DIY NDIS provider registration: the certification path

Becoming a Registered NDIS Provider - a step-by-step guide

Version: 15 June 2026, updated after a review by a practising NDIS auditor. Checked against the NDIS Commission and current Pricing Arrangements (PAPL) - rules change, so re-verify before you rely on it.

This guide covers a certification registration assessed against the Core Module only - standard, everyday support groups that don't add a supplementary module. The worked example below uses 0107, 0117 and 0125. ("Support work" is the everyday term for this, but it isn't an official NDIS category; what matters is whether your groups stay on the Core Module or add a supplementary module.)

Also on this pathway: plenty of other standard certification groups, not just these three. See the full list of registration groups and confirm your own.

Not for: anything that adds a supplementary module - high-intensity daily personal activities (0104 + HIDPA), behaviour support, implementing behaviour support plans, SDA, specialist support coordination, early childhood, or SIL.

Delivering therapy? (OT, physio, speech, psychology, dietetics, etc.) Use the Allied Health (Verification) guide instead.

Worked example: registering for these three registration groups

Group	Support	Audit pathway
0107	Assistance with daily personal activities	Certification
0117	Development of daily living and life skills	Certification
0125	Participation in community, social and civic activities	Certification

The single most important fact up front. Your overall audit type is the highest-risk of the groups you pick: if even one group needs a certification audit, your whole application is certification. All three of these are certification-level, so you're on the certification pathway - the fuller audit, with an on-site visit. (If you ever add a verification-type group later, it just folds in; the whole audit stays certification.) Confirm each registration group against the current Commission "registration requirements by supports and services" table, and treat the Initial Scope of Audit email the Commission sends after you apply (Step 5) as the definitive word. None of these three trigger a supplementary module - but only while your real service stays standard. If you actually deliver high intensity daily personal activities (0104), specialist behaviour support, implementing behaviour support plans, early childhood supports, specialist support coordination, or SDA, those add supplementary modules and extra evidence. This guide assumes you are not in those areas. This guide is honest about one thing throughout: documents do not register you. They are the scaffolding. You become registered by tailoring them to how you actually work, using them, keeping the records that prove you use them, and passing an audit. That is what every step below is building toward.

What the NDIS Commission says about consultants and purchased policies. You are responsible for the content of your registration application. If you use a consultant, advice service, or purchased policies to help you apply, the Commission expects that:

• you were substantially involved in preparing the application and associated documents
• you understand what you have submitted and can explain the content if required
• your application is an accurate representation of your organisation and key personnel
• you can demonstrate the suitability of your organisation to deliver disability supports, and not rely on the expertise of the consultancy or advice service
• your responses are specific to your organisation and are not a direct copy of purchased documents
• your documents accurately set out how your organisation complies with NDIS provider responsibilities
• the policies you provide accurately reflect how your organisation will deliver NDIS supports

That is exactly why this guide keeps saying: tailor every document to how you actually work, and make sure you understand what you submit. (Giving false or misleading information in an application is a civil penalty and a criminal offence.) Source: NDIS Commission - using consultants, advice services or purchased policies.

---

The tools you'll use

• A secure record system - to hold your participant files, worker files, registers, rosters, shift notes and an audit-readiness view. Bluetail CRM (in development) is one option; any secure system that does this works. This guide assumes Bluetail CRM.
• Documents - your registration document pack (Bluetail, or equivalent). Every document name in bold below is a document from the Bluetail pack. A generated document still needs your manual review and tailoring before you submit it - never lodge one untouched.

---

STEP 0 - Are you ready and suitable to register?

Do this before anything else. The Commission does not just check your documents - it assesses you and your key people as fit to run an NDIS service.

0a. Suitability (you + your "key personnel")

"Key personnel" are the people who control or run the business - for a sole trader that's you; for a company it's the directors and anyone making key decisions. The Commission assesses each of them, and key personnel in risk-assessed roles also need a worker screening clearance. Check honestly, for everyone:

• No undisclosed bankruptcy / insolvency history
• No relevant criminal history / indictable offences
• No banning orders, prior refusals, cancellations or adverse compliance history
• Conflicts of interest identified and manageable
• You can show real experience and capability to govern the supports you're applying for Disclose honestly. A past issue does not automatically mean refusal - but non-disclosure is dangerous, because giving false or misleading information is itself a ground for refusal. If you have past insolvency/criminal/enforcement history, get advice before applying.

What the auditor will want for each key person. At audit you'll be asked to provide, for everyone listed as key personnel (and any board member with decision-making authority): qualifications and certificates, a Working With Children Check where relevant, an NDIS worker screening clearance, and 100 points of ID. Have these on file and matched to the names in your application and on the portal.

0b. Decide your legal entity (and keep it consistent)

• Decide sole trader vs company (a company costs more and adds admin but separates personal liability; a sole trader is cheapest and quickest). This is the entity that gets registered.
• For a company: register the company (ACN), ABN, a business name if you trade under one, a bank account in the company's name, and keep ASIC officeholder details current.
• The same legal entity must match your ABN, business name, insurances, service agreements, worker contracts, invoices and bank account. Mismatches here cause audit and payment problems later.

0c. Lock your scope

• Write down the supports you'll actually deliver, and confirm none quietly cross into a supplementary-module area. Watch this scope-creep danger list: medication, mealtime/swallowing risk, bowel care, diabetes or seizure management, behaviour support plan implementation, locked doors/restrictive practices, early childhood early-intervention/key-worker supports or child-related work that triggers a Working With Children Check and child-safe requirements, transport in a worker's car, overnight/sleepover. If any apply, you may need extra evidence or a different module - get advice first.

---

STEP 1 - Preparation: lock your foundations

Get these in place. Tick each one - and save the evidence (a screenshot/PDF/certificate) for each, because you'll need it at audit.

1a. Confirm your registration groups

• Your registration groups: 0107, 0117, 0125.
• This means a certification audit (Stage 1 desktop + Stage 2 on-site).
• 0107 check: confirm your personal care is standard, not high intensity. High intensity (e.g. PEG/tube feeding, ventilation, complex bowel care, complex wound care, and often diabetes management, seizure management, dysphagia/mealtime risk, catheters or subcutaneous injections) needs group 0104 + the HIDPA module - extra evidence. If your real work drifts into these, check before you apply. Also note: the Commission imposes ongoing registration conditions on providers of personal-support groups like 0107 (extra safeguards for situations like a sole worker supporting a participant who lives alone). Read your obligations here: NDIS Commission - registration conditions for personal support providers.

1b. Business + government foundations (you must do these; documents can't)

• ABN + business structure registered, matching the entity from Step 0. → abr.gov.au
• Business name if you trade under a name that isn't your own; GST registered if your turnover requires it (get tax advice - GST treatment of NDIS supports isn't automatic); a business bank account in the entity's name. → asic.gov.au
• myID + RAM access set up - your secure government login to start the application. Set up myID, and if you're acting for a business or sole-trader ABN, link/authorise the entity in Relationship Authorisation Manager (RAM). You'll use myID/RAM to access the NDIS Commission Applications Portal. (The portal is moving from PRODA to myID/RAM.) → myid.gov.au · authorisationmanager.gov.au
• Insurances, with certificates of currency that name your legal entity and cover what you actually do (write a one-page scope - personal care, community access, transport, home visits, lone work - and give it to your broker; keep the quote/email trail as evidence):
• Public liability - the common market expectation is around $10-20m, but match it to your real service risks; confirm with your broker.
• Professional indemnity - expect to need it. Even for support-work-only delivery, NDIS auditors generally require professional indemnity alongside public liability, because supporting a participant still involves giving advice about their care and managing risks (for example helping with a transfer, or suggesting a mobility aid), and getting that wrong can cause injury or harm. Hold cover that matches what you actually do, and confirm the scope with your insurer.
• Workers compensation - required under your state/territory scheme once you employ workers (some states have a small-wages threshold); check your state regulator before you engage anyone. If you don't yet employ anyone (or your wages are under the threshold), get a certificate of exemption / non-liability from your state scheme - an auditor will want to see either workers-comp cover or proof you're exempt.

Need insurance? A shortcut. You can compare public liability, professional indemnity and workers compensation from multiple insurers in one place through BizCover (or quote referral code Bluetail at signup). Bluetail has partnered with BizCover and may earn a small commission if you buy through this link, at no extra cost to you - it helps keep these guides free. Always check the policy actually covers the supports you deliver.

• NDIS Worker Screening Check - cleared, for you and anyone in a risk-assessed role. A police check alone is not enough - auditors generally won't accept one in place of screening, so don't rely on it; an NDIS worker screening clearance is the must-have. First make a short Risk-Assessed Role Register (which roles are risk-assessed, and why - the Commission's worker-screening guidance for registered providers defines what counts as a risk-assessed role); then get a clearance for each person in those roles (keep the clearance ID + expiry), keep them current, and have a process to stand someone down if they're suspended or excluded. → ndiscommission.gov.au/workers/ndis-worker-screening-check

Screening before you're registered: if you need to check or link clearances before you're registered, apply for NDIS Worker Screening Database access through the Applications Portal as an "unregistered provider". Once access is approved, link/check your key personnel and workers, confirm each person's status and expiry, then lodge your provider registration application.

• NDIS Worker Orientation Module ("Quality, Safety and You") done by you and your workers; keep the certificates. → training.ndiscommission.gov.au

1c. Tools ready

• Document pack available; record system set up and you can log in. At the end of Step 1 you have: the right groups, the correct legal entity, an ABN, myID/RAM access, matching insurances, screening, orientation, and your tools - with evidence saved for each.

---

STEP 2 - Build and tailor your document foundation

Write your one-page Operating Model first. Before you tailor a single document, write a one-pager: who owns the business, who manages service delivery, who handles complaints/incidents, who rosters, who supervises workers, where records are stored, which supports are in scope, and which you explicitly don't offer. Then tailor every document to that model. It stops you tailoring blindly. Generate every document pre-filled with your business details, then tailor each one to how you actually operate. This is not optional busywork - at Stage 2 the auditor checks that your documents describe your real service. Generic, untouched documents are the #1 reason providers struggle. ⚠️ The single most important thing in this guide. An untailored policy is an audit failure waiting to happen. The auditor isn't checking that you have a complaints policy - they're checking it describes how you actually handle a complaint: who receives it, what you do, how fast, where you record it, who follows it up. Submit an untouched template and the auditor sees a business that doesn't yet exist on paper. Every document must be made yours before you submit. Policy vs procedure vs form vs register vs record - know the difference. A policy says what you do (your rules and commitments). A procedure says how you do it (the step-by-step your staff follow). A form captures an event or decision. A register lets you track and review it. A completed record proves the system is actually operating. If a single document covers both the rules and the steps, title it a "policy and procedure". For every policy, ask: what procedure puts it into practice, what form records it, what register tracks it, who reviews it, how often, and what shows it was closed out? (Example: your Incident Management Policy and procedure need an incident report form → incident register → corrective-action record → Commission notification evidence.) A policy pack alone is not an audit pack. A policy pack is a promise; an audit pack is the proof you kept it.

What "tailoring" actually means

Most documents have two kinds of content:

• Standard content you can largely keep - the parts that restate the law or NDIS rules (e.g. the eight elements of the Code of Conduct are fixed; don't reword them).
• Your-business content you MUST add - wherever a document describes a process, a person, a timeframe, or a record. This is the part the auditor is really reading. Even a "standard" document has your-business content. Take the Code of Conduct: the eight elements are fixed, but the moment it says "breaches are managed as follows", you must state how your business responds - e.g. "the breach is recorded in our incident/complaints register in [your CRM], the manager reviews it within 2 business days, the worker is spoken to and any retraining is recorded on their file, and reportable matters are notified to the Commission within the required timeframe." That sentence turns a template into evidence. Every spot you must complete is marked in red, highlighted text in the document. Replace (or delete) every red prompt before you submit. If any red text is left, it's not finished. And wherever a policy says "we record this", name where - "logged in the incident register in [your CRM]" - so the auditor sees an unbroken thread from policy to evidence. Your pack, grouped the way an auditor thinks. All need tailoring; the ones carrying the most process/record detail (Governance, Continuous Improvement, Risk, Incident, Complaints, Records, Conflict of Interest, and the participant-facing policies) matter most:

Governance & quality

• Governance & Operational Management Policy + a one-line Scope of Supports / Service Delivery Statement
• NDIS Code of Conduct & Worker Code of Conduct
• Continuous Improvement Policy + Quality Improvement Plan (annual)
• Risk Management Policy & Framework
• Emergency & Business Continuity Plan
• Financial Management Policy
• Internal Audit / Self-Assessment Checklist + Policy & Document Control Register

Rights & participant-facing

• Participant Rights, Dignity & Safeguarding Policy
• Service Access & Intake Policy
• Service Delivery & Support Planning Policy
• Participant Service Agreement (template) + Participant Consent Form
• Participant Handbook / Welcome Pack
• Participant Money & Property Policy
• Transitions Policy (including an exit/transition plan from day one)
• Communication & Information Accessibility Policy

Safety & operations

• Work Health & Safety (WHS) Policy
• Infection Prevention & Control Policy
• Incident Management Policy & Procedure + Open Disclosure Procedure + a Reportable Incident decision tool
• Complaints & Feedback Management Policy (+ acknowledgement/outcome letters)
• Privacy & Confidentiality Policy + Data Breach Response Plan
• Records & Information Management Policy
• Conflict of Interest Policy
• Worker Supervision Policy
• Lone Worker Policy & Procedure ← important for 0107/0125 one-to-one work
• Transport & Vehicle Policy ← important for 0125 community access

Staff & employment

• Human Resources, Recruitment & Screening Policy
• Training & Development Policy (back it with a Training Register that logs every worker's training, including time-limited ones like CPR and First Aid, and their refresher due-dates)
• Employment Agreement (template) + Position Description: Support Worker + Offer of Employment Letter
• Confidentiality & Privacy Agreement (worker-signed) + Employee Details & Onboarding Form
• Subcontractor Agreement + Subcontractor Compliance Checklist ← if you use contracted workers

Specialised supports - only if you actually deliver them

• Medication Management Policy - only if your workers support medication.
• Mealtime Management Policy - only if you support mealtime/swallowing risk.
• Restrictive Practices Policy - only if you use regulated restrictive practices.

⚠️ High-risk documents. If you do deliver medication, mealtime or restrictive-practice supports, have those three reviewed by a clinically qualified person before you rely on them. A mistake here can seriously harm someone, and applying a restrictive practice without the correct authorisation and procedure can be unlawful. Restrictive practices are a special case: if you support any participant whose behaviour support plan includes regulated restrictive practices, a clinical review alone is not enough. You also need the full consent and authorisation framework, the policies and procedures behind it, and evidence your staff completed the required training before any restrictive practice is used - and you must be registered for and audited against the relevant behaviour support supplementary module (implementing behaviour support plans that include restrictive practices; confirm the exact module with your auditor). Without it you cannot deliver to that participant. (These supports also move you out of this standard support-work scope - re-check before you proceed.)

Governance evidence for sole traders

A policy isn't the same as evidence you actually govern. Even solo, build a little real evidence: a short governance statement (who holds which responsibilities), a backup/delegation arrangement (who covers you if you're away), an annual business/quality plan, quarterly governance review notes (run your risks, incidents, complaints, feedback and improvements), and current conflict-of-interest declarations. Sole trader doesn't mean no governance - it means showing how governance works when one person wears several hats.

Core Module evidence map (what proves each area)

The application asks you to self-assess against the Practice Standards. Auditors think in outcomes proven by evidence, not policies on a shelf. Use this to connect each Core Module area to the records that prove it:

Core Module area	Key policies behind it	Where the proof actually lives	Example self-assessment line
Rights & Responsibilities	Rights/Dignity & Safeguarding; Consent; Service Agreement; Communication	Signed service agreements + consent forms; handbook issued; feedback records	"We uphold rights via our Rights policy; each participant signs a service agreement and consent; we record and review consent in [CRM]."
Provider Governance & Operational Management	Governance & Operational Mgmt; Risk; Continuous Improvement; Financial; Conflict of Interest; HR	Governance review notes; risk, COI, continuous-improvement registers; worker compliance tracker	"The [role] governs the service; risks are logged in [CRM] and reviewed [frequency]; improvements are tracked in the CI register."
Provision of Supports	Service Delivery & Support Planning; Intake; Transitions	Goal-based support plans + goal reviews; progress/shift notes; intake records	"Each participant has a goal-based plan; delivery is recorded as progress notes in [CRM] and reviewed [frequency]."
Provision of Supports Environment	WHS; Infection Prevention & Control; Incident Management; Emergency & Business Continuity	Incident register + reports; WHS records; individual emergency plans	"Incidents are logged in [CRM], actioned, and reportable ones notified within the required timeframes; each participant has an emergency plan."

At the end of Step 2 you have: a tailored document set that describes your business, and a clear line from each Core Module area to the evidence that proves it.

---

STEP 3 - Set up your record system: enter your data

Put your business into your record system so your evidence has a home from day one. You do not need participants (or even workers) to apply - a new provider is assessed on whether their systems are ready. Do what applies to you.

3a. Set up access + privacy first (everyone)

• Enter business details, ABN and logo.
• Set user access levels (who can see participant files), a password/MFA rule, a backup/export process, and your data-breach + retention/archive processes.
• Upload your insurance certificates, and stand up your registers (3d) so they exist from day one.

3b. Workers - if you have any, for each one

• Worker Screening clearance + a role risk assessment; Orientation Module certificate
• Signed Code of Conduct, Employment Agreement + Position Description, Confidentiality Agreement
• Proof of identity, right to work, reference checks done, qualifications
• First aid/CPR, WWCC if children may be supported, driver licence + comprehensive car insurance if they transport participants
• Policy acknowledgement; induction checklist; skills/availability; training + supervision dates
• Role-specific training evidence: infection prevention and control standard precautions, PPE use where relevant, manual handling/personal-care training for 0107, transport/community-access and lone-worker training for 0125 - plus refresher dates
• Subcontractors get their own file (their agreement, their own public liability and professional indemnity, screening and qualifications) - they can't work under your insurance umbrella, and don't file them as employees.

3c. Participants - if you have any, for each one

• Signed Service Agreement + Consent Form (note any consent limits/expiry)
• Intake & Assessment Form + Risk Assessment (participant, plus home/site where you deliver supports)
• Support Plan (person-centred, goal-based) + Individual Emergency Plan
• For a participant you're already supporting: their Progress Notes to date (factual, dated, attributed)
• Decision-maker / nominee / guardian details; communication / cultural / language needs
• Transport consent + risk assessment if you do community access
• Confirm the Handbook / Welcome Pack was given; NDIS plan details + how it's managed (plan/self/agency); a goal-review and an exit/transition plan

3d. Stand up your registers

• Incident Register (+ Incident Report Form), Complaints & Feedback Register, Risk Register
• Conflict of Interest Register, Continuous Improvement Register, Corrective Action Register, Data Breach Register
• Training Register, Supervision Register, Worker Screening Register, Staff Compliance/Currency tracker
• Policy review register (each policy with last-reviewed + next-due); Restrictive Practices Register only if applicable At the end of Step 3 your record system holds: your org (with access controls), your live registers, and whatever workers/participants you currently have - fully evidenced.

---

STEP 4 - Run the service and build the evidence

This is the phase auditors care about most: proof you actually do what your policies say. Every support you deliver should leave a record.

⚠️ Before you're registered - what you can and can't do. You may operate as an unregistered provider for many supports, but you must not call yourself an NDIS-registered provider, and you must not deliver supports that legally require registration. Be honest with participants that you're not yet registered (it affects how plan-managed/agency-managed funding works), and keep your records exactly as if you already were.

Day-to-day records

• Progress / shift notes for every support - factual, person-centred, dated and attributed to an author.
• Any incident → logged in the Incident Register with follow-up, and reportable ones notified to the Commission in time:
• Immediate Notification Form - within 24 hours of becoming aware, for: a death; serious injury; abuse or neglect; unlawful sexual or physical contact or assault; sexual misconduct; and a restrictive practice that is unauthorised or not in a behaviour support plan where it caused harm.
• 5 Day Form - within 5 business days of becoming aware, with the detail and actions taken. For an unauthorised restrictive practice that did not cause immediate harm, the 5 Day Form is the only form required.
• Missing these timeframes can itself trigger compliance action - treat them as hard deadlines.
• When these obligations formally apply: reportable-incident notification obligations formally apply once you are a registered NDIS provider (and you may not have portal access to lodge the forms before then). Before registration, still run the same incident system internally and record what would have been reportable, so the system is genuinely set up and you can explain how it works at audit. This is only about the Commission's specific reportable-incident forms - it does not mean an unregistered provider can ignore a serious incident. You are still bound by the NDIS Code of Conduct, and anything serious or unlawful (abuse, neglect, assault, sexual misconduct, a death) must still be reported to the right authorities (police, child protection, the coroner) and to the participant or their decision-maker, and handled properly.
• Any complaint/feedback → Complaints Register, closed out. Worker supervision, training, continuous improvement and policy reviews → recorded as they happen.

Evidence quality rules: records are dated and identify the author; corrections don't delete the original history; notes are factual and objective (not personal opinion); incidents and complaints link to corrective actions; feedback links to continuous improvement; risks link to reviews. ⚠️ No participants yet? Here's how the audit actually treats that. At a provisional certification audit the auditor does not assess mock or dummy participant records - they rely on your real, tailored policies, procedures, templates and registers, and on your knowledge and answers in the interview, to judge whether your systems are sound. So you don't need to manufacture fake participant records. What you do need: every policy and procedure tailored to how you'll actually work, your registers set up and ready, and enough understanding to explain how each system runs. Walking a scenario through your own incident or complaint process is useful preparation for you - just clearly label any scenario as a drill, never as a real participant record. Because you have no participants, expect a provisional outcome: your initial audit still runs Stage 1 + Stage 2, but with no participants to assess the auditor usually gives a qualified recommendation (provisional certification). Then, once you onboard your first participants, you do a second Stage 2 audit (usually within about three months) to move from provisional to full certification - so with no participants you effectively go through Stage 2 twice (and pay the auditor for that stage twice). If you already have a participant and you're confident you'll pass, presenting them at the first audit lets you reach full certification in one process - one Stage 2 instead of two, saving the extra time and cost.

---