential ISO 27001 certification
  • Statement of Applicability (SOA) tailored to your category and risk profile

ASD ISM Compliance

The ASD Information Security Manual forms the technical foundation of RFFR. We ensure your controls meet ISM requirements:

  • Technical control implementation aligned with ISM guidelines
  • Configuration hardening for servers, workstations, and cloud environments
  • Access control frameworks following ISM best practices
  • Incident response procedures meeting ASD standards

Category Determination and Documentation

We help you understand which RFFR category applies to your organisation and what that means:

  • Category 1 or Category 2 classification based on service volume and risk
  • Documentation packages tailored to your category requirements
  • Evidence collection and management for ongoing compliance
  • Template customisation for policies, procedures, and registers

Audit Preparation and Support

When it's time for your RFFR assessment, we make sure you're ready:

  • Pre-audit readiness reviews to identify any last-minute gaps
  • Documentation organisation and evidence mapping
  • Staff briefings so your team knows what to expect
  • Auditor liaison and technical clarifications during the assessment
  • Post-audit remediation support if any findings need to be addressed

Our Process: From Gap Analysis to Accreditation

1. Discovery and Scoping

We start by understanding your organisation and RFFR requirements:

  • Review your current services and government contract obligations
  • Determine your RFFR category based on service volume and data handling
  • Assess existing security controls and documentation
  • Define the scope of systems and data covered by RFFR
  • Identify key stakeholders and establish communication channels

2. Gap Analysis

We conduct a thorough assessment against RFFR requirements:

  • Evaluate your current state against the RFFR Statement of Applicability
  • Test Essential Eight controls and determine maturity levels
  • Review policies, procedures, and documentation against ASD ISM
  • Identify technical, procedural, and documentation gaps
  • Deliver a detailed gap analysis report with prioritised recommendations

3. Remediation Roadmap

We create a practical plan to close the gaps:

  • Prioritise remediation activities based on risk and effort
  • Define implementation timelines and resource requirements
  • Establish quick wins versus longer-term projects
  • Assign responsibilities and accountabilities
  • Set milestones and review points

4. Implementation Support

We work alongside your team to implement required controls:

  • Configure and deploy Essential Eight controls
  • Develop and customise RFFR-compliant policies and procedures
  • Implement technical controls aligned with ASD ISM
  • Set up evidence collection and monitoring processes
  • Conduct regular progress reviews and adjust the roadmap as needed

The timeline varies based on your starting point—organisations with existing ISO 27001 or Essential Eight programs typically achieve RFFR compliance faster.

5. Documentation and Evidence Package (Ongoing)

We help you compile the documentation DEWR needs to see:

  • Statement of Applicability demonstrating control implementation
  • Policies and procedures covering all required security domains
  • Risk assessment and treatment documentation
  • Evidence of Essential Eight maturity levels
  • Incident response and business continuity plans
  • Access control registers and system inventories

6. Pre-Audit Readiness Review

Before your formal RFFR assessment, we ensure everything is in order:

  • Comprehensive review of all documentation and evidence
  • Mock audit scenarios to test control effectiveness
  • Staff interviews and awareness checks
  • Final gap remediation for any outstanding items
  • Readiness certification and go/no-go recommendation

7. Audit Support and Ongoing Compliance

We're with you through the assessment and beyond:

  • Technical support during the RFFR audit process
  • Clarification and evidence provision to auditors
  • Remediation of any audit findings
  • Ongoing compliance support to maintain accreditation
  • Annual review and re-assessment preparation

Who This Service Is For

Employment Services Providers

If you're delivering employment services under DEWR contracts, RFFR accreditation is mandatory. We help providers of all sizes—from boutique agencies to national networks—achieve and maintain compliance without the overhead of a full-time security team.

Training Organisations

Training providers working with government programs need RFFR accreditation to continue delivering services. We understand the unique challenges of training environments and help you implement practical controls that protect participant data without disrupting program delivery.

Government Contractors and Service Providers

Any organisation handling employment services data or working under DEWR contracts needs to meet RFFR requirements. We help contractors demonstrate compliance and maintain accreditation as contracts evolve.

Organisations with Existing ISO 27001 or Essential Eight Programs

Already invested in ISO 27001 or Essential Eight? We'll help you leverage that work to achieve RFFR accreditation faster. RFFR builds on these frameworks, so you're further along than you might think.

Growing Organisations Pursuing Government Contracts

If you're expanding into government work, RFFR accreditation opens the door to new opportunities. We'll help you build a compliance foundation that scales with your business while meeting current requirements.

Why Work with Siege Cyber?

We Understand Australian Government Frameworks

RFFR sits within a broader Australian regulatory landscape. We understand how RFFR connects to Essential Eight, ISO 27001, the Privacy Act, and DEWR's specific requirements. We speak the language of Australian government compliance.

Practical, Risk-Based Implementation

We don't believe in security theatre. Every control we implement serves a genuine security purpose while meeting RFFR requirements. We focus on controls that protect your actual risk profile, not just checking compliance boxes.

Experience Across Multiple Frameworks

Many of our clients need to meet multiple compliance requirements simultaneously—RFFR, ISO 27001, Essential Eight, Privacy Act. We design integrated compliance programs that satisfy multiple frameworks without duplicating effort.

Technical Depth When You Need It

RFFR requires real technical controls—properly configured firewalls, effective patch management, genuine multi-factor authentication. Our team includes penetration testers and security engineers who can implement controls properly, not just document them.

Virtual CISO Capability

Don't have a Chief Information Security Officer? Our vCISO service provides ongoing security leadership to maintain RFFR compliance, respond to auditor questions, and evolve your security program as requirements change.

No Surprises, Clear Pricing

We provide fixed-price gap analysis and transparent scoping for implementation projects. You'll know exactly what achieving RFFR accreditation will cost before you commit to the full program.

Frequently Asked Questions

What's the difference between RFFR Category 1 and Category 2?

RFFR has two categories based on the volume of individuals you provide services to. Category 2 applies to organisations serving more than 2,000 individuals per annum and has more stringent requirements. Category 1 is for smaller service volumes with a proportionate compliance requirement. We help you determine your category and implement the appropriate controls.

How long does it take to achieve RFFR accreditation?

It depends on your starting point. Organisations with existing Essential Eight maturity or ISO 27001 certification can often achieve RFFR compliance in 2-3 months. Starting from scratch typically takes 4-6 months to implement controls, develop documentation, and prepare for audit. We provide a realistic timeline during the gap analysis phase.

Is RFFR the same as ISO 27001?

RFFR is built on ISO 27001 principles but isn't identical. RFFR specifically requires demonstrable Essential Eight implementation and compliance with the ASD Information Security Manual. If you already have ISO 27001 certification, you're well-positioned for RFFR—we'll help you bridge the gaps.

Do we need to achieve Essential Eight Maturity Level 3 for RFFR?

RFFR requires implementation of the Essential Eight, but the specific maturity level depends on your risk profile and category. Most organisations target Maturity Level 2 as a baseline, with Level 3 for higher-risk environments. We assess your risk profile and recommend the appropriate maturity level during our gap analysis.

Can we maintain RFFR compliance ourselves after accreditation?

Absolutely. We design compliance programs you can maintain internally. We provide training, templates, and documentation so your team can manage ongoing compliance. Many clients also engage our vCISO service for periodic reviews and audit preparation support.

What happens if we don't maintain RFFR compliance?

Loss of RFFR accreditation can result in contract termination or ineligibility for future DEWR contracts. Regular self-assessment, annual reviews, and ongoing evidence collection are essential. We help you establish monitoring processes to maintain compliance between formal assessments.

Does Siege Cyber conduct the formal RFFR audit?

No, we're consultants who help you prepare for and achieve RFFR compliance. The formal RFFR assessment is conducted by DEWR-approved auditors. We prepare you for that audit and can recommend reputable assessors when you're ready.

Get RFFR Accredited and Protect Your Government Contracts

Right Fit For Risk compliance doesn't have to be overwhelming. With the right partner, it's an achievable milestone that opens doors to government opportunities while genuinely improving your security posture.

Siege Cyber has guided employment services providers, training organisations, and government contractors through RFFR accreditation. We'll do the same for you—with clear guidance, practical implementation, and transparent pricing.