The Victorian Chamber undertook a whole-of-organisation assessment of our information security over a 12-month period. We have always been focused on protecting the data entrusted to us by our customers and members and we now have a certification to prove our commitment.

The compliance forms part of an assessment requested by the Federal Department of Employment and Workplace Relations (DEWR) involving a program named Right Fit for Risk (RFFR).

Under the RFFR program, the Victorian Chamber had to prove compliance to the ISO27001 clauses and the full suite of ‘Annex A’ controls, 114 in total, all of which were mandatory. RFFR required that the Chamber assess our compliance to the ‘OFFICIAL’ controls within the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) involving more than 700 controls that needed to be assessed, implemented and independently audited.

The program involved five weeks of onsite audit days examining every control and evidence with an external auditor. No major non-conformances were identified (any major non-conformances found across the 800 controls can result in certification failure). This was a whole-of-organisation initiative involving every department which, for a business the size of the Victorian Chamber, was a significant investment.

Your information was already safe

The Victorian Chamber was pleased to discover throughout the journey that the controls already in place either met or exceeded the RFFR program. These including independent security assessments, staff onboarding/offboarding, staff cyber security training, multi-factor authentication, password strength, patching, encryption at rest and in transit, endpoint protection and email filtering.

What we needed to uplift

Due to the Victorian Chamber’s previous investment in cybersecurity, most of the effort required providing evidence and improving documentation. Specifically, our uplifting efforts were focused on creating/improving documentation, vendor risk assessments, security incident response plans, asset management, information classification and retiring legacy systems.

Better for us, better for our members

Victorian Chamber Executive Director Information, Communications and Technology Glenn Goodwin said: “We are delighted to have gained certification. The program was rigorous, involving a whole-of-organisation effort, and was ultimately fulfilling in providing oversight to the Victorian Chamber’s information security maturity.

“We were fortunate to have a board that was keenly engaged and invested in the initiative and that allowed us to focus attention throughout the entire organisation. Undertaking this journey has provided us insight into the advantages and challenges of cybersecurity and information security, increasing our ability to represent our members on these subjects.

“We will not rest on our current level of compliance and will continue looking for mechanisms to uplift and keep our customer and member data safe.”

To maintain the accreditation, internal audits and annual independent compliance audits are required to ensure that the Victorian Chamber remains up to date within six months of the latest Information Security Manual (ISM).

More information

The Victorian Chamber has further information that details our compliance. This can be found on our Trust Centre page.