Compliance · RTOs and training organisations

Compliance pressure on registered training organisations.

Student records, USI handling, ASQA audits, cyber-insurance renewals that have started asking harder questions every year. The compliance burden on an RTO has quietly doubled since 2020, without a proportional staff increase at most of the RTOs we work with.

Live right now · RTOs and training organisations

What's hitting RTOs and training organisations right now.

Active regulatory pressures we're already working through with clients in your sector. Each card links to the detailed guide.

2025 Standards for RTOs

In force since 1 July 2025

Replaced the 2015 Standards on 1 July 2025. Tighter information-management, recordkeeping, and evidence-integrity expectations the RTO IT environment has to operate against under audit.

Read the full guide

What's being asked of you · RTOs and training organisations

The compliance landscape for RTOs and training organisations in 2026.

The 2025 Standards for RTOs have moved governance obligations from policy-document territory into operational territory. The Standard 8 governance domain expects an RTO to demonstrate, with evidence, that its information management, records retention, identity and access controls, and information-asset risk handling are working as documented. ASQA auditors under the new framework are asking to see the controls in operation, not just the policy that describes them.

Underneath the ASQA work sits the Privacy Act, which applies to student data the way it applies to any sensitive personal information; the Notifiable Data Breaches scheme, which means a student-record breach is not a private matter; the Unique Student Identifier handling rules; and AVETMISS submission security. RTOs delivering online or hybrid pick up additional surface area through the LMS, the proctoring stack, and any third-party integrations they rely on.

Cyber-insurance questionnaires for RTOs have moved past the polite phase. Insurers now ask for evidence of MFA coverage, patch cycles, offboarding discipline, backup testing, and incident-response readiness. An RTO unable to evidence the controls is increasingly seeing renewal terms harden or coverage decline outright.

What we do · compliance practice

What CCP does for RTOs and training organisations on compliance.

What we do for an RTO runs alongside the 2025 Standards for RTOs rather than inside them. The records in scope are student records, unique student identifier handling, assessor credentials, and trainer currency evidence. The IT stack underneath holds most of this, and ASQA auditors under the 2025 framework increasingly ask to see how the records are stored, who can access them, and what happens when a trainer leaves.

Practically, this looks like identity management that matches the RTO's organisational chart, retention rules that hold student records for the legally required periods without dragging every record forever, and backup discipline that an auditor can verify. For RTOs delivering online or hybrid, we extend the same controls to the LMS, the assessor portals, and any third-party proctoring or integration the RTO relies on.

The engagement cycle is continuous, not audit-driven. Gap analysis against the Standards and the funder obligations the RTO holds, monitoring across student-records systems and the LMS, remediation when the monitoring surfaces a drift, evidence pipelines that produce the report an ASQA auditor or a state training authority expects. The work that turns the next audit into a confirmation rather than a discovery.

We do not write your training and assessment strategies, your validation reports, or your compliance documentation. We make sure the IT environment behind that documentation can substantiate it under audit. The 2025 Standards expect outcomes the IT environment has to actually deliver; we configure the systems so the documentation and the operational reality match.

The tools and the role · what we bring

The five capabilities most RTOs and training organisations need at the same time, and almost never have running together internally.

Compliance frameworks have converged on roughly the same set of operational expectations. These are the five we run as a service so the framework cycle is a continuing operation rather than an annual scramble.

  • SIEM and continuous monitoring

    Log aggregation across your devices, identity, network and cloud services with the alerting that surfaces something unusual while it is still recoverable. The answer to 'are we under attack right now' rather than 'were we under attack last quarter'.

  • Application control

    Allowlisting that prevents unauthorised executables from running on managed devices. One of the highest-impact Essential Eight controls and one of the hardest for in-house IT to operate without breaking the business. We run it as a service, including the day-to-day exception handling.

  • Vulnerability scanning AND remediation

    Most providers run a scanner and email you a list. We run the scanner and do the labour-intensive remediation work that actually closes the vulnerabilities inside the thirty-day window most frameworks expect. Scanning without remediation is a list of known problems with no closure.

  • Cybersecurity awareness training

    Annual training your staff actually complete, phishing simulations that escalate rather than scold, and the completion reporting your compliance officer can show to an auditor or insurer. The training is a compliance artefact and a real behaviour-change tool, not a tick-box.

  • vCIO function

    Strategic IT advice, framework gap analysis, board-level reporting, risk register maintenance, vendor management oversight. The compliance-aligned strategic role most firms our size cannot resource internally. See /services/vcio/ for the standalone offering.

    More on the vCIO offering

The risk that matters · for RTOs and training organisations

The compliance risk that actually breaks things.

The risk we have seen catch RTOs out is a confident answer to an ASQA audit or insurer questionnaire that referenced a policy document rather than an operational control. The auditor or insurer accepted it at the time; the breach event eighteen months later asks for proof that the control was in operation in the relevant period, and the proof has to come from logs and records that were never configured to be retained. The audit finding or the claim refusal that follows is the cost of the gap. Designing the operational evidence in from the start avoids the recovery cost downstream.

Where it fits · managed IT engagement

Where this sits inside a managed-IT engagement.

The Client Security Baseline is the floor for every CCP client, including RTOs. ASQA audit-adjacent overlays (retention schedules for student records, trainer credential tracking, access-review discipline) layer on top. Where the RTO holds funding-body obligations beyond ASQA (state training authorities, TAFE partnerships, federal funding programs), we handle those per engagement.

Compliance is an overlay against the baseline, not a separate product. The Managed IT + Compliance plan exists for RTOs with continuing ASQA exposure and active state-funded scope. RTOs with simpler obligation surfaces can run the baseline plan and add specific overlays where the funder or insurer requires them.

What we do not do: the training-product work, the assessment validation, the trainer currency assessment, or the AVETMISS data quality review. Those stay with the RTO's compliance team and its training-and-assessment leads. We provide the IT and evidence machinery the audit conversation relies on, alongside the people who own the training substance.

Common questions · RTOs and training organisations

The framework questions RTOs and training organisations ask us first.

  • Can you help us meet the 2025 Standards for RTOs (Standard 8 governance)?

    Yes. Standard 8's information-management expectations land directly in IT: identity and access management, records retention, information-asset risk assessment, and the audit evidence the regulator now expects to see in operation. We configure the systems and the evidence pipeline so the Standard 8 work moves from policy to demonstrable practice.
  • What about Privacy Act and student-records obligations?

    Student records are personal information under the Privacy Act, and depending on the data held (health information, criminal-record information, government-funded course participation) may include sensitive information. We configure the systems holding that data with access controls, retention schedules, and breach-readiness that align with the APPs and the Notifiable Data Breaches scheme.
  • Can you help us prepare for an ASQA audit?

    We help with the IT-and-evidence side: the access-control register, the retention-schedule documentation, the backup-restore test logs, the offboarding records, the cyber-security control inventory. The training-product side (assessment validation, trainer currency evidence, AVETMISS data quality) stays with the RTO's compliance team; we make sure the IT they depend on can substantiate the claims.
  • Do you handle USI processing and student-records retention?

    Yes. USI verification, capture, and storage all sit on top of the same identity and document-management discipline we operate for client data generally. Retention rules for student records (which vary by funding stream and qualification type) get configured into the document-management system so records are held for the legally required period without dragging every record indefinitely.
  • What about AVETMISS submission security?

    AVETMISS submissions move data between the RTO and the state training authority or NCVER. We configure the submission process with the same access, logging, and validation discipline as other client-data flows, including evidence retention for the submission itself in case a state authority queries the data quality.
  • Can you help with state training authority requirements?

    RTOs delivering state-funded training carry additional security and reporting expectations from the relevant state training authority. We map the specific obligations (they vary between states) and build the additional controls and evidence the state-funded scope requires.
  • What about cyber-insurance renewals that ask harder questions every year?

    We treat the insurance renewal as a formal evidence cycle every year. We pre-fill what we can from the live control environment, name the gaps honestly, and stage remediation work in the months before the renewal date so the conversation with the broker is about price rather than coverage.

Next step · start with the evidence

Find out where you actually sit.

The Essential Eight self-assessment takes about ten minutes and gives you a branded PDF report you can hand to your compliance officer, your insurer, or your board the same day. If you want to confirm we're the right shop for the work, the fit check comes next.

See if we're a fit