Industry · RTO

IT and cybersecurity for Australian Registered Training Organisations.

ASQA audits, long-retention student records, Unique Student Identifier obligations, Student Management Systems, training delivered across your sites and client sites. Compliance sits heavily on RTOs; the IT side of it can be the difference between a clean audit and a show-cause.

What's actually different in registered training organisations

RTO IT is a long-horizon record-keeping problem.

Most industries we work in have retention obligations measured in years. For some assessment evidence, RTOs have obligations measured in decades. That changes the shape of the backup conversation, the shape of the identity conversation, and the shape of what "we've always done it that way" actually implies about the records currently on the network.

The other RTO-specific pattern is the volume of third-party systems. A Student Management System, a Learning Management System, an assessment platform, an accounting and payroll stack, training venue platforms, and the AVETMISS submission pipeline each have their own security posture. Most RTOs accumulate these over years and never audit the aggregate access picture. We do.

On audit: ASQA doesn't audit IT, but almost every clause they audit depends on IT-held evidence. Walking into an audit with a clean evidence pack (retention policy, access register, backup proof, SMS audit log) means the auditor spends their time on training-quality questions, not on whether your records are real. We build and maintain that evidence pack as part of the service, not as a panicked six-weeks-before exercise.

Live right now · registered training organisations

The 2026 pressure points we're actively working on with clients.

The specific asks, deadlines and enforcement actions shaping 2026 conversations in your sector.

2025 Standards for RTOs commenced 1 July 2025

ASQA's revised framework is now in force: the Outcome Standards, the Compliance Standards including Fit and Proper Person Requirements, and the Credential Policy. 19 Practice Guides have been published. The Information and Transparency and Accountability guides in particular lift the bar on how student data is handled, disclosed and retained. Most RTOs we assess haven't fully updated their internal processes yet.

USI handling under the Credential Policy

USI verification is now tied more tightly to the Credential Policy and the 2025 Standards. The IT systems supporting AVETMISS submission, USI verification and student-record retention have to operate cleanly and produce evidence on demand.

Cyber-insurance underwriters after 2023 TAFE breaches

Underwriters have priced in the 2023 TAFE-sector breaches and are asking mid-size private RTOs for MFA on every account, EDR, staff cybersecurity training, tested backups and a documented IR plan at renewal. Several RTOs have had quotes declined on missing controls in the last 12 months.

Mandatory ransomware payment reporting, 72 hours

Under the Cyber Security Act, businesses with turnover above $3M must report ransomware payments to ASD within 72 hours (commenced 30 May 2025). Most mid-size private RTOs sit above that threshold.

Frameworks that turn up in the room

Industry frameworks, regulations and audit standards for registered training organisations in Australia.

Standards for RTOs 2015
The ASQA-administered Standards applicable to Registered Training Organisations. Clauses 5, 7 and 8 cover information provided to learners, governance, and record management. IT is the system that evidences those controls.
VET Quality Framework + Data Provision Requirements
Obligations around AVETMISS submissions, Unique Student Identifier handling, and retention of student and assessment records. Retention periods reach 30 years for some assessment evidence.
Privacy Act 1988 + APPs
USIs and student records carry APP obligations. The USI Registrar has specific handling rules around access, disclosure, and destruction of Unique Student Identifiers.
ELICOS / CRICOS obligations (where applicable)
RTOs delivering to overseas students under CRICOS have additional reporting and record-keeping obligations administered by the relevant state regulator. These extend IT retention obligations further.
ACSC Essential Eight
Increasingly referenced in RTO cyber-insurance renewals and in larger enterprise-client training contracts. See /essential-eight for the maturity model.

Common questions

The things registered training organisation clients ask us first.

How long do we actually need to keep assessment records?
Depends on the qualification and the awarding framework. Core assessment evidence can run 30 years for some AQF qualifications. That's a long time for a document-storage system to stay honest. We build retention into the backup and document-management arrangement so the 30-year obligation is met without manual intervention, and we document the arrangement so ASQA can see it on audit.
Our Student Management System (aXcelerate, Wisenet, JobReady, VETtrak, etc.) stores everything. Isn't that enough?
SMSes are where the records live, not where they're protected. The backup, access control, identity management, and deletion-on-exit all live outside the SMS. If your SMS vendor goes down for two weeks, or an ex-trainer still has a login six months after leaving, the SMS itself can't tell you. We secure the environment around it and audit access properly.
An ASQA audit is on the way. What does the IT side of the audit actually look like?
ASQA doesn't audit IT directly, but a lot of what they do audit depends on IT evidence: that assessment records exist, are unmodified, and can be produced on request; that access to student records is appropriate; that the organisation is maintaining its obligations around USIs. We produce the evidence pack that supports those clauses so you spend audit time on the training-quality questions, not searching for files.
We deliver training on client sites and online. Does that change anything?
Yes, in the details. Trainer devices that travel onto client sites need device-level security that assumes hostile networks (EDR, DNS filtering, conditional access). Online delivery platforms need identity and access reviews, and any recorded content needs clear handling rules. None of it is exotic; it's just not what a generic MSP would set up without being asked.
Can our trainers use Microsoft 365 Copilot or ChatGPT to write, mark or review assessment evidence?
Yes, in some cases, with an ASQA-aware policy. ASQA doesn't currently ban AI-assisted assessment development, but it does expect validation processes that confirm assessment tools reliably assess the competency claimed. Using AI to draft materials is usually fine; using AI to mark student evidence without human sign-off is usually not. We help RTOs write an acceptable-use policy, pick an enterprise-tier tool (Copilot under M365 Business Premium, Claude for Work, ChatGPT Enterprise), and document the controls so the next ASQA audit has a clean answer to "how does your organisation govern AI use?".
