RFFR ISM SoA (Cybersecurity Regulation)

Right Fit for Risk Information Security Manual Statement of Applicability

The Right Fit for Risk (RFFR) Statement of Applicability (SoA) is a structured template in which an organization records how it meets the cyber security requirements of RFFR accreditation. For each control it lists whether the control applies, its implementation status, and the justification for any exclusion, so that the completed document gives the accrediting agency evidence of compliance with the RFFR framework.

Overview

The RFFR Statement of Applicability (SoA) is a key governance document within the Australian Government's Right Fit for Risk cyber security accreditation program. Its purpose is to show which security controls an organization applies, which it excludes, and the risk-based reasoning behind those decisions, in alignment with the accreditation standards. The SoA is primarily intended for service providers seeking RFFR accreditation to deliver services to, or on behalf of, government agencies, and it makes their cyber security posture transparent and accountable to the agencies they serve.

RFFR accreditation applies to organizations that interact with government systems, including ICT vendors, managed service providers, and organizations handling sensitive or official information. Because the SoA requires each organization to map its controls against the Information Security Manual (ISM) and other ASD guidance, the statements produced by different providers are consistent and comparable, which gives assessors confidence in the provider's cyber risk management. The result is assurance for government agencies that accredited providers have implemented appropriate safeguards, and a clear, standard way for providers to communicate their compliance and risk management approach.

Related in Cybersecurity

ISM CCM — Information Security Manual Cloud Controls Matrix Template (Cybersecurity Standard)

The Cloud Controls Matrix (CCM) Template is a structured document in which a cloud service provider records, control by control, how the ISM's security controls are implemented for its cloud services. It lets organizations assess, implement, and demonstrate effective cloud security practices across diverse environments and gives customers and assessors a consistent view of the provider's control coverage.

Australian Government • Australia • version June 2026
ISM SSP — Information Security Manual System Security Plan Annex Template (Cybersecurity Regulation)

The System Security Plan (SSP) Annex Template is a structured document that captures, for each ISM control, detailed information about how an organization has implemented it on a specific system. It supports accreditation processes by providing evidence of compliance, risk management, and system-specific security measures.

Australian Government • Australia • version June 2026
ISM — Information Security Manual (Cybersecurity Regulation)

The Australian Information Security Manual (ISM) is the nationally recognized cyber security framework published by the Australian Signals Directorate. It gives organizations structured guidance, expressed as principles and controls, for protecting information technology and operational technology systems against evolving cyber threats.

Australian Government • Australia • version June 2026
NIPG — National Identity Proofing Guidelines 2025 (Cybersecurity Standard)

The National Identity Proofing Guidelines 2025 provide voluntary, risk-based best-practice guidance for verifying an individual's identity. They are aligned with the Digital ID Accreditation Rules to promote consistency across physical and digital identity verification processes. The guidelines help organizations strengthen their identity-proofing practices, increase trust through a standardized and transparent approach, and move more identity verification online. By using national identity verification services instead of retaining copies of identity documents, organizations can lower costs, improve privacy, reduce the impact of a data breach, and better protect against identity fraud.

Australian Government • Australia
