Logo Image Content

DEWR (previously DESE) Information Security Management Systems (ISMS) Scheme

The Information Security Management Systems (ISMS) scheme is a customised version of the ISO 27001 Information Security Management Systems Standard that includes additional controls from the Australian Government Information Security Manual to protect the People, Processes and IT Infrastructure.

The Department of Employment and Workplace Relations has mandated that all providers of employment skills training and disability employment services must be compliant to ISO 27001:2022 by April 2024, in order to fulfil their obligations.

As the leading provider of JAS-ANZ accredited information security certification in Australia, Intertek SAI Global’s national network of auditors combined with our industry-leading customer service team ensures your success in meeting your contractual obligations.

Reach out to book in a gap analysis to ensure you are still compliant post the April 2024 Deadline

Find Out More

Three Key Considerations to be Successful in your DEWR ISMS Scheme Certification

Watch our video to learn what 3 key considerations you need to take to be successful in your DEWR ISMS Scheme Audit.

Watch Now

DEWR ISMS Scheme FAQ

What is the DEWR ISMS Scheme, What is the audit process and How do I prepare? Get the answers to the most frequently asked DESE ISMS Scheme questions.

Read Now

The Benefits of Certifying to the DEWR Information Security Management Systems (ISMS) Scheme

Some of the key benefits to organisations that certify to the DEWR ISMS Scheme include; continual fulfilment of obligations to provide services, focus on meeting and exceeding customer expectations for secured information, and minimising risks of breaches and exposure of your organisation.

Meet Contractual Requirements

Whether you’re looking to continue meeting contractual obligations with the Department of Education, Skills and Employment, or seeking new market opportunities, or remain competitive in the market, being certified to the ISMS Scheme can help you get there.

Demonstrate Customer Commitment

The ISMS Scheme provides a comprehensive list of controls needed to protect sensitive information by focussing on people, processes and IT Infrastructure. Certifying these controls demonstrates your ongoing commitment to protecting customer information.

Improve Risk Management Process

Detailed controls from the Australian Government Information Security Manual combined with a customised information security management system based on ISO 27001, ensure organisations are compliant with best practices in cybersecurity.

What is the DEWR Information Security Management Systems Scheme?

The scope of this regulatory scheme is to meet the Department of Employment and Workplace Relations for providers’ Information Security Management Systems.

The DESE Information Security Management Scheme customises the baseline requirements of ISO/IEC 27001:2022 Information Security Management Systems Standard, with additional controls set by the Australian Governments’ Information Security Manual (ISM).

Organisations seeking certification must prepare a Statement of Applicability, which is the central document in your Information Security Management System.

The scheme requires Organisations to be compliant with the latest controls, up to 3 months before their audit date to ensure they can effectively preserve the confidentiality, integrity and availability of information.
What is an Information Security Management System?

The DEWR Information Security Management Systems Scheme documents reference the need to maintain an Information Security Management System (ISMS).

 

An ISMS based on ISO 27001:2022 is a structured and systematic approach to protecting the confidentiality, availability and integrity of information. It does this through risk management processes comprising of the organisational structure, people, policies, processes and IT Systems.

 

It is important that your ISMS is an integrated part of your organisation’s processes to ensure ongoing compliance and to provide stakeholder confidence.

Preparing a Statement of Applicability

The Statement of Applicability (SOA) is a central document that defines how your organisation has implemented information security. It connects your risk assessment, risk treatments and implementation of the controls.

 

While it is not mandatory to submit your organisations scoping document and SOA, it is recommended you share it with your Certification Body and the Department to ensure it meets your requirements and the Departments’.

 

Organisations should prepare their SOA by listing all the controls from the Australian Governments Information Security Manual and determine whether they are applicable, why it has been done, which risk or business requirement drives it, and how it will be implemented.

Preparing for the DESE Information Security Management Systems Audit

To ensure successful outcomes from your DEWR Information Security Management Systems audit, you must prepare your systems, documentation and people.

 

Organisations should review the scheme requirements and ensure they are implemented correctly, including reviewing all the Australian Governments’ Information Security Manual (ISM) controls and determining whether they are suitable.

 

Organisations will need to ensure all documentation is ready and accessible. You will need to provide your Certification Body with:

  • Cybersecurity strategy: how the system fulfils requirements of the RFFR
  • System security plan: system description including implemented controls
  • Incident response plan: a plan to respond appropriately to an incident situation
  • Continuous monitoring plan: identify, prioritise and respond to security vulnerabilities
  • Self-assessment: determine gaps between your system and scheme requirements
  • Annual average of end-users serviced

Organisations will also need to communicate with employees and prepare appropriate personnel who will be interviewed during the audit.

How to Certify to the DEWR Information Security Management Systems Scheme

The path to certification can be complex, so we’ve simplified it for you by outlining the key steps to take below.

Start
Undertake training and implement the standard.
More Information
Getting Started

Undertake training (optional)

Intertek SAI Global Assurance has an extensive selection of training courses designed to help you understand, implement, assess or improve your information security management system. Build your knowledge and skills with our world-class trainers.

Implement the Scheme

Apply the scheme requirements within your business. It is critical you have management and resource commitment to be successful. Organisations can also choose to hire consultants to assist in implementing the controls.

Apply
Contact Intertek SAI Global, book your audit date, do a gap analysis or self-evaluation.
More Information
How to Apply for Certification

Contact SAI Global

Contact Intertek SAI Global’s dedicated sales team to discuss your requirements, timeframes, costs and receive a formal proposal.

Accept proposal and book audit dates

An Intertek SAI Global scheduler will contact you to book in your Stage 1 Audit.

Self-evaluation (gap analysis)

Priori to your Stage 1 Audit, you will need to complete a Gap Analysis or self-evaluation questionnaire and pass it back to SAI Global.

Certification
Stage 1 Audit, Stage 2 Audit and Submission & Application
More Information
Certification

Stage 1 audit – readiness review required for each site

The Stage 1 Audit provides the organisation opportunity to identify and discuss areas for improvement and address queries regarding the process. The auditor reviews your reference documents and preparedness to ensure the management system meets the requirements of the standard.

Stage 2 audit – certification audit and registration

A detailed, full system assessment verifies that the requirements of the standard are fully implemented and effectively complied with.

Submission and application

Upon certification, display the relevant ‘Five Ticks’ logo.

Maintenance
Surveillance audits, re-certification audit and organisational development.
More Information
Maintenance

Surveillance audits

A Surveillance Audit is conducted between major certification stages to ensure you are maintaining expected performance (generally annually).

Recertification audit

Upon anniversary of your certification a comprehensive audit process is required to re-certify (generally every 3 years).

Organization development

Equip your team with the tools to understand and critically improve processes and systems. Establish a training and development plan and commit to building your people capability and organizational knowledge.

Create Business Opportunity
Compete for tenders, optimise your sales and shareholder/stakeholder awareness.
More Information
Maximising Your Certification

Compete for Tenders

Meeting the DESE ISMS Scheme requirements allows you to participate in business opportunities with the Department.

Sales enablement 

Ensure your team are equipped to communicate your success.

Shareholder and stakeholder awareness

Visibility in board reports, press releases, articles and general communication to stakeholders.

Find out more about DESE/DEWR Right Fit For Risk Cyber Security Accreditation

Find Out More

Client Testimonials

Our clients pick us because they know we’re a trusted partner.

[The Auditor] put forth an outstanding effort to assist the organisation during the Stage 1 and Stage 2 assessments to achieve the end goal of obtaining certification to the 27001 standards, raising awareness and offering suggestions for enhancing our ISMS. We greatly appreciate [the Auditor’s] efforts and look forward to our continued partnership with Intertek SAI Global.
Wayne M, Computer Systems Analyst

Frequently Asked Questions

Explore some of the most frequently asked questions relating to certification to the DESE ISMS Scheme.
How long does the process take?

The time taken to go through the certification process will depend on your level of preparedness. This covers the development and implementation of the management system required by ISO27001 as well as the implementation of the controls that have been identified in the Statement of Applicability.

Experience has shown that the timeframe could be anywhere from 3 to 12 months.

Can I get an extension to scope with my existing ISO 27001 Certification?

Yes, if you are already certified to ISO27001 there is an expedited process, offering expedited Stage 1 and Stage 2 audits that include the following activities:

  1. Confirming the current certification
  2. Comparing current controls to those required by the DESE ISMS in force at the time
  3. Providing a written estimate of the gap between your current certified ISMS and that which is required to attain certification under the DESE ISMS Scheme
Why is it so much longer than other audits?

DESE ISMS Scheme audits are longer than ISO27001 audits due to the large number of additional ISM controls that are required to be audited.

I have done IRAP, does this mean I’m ready for RFFR?

If you have completed an IRAP assessment you still need to comply to all DEWR ISMS Scheme processes.

The identification of risks and implementation of controls should have been addressed under IRAP, however IRAP does not address many of the management system aspects of ISO27001. An IRAP assessment should have ensured that the required controls are already identified and implemented.

Can I include all my business in this audit, not just my employment program?

No – the scope of the certification can’t include other business activities – The DESE ISMS Scheme is a standalone certification, particularly for contracted employment service providers. A separate ISO27001 certification can be linked with the DESE ISMS certification. This should be discussed with your SAI Global representative to ensure that the appropriate scope is determined.

Are You Ready To Take The Next Step to Certification?

Request a callback from one of our certification experts to have a no-obligation discussion around getting certified to the DEWR ISS Scheme with SAI Global.
Contact Us

ISO 27001 Training Courses

As a leading provider of education and training, SAI Global Assurance Learning offers a wide range of training courses to help you learn, plan, implement, assess and improve your management system. Explore some of the courses below.

Lead Auditor ISMS ISO/IEC 27001:2022

Receive concentrated and comprehensive training in the theory and practice of auditing Information Security Management Systems (ISMS) based on ISO/IEC 27001:2022

Auditing an ISMS ISO/IEC 27001:2022

This two day advanced course develops the skills needed to perform effective internal/external audits against the ISO/IEC 27001:2022 Information Security Management Systems standard.

Foundation and Implementing an ISMS ISO/IEC 27001:2022

This 3 day advanced course provides an opportunity to learn the necessary skills to develop, implement and monitor an Information Security Management System within your organisation.

ISO/IEC 27001:2022 Foundation

Dispel the mystery surrounding the terminology of the internationally recognised ISO/IEC 27001:2022 Standard, providing a sure foundation for your information security management system.

View all courses

ISO 27001 News and Resources

Explore our free news and resources related to the ISO 27001 Information Security Management System standard.
ISO 27001: A Risk Based Approach to Cyber Security
News & Resources Information Security Risk-Based Thinking
According to a recent SAI Global survey, more than 55% of respondents don’t realise that they’re vulnerable to cyber security attacks. Hackers really have the advantage here – it’s all they do – attacking every 39 seconds, which is on average, 2,244 times a day.
Read More
An 8 Step Plan to Strengthen Your Cybersecurity Strategy with ISO 27001
News & Resources Information Security
An ISO 27001 Information Security Management System enables organisations to preserve the confidentiality, integrity and availability of information
Read More
Cyber Security Is More Than a Compliance Requirement, It’s Your Business’ Reputation
News & Resources Information Security
The rapid spread of digital technology is enabling organisations to quickly roll out new products and services to meet shifting customer demands.
Read More