CybersecurityRegulation

RFFR ISM SoA

Right Fit for Risk Information Security Manual Statement of Applicability

The Right Fit for Risk (RFFR) Statement of Applicability (SoA) is a structured template used to document how organizations meet cyber security accreditation requirements. It outlines applicable controls, their implementation status, and provides assurance of compliance with the RFFR framework.

Overview

The RFFR Statement of Applicability (SoA) serves as a key governance document within the Australian Government’s Right Fit for Risk cyber security accreditation program. Its purpose is to demonstrate how an organization applies relevant security controls, identifies exclusions, and justifies risk-based decisions in alignment with accreditation standards. The SoA is primarily intended for service providers seeking accreditation to deliver ICT services to government agencies, ensuring transparency and accountability in their cyber security posture.

This framework applies across sectors that interact with government systems, including ICT vendors, managed service providers, and organizations handling sensitive or official information. By requiring organizations to map controls against the Information Security Manual (ISM) and other ASD guidance, the SoA ensures consistency, comparability, and confidence in cyber risk management. Ultimately, it provides government agencies with assurance that accredited providers have implemented appropriate safeguards, while also enabling providers to clearly communicate their compliance and risk management approach.

Related in Cybersecurity

CybersecurityFrameworkStandard

CCM v4.1 — Cloud Controls Matrix v4.1

The Cloud Controls Matrix (CCM) v4.1 is a cybersecurity control framework that consists of 207 controls across 17 security domains, specifically tailored for cloud security and privacy. The Consensus Assessment Initiative Questionnaire (CAIQ) accompanies the CCM, offering a set of assessment questions to evaluate security controls.

Cloud Security Alliance (CSA) • v4.1

View details
CybersecurityStandard

SOC-CMM — SOC-CMM Assessment Tool

The SOC-CMM model is a capability maturity model that can be used to perform a self-assessment of your Security Operations Center (SOC). The model is based on review conducted on literature regarding SOC setup and existing SOC models as well as literature on specific elements within a SOC. The literature analysis was then validated by questioning several Security Operations Centers in different sectors and on different maturity levels to determine which elements were actually in place. The output from the survey, combined with the initial analysis is the basis for this self-assessment. For more information regarding the scientific background and the literature used to create the SOC-CMM self-assessment tool, please refer to the thesis document as available through: https://www.soc-cmm.com/

SOC-CMM

View details
CybersecurityRegulation

EU Digital Services Act — Regulation (EU) 2022/2065 - EU Digital Services Act

The Digital Services Act (DSA) (Regulation (EU) 2022/2065) establishes a comprehensive framework for regulating online intermediary services, platforms, and marketplaces across the European Union to create a safer and more transparent digital environment. The regulation introduces obligations for online platforms to address illegal content, improve transparency in content moderation and advertising, protect users' rights, and manage systemic risks such as disinformation and harmful content. It also imposes enhanced requirements on very large online platforms and search engines, while preserving fundamental rights, consumer protection, and innovation. Overall, the DSA aims to harmonize rules across the EU and increase accountability for digital service providers operating within the Single Market.

European Union • EU

View details
CybersecurityRegulation

EU Data Act — Regulation (EU) 2023/2854 - EU Data Act

The EU Data Act (Regulation (EU) 2023/2854) establishes harmonized rules to make data generated by connected products and related digital services more accessible and usable across the European Union. It gives users of connected devices, such as IoT products, the right to access and share the data they generate with third parties, while requiring data holders to provide that data under fair, reasonable, and non-discriminatory conditions. The regulation aims to reduce barriers to data sharing, promote innovation and competition, enable easier switching between cloud and data-processing services, and support public-sector access to data in situations of exceptional need, while preserving data protection, privacy, intellectual property rights, and trade secret safeguards. Overall, the Data Act is designed to create a fairer and more competitive European data economy by empowering users and improving access to valuable data resources.

European Union • EU

View details

Ready to manage these frameworks?

6clicks maps regulations to controls, evidence and risks — automatically.

Book your strategy call