DESE Information Security Management Systems (ISMS) Scheme
The Information Security Management Systems (ISMS) scheme is a customised version of the ISO 27001 Information Security Management Systems Standard that includes additional controls from the Australian Government Information Security Manual to protect the People, Processes and IT Infrastructure.
As the leading provider of JAS-ANZ accredited information security certification in Australia, SAI Global’s national network of auditors combined with our industry-leading customer service team ensures your success in meeting your contractual obligations.
Three Key Considerations to be Successful in your DESE ISMS Scheme Certification
Watch our video to learn what 3 key considerations you need to take to be successful in your DESE ISMS Scheme Audit.
DESE ISMS Scheme FAQ
What is the DESE ISMS Scheme, what is the audit process and how do I prepare? Get the answers to the most frequently asked DESE ISMS Scheme questions.
The Benefits of Certifying to the DESE Information Security Management Systems (ISMS) Scheme
Meet Contractual Requirements
Demonstrate Customer Commitment
Improve Risk Management Process
What is the DESE Information Security Management Systems Scheme?
The scope of this regulatory scheme is to meet the Department of Education, Skills and Employment requirements for providers’ Information Security Management Systems.
Organisations seeking certification must prepare a Statement of Applicability, which is the central document in your Information Security Management System.
The scheme requires Organisations to be compliant with the latest controls, up to 3 months before their audit date to ensure they can effectively preserve the confidentiality, integrity and availability of information.
The DESE Information Security Management Systems Scheme documents reference the need to maintain an Information Security Management System (ISMS).
An ISMS based on ISO 27001 is a structured and systematic approach to protecting the confidentiality, availability and integrity of information. It does this through risk management processes comprising the organisational structure, people, policies, processes and IT systems.
It is important that your ISMS is an integrated part of your organisation’s processes to ensure ongoing compliance and to provide stakeholder confidence.
The Statement of Applicability (SOA) is a central document that defines how your organisation has implemented information security. It connects your risk assessment, risk treatments and implementation of the controls.
While it is not mandatory to submit your organisation's scoping document and SOA, it is recommended that you share them with your Certification Body and the Department to ensure they meet both your requirements and the Department's.
Organisations should prepare their SOA by listing all the controls from the Australian Government's Information Security Manual and, for each control, determining whether it is applicable, why that decision was made, which risk or business requirement drives it, and how it will be implemented.
To ensure successful outcomes from your DESE Information Security Management Systems audit, you must prepare your systems, documentation and people.
Organisations should review the scheme requirements and ensure they are implemented correctly, including reviewing all the Australian Government's Information Security Manual (ISM) controls and determining whether they are suitable.
Organisations will need to ensure all documentation is ready and accessible. You will need to provide your Certification Body with:
- Cybersecurity strategy: how the system fulfils requirements of the RFFR
- System security plan: system description including implemented controls
- Incident response plan: a plan to respond appropriately to an incident situation
- Continuous monitoring plan: identify, prioritise and respond to security vulnerabilities
- Self-assessment: determine gaps between your system and scheme requirements
- Annual average of end-users serviced
Organisations will also need to communicate with employees and prepare appropriate personnel who will be interviewed during the audit.
Our clients pick us because they know we’re a trusted partner.
[The Auditor] put forth an outstanding effort to assist the organization during the Stage 1 and Stage 2 assessments to achieve the end goal of obtaining certification to the 27000 standards, raising awareness and offering suggestions for enhancing our ISMS. We greatly appreciate [the Auditor's] efforts and look forward to our continued partnership with SAI Global.
Wayne M, Computer Systems Analyst
Frequently Asked Questions
The time taken to go through the certification process will depend on your level of preparedness. This covers the development and implementation of the management system required by ISO27001 as well as the implementation of the controls that have been identified in the Statement of Applicability.
Experience has shown that the timeframe could be anywhere from 3 to 12 months.
Yes. If you are already certified to ISO27001 there is an expedited process, with shortened Stage 1 and Stage 2 audits that include the following activities:
- Confirming the current certification
- Comparing current controls to those required by the DESE ISMS in force at the time
- Providing a written estimate of the gap between your current certified ISMS and that which is required to attain certification under the DESE ISMS Scheme
DESE ISMS Scheme audits are longer than ISO27001 audits due to the large number of additional ISM controls that are required to be audited.
If you have completed an IRAP assessment you still need to comply with all DESE ISMS Scheme processes.
The identification of risks and implementation of controls should have been addressed under IRAP, however IRAP does not address many of the management system aspects of ISO27001. An IRAP assessment should have ensured that the required controls are already identified and implemented.
No. The scope of the certification cannot include other business activities: the DESE ISMS Scheme is a standalone certification, specifically for contracted employment service providers. A separate ISO27001 certification can be linked with the DESE ISMS certification. This should be discussed with your SAI Global representative to ensure that the appropriate scope is determined.
Are You Ready To Take The Next Step to Certification?
ISO 27001 Training Courses
As a leading provider of education and training, SAI Global Assurance Learning offers a wide range of training courses to help you learn, plan, implement, assess and improve your management system. Explore some of the courses below.
Lead Auditor ISMS ISO/IEC 27001:2013
Receive concentrated and comprehensive training in the theory and practice of auditing Information Security Management Systems (ISMS) based on ISO/IEC 27001:2013.
Auditing an ISMS ISO/IEC 27001:2013
This two-day advanced course develops the skills needed to perform effective internal/external audits against the ISO/IEC 27001:2013 Information Security Management Systems standard.
Foundation and Implementing an ISMS ISO/IEC 27001:2013
This three-day advanced course provides an opportunity to learn the necessary skills to develop, implement and monitor an Information Security Management System within your organisation.