Pathway to Accreditation Update
During 2016 Jobs Australia provided support to members required to achieve IRAP accreditation. We used our combined buying power to get a much better price and level of service than would have been possible by members going it alone.
The IRAP service consisted of a series of webinars and online resources provided by Intact Security. Martin Quinn, who is an accredited IRAP assessor, undertook the audit of members’ progress to help them achieve the necessary Pathway to Accreditation. To date, we have received a lot of positive feedback on the approach taken by Jobs Australia and Intact Security.
While we support the expectation that all organisations that handle sensitive data do so with the strictest of controls to protect both themselves and their clients, we recognise that the existing ‘one size fits all’ approach isn’t necessarily effective.
The level of resources required by some organisations to achieve the necessary standards set by the Department has been significant. Therefore, we are pleased that towards the end of 2017 the Department started a review of their approach and is now recognising that the level of sophistication required by small to medium sized providers isn’t necessarily the same as very large providers.
What does this review mean for jobactive providers?
Any providers that are about to start their SOA 1 should know that this does not require the Security Assessment to be completed by an IRAP Security Assessor. While in the past the Department has advised providers that an IT security consultant could be useful for this, they are now advising against it, because it is unlikely that any external costs incurred by providers for SOA/Phase 1 will meaningfully assist them with meeting future accreditation requirements.
As a result, they are advising providers that SOA/Phase 1 should be completed in-house, and to do it on a ‘best effort’ basis.
Jobactive providers currently completing their SOA/Phase 2 assessments will need to stick to the current deadlines set by the Department, and if the assessments will not be completed in time, they should be speaking with the Department now to arrange an extension.
The arrangements for ParentsNext, TTW and EST may change. The Department has said that they will inform providers of the specific details and we will continue to monitor this.
What is our ‘best guess’ as to what the Pathway to Accreditation might look like?
We are expecting a gradual transition to an “ISO 27001 style approach” that will be friendlier to small and medium providers.
It is likely that the Department will set up different pathways or expectations based on the size of the provider and the complexity of their IT environments.
An example of this might be that smaller providers (those with a lower case load and lower levels of IT complexity/risk) might not even have to adhere to an ISO-style approach, but would instead be required to undertake a desktop audit to ensure they have the necessary controls in place.
Medium-sized providers would be subject to a more controls-focused approach, and the larger providers would likely have to reach a specific level of accreditation.
For DES providers under the new Deed starting in July, Jobs Australia has been advised that more direction will be provided in March or April. New or smaller providers may not need to undertake the full process. We will keep you updated on developments.