Logo Image Content

DEWR (previously DESE) Information Security Management Systems (ISMS) Scheme

The Information Security Management Systems (ISMS) scheme is a customised version of the ISO 27001 Information Security Management Systems Standard that includes additional controls from the Australian Government Information Security Manual to protect the People, Processes and IT Infrastructure.

The Department of Employment and Workplace Relations has mandated that all providers of employment skills training and disability employment services must be compliant to ISO 27001:2022 by April 2024, in order to fulfil their obligations.

As the leading provider of JAS-ANZ accredited information security certification in Australia, Intertek SAI Global’s national network of auditors combined with our industry-leading customer service team ensures your success in meeting your contractual obligations.

Reach out to book in a gap analysis to ensure you are still compliant post the April 2024 Deadline

Three Key Considerations to be Successful in your DEWR ISMS Scheme Certification

Watch our video to learn what 3 key considerations you need to take to be successful in your DEWR ISMS Scheme Audit.

Watch Now


What is the DEWR ISMS Scheme, What is the audit process and How do I prepare? Get the answers to the most frequently asked DESE ISMS Scheme questions.

Read Now

The Benefits of Certifying to the DEWR Information Security Management Systems (ISMS) Scheme

Some of the key benefits to organisations that certify to the DEWR ISMS Scheme include; continual fulfilment of obligations to provide services, focus on meeting and exceeding customer expectations for secured information, and minimising risks of breaches and exposure of your organisation.

Meet Contractual Requirements

Whether you’re looking to continue meeting contractual obligations with the Department of Education, Skills and Employment, or seeking new market opportunities, or remain competitive in the market, being certified to the ISMS Scheme can help you get there.

Demonstrate Customer Commitment

The ISMS Scheme provides a comprehensive list of controls needed to protect sensitive information by focussing on people, processes and IT Infrastructure. Certifying these controls demonstrates your ongoing commitment to protecting customer information.

Improve Risk Management Process

Detailed controls from the Australian Government Information Security Manual combined with a customised information security management system based on ISO 27001, ensure organisations are compliant with best practices in cybersecurity.

What is the DEWR Information Security Management Systems Scheme?

The scope of this regulatory scheme is to meet the Department of Employment and Workplace Relations for providers’ Information Security Management Systems.

The DESE Information Security Management Scheme customises the baseline requirements of ISO/IEC 27001:2022 Information Security Management Systems Standard, with additional controls set by the Australian Governments’ Information Security Manual (ISM).

Organisations seeking certification must prepare a Statement of Applicability, which is the central document in your Information Security Management System.

The scheme requires Organisations to be compliant with the latest controls, up to 3 months before their audit date to ensure they can effectively preserve the confidentiality, integrity and availability of information.
What is an Information Security Management System?

The DEWR Information Security Management Systems Scheme documents reference the need to maintain an Information Security Management System (ISMS).


An ISMS based on ISO 27001:2022 is a structured and systematic approach to protecting the confidentiality, availability and integrity of information. It does this through risk management processes comprising of the organisational structure, people, policies, processes and IT Systems.


It is important that your ISMS is an integrated part of your organisation’s processes to ensure ongoing compliance and to provide stakeholder confidence.

Preparing a Statement of Applicability

The Statement of Applicability (SOA) is a central document that defines how your organisation has implemented information security. It connects your risk assessment, risk treatments and implementation of the controls.


While it is not mandatory to submit your organisations scoping document and SOA, it is recommended you share it with your Certification Body and the Department to ensure it meets your requirements and the Departments’.


Organisations should prepare their SOA by listing all the controls from the Australian Governments Information Security Manual and determine whether they are applicable, why it has been done, which risk or business requirement drives it, and how it will be implemented.

Preparing for the DESE Information Security Management Systems Audit

To ensure successful outcomes from your DEWR Information Security Management Systems audit, you must prepare your systems, documentation and people.


Organisations should review the scheme requirements and ensure they are implemented correctly, including reviewing all the Australian Governments’ Information Security Manual (ISM) controls and determining whether they are suitable.


Organisations will need to ensure all documentation is ready and accessible. You will need to provide your Certification Body with:

  • Cybersecurity strategy: how the system fulfils requirements of the RFFR
  • System security plan: system description including implemented controls
  • Incident response plan: a plan to respond appropriately to an incident situation
  • Continuous monitoring plan: identify, prioritise and respond to security vulnerabilities
  • Self-assessment: determine gaps between your system and scheme requirements
  • Annual average of end-users serviced

Organisations will also need to communicate with employees and prepare appropriate personnel who will be interviewed during the audit.

How to Certify to the DEWR Information Security Management Systems Scheme

The path to certification can be complex, so we’ve simplified it for you by outlining the key steps to take below.

Undertake training and implement the standard.
Contact Intertek SAI Global, book your audit date, do a gap analysis or self-evaluation.
Stage 1 Audit, Stage 2 Audit and Submission & Application
Surveillance audits, re-certification audit and organisational development.
Create Business Opportunity
Compete for tenders, optimise your sales and shareholder/stakeholder awareness.

Find out more about DESE/DEWR Right Fit For Risk Cyber Security Accreditation

Client Testimonials

Our clients pick us because they know we’re a trusted partner.

[The Auditor] put forth an outstanding effort to assist the organisation during the Stage 1 and Stage 2 assessments to achieve the end goal of obtaining certification to the 27001 standards, raising awareness and offering suggestions for enhancing our ISMS. We greatly appreciate [the Auditor’s] efforts and look forward to our continued partnership with Intertek SAI Global.

Wayne M, Computer Systems Analyst

Frequently Asked Questions

Explore some of the most frequently asked questions relating to certification to the DESE ISMS Scheme.
How long does the process take?

The time taken to go through the certification process will depend on your level of preparedness. This covers the development and implementation of the management system required by ISO27001 as well as the implementation of the controls that have been identified in the Statement of Applicability.

Experience has shown that the timeframe could be anywhere from 3 to 12 months.

Can I get an extension to scope with my existing ISO 27001 Certification?

Yes, if you are already certified to ISO27001 there is an expedited process, offering expedited Stage 1 and Stage 2 audits that include the following activities:

  1. Confirming the current certification
  2. Comparing current controls to those required by the DESE ISMS in force at the time
  3. Providing a written estimate of the gap between your current certified ISMS and that which is required to attain certification under the DESE ISMS Scheme
Why is it so much longer than other audits?

DESE ISMS Scheme audits are longer than ISO27001 audits due to the large number of additional ISM controls that are required to be audited.

I have done IRAP, does this mean I’m ready for RFFR?

If you have completed an IRAP assessment you still need to comply to all DEWR ISMS Scheme processes.

The identification of risks and implementation of controls should have been addressed under IRAP, however IRAP does not address many of the management system aspects of ISO27001. An IRAP assessment should have ensured that the required controls are already identified and implemented.

Can I include all my business in this audit, not just my employment program?

No – the scope of the certification can’t include other business activities – The DESE ISMS Scheme is a standalone certification, particularly for contracted employment service providers. A separate ISO27001 certification can be linked with the DESE ISMS certification. This should be discussed with your SAI Global representative to ensure that the appropriate scope is determined.

Are You Ready To Take The Next Step to Certification?

Request a callback from one of our certification experts to have a no-obligation discussion around getting certified to the DEWR ISS Scheme with SAI Global.