Everything you need to know about IRAP



In this article I will take you through everything you need to know about an IRAP assessment; what it is, what's involved, why it's important and a checklist of things you will need to do to kick start your IRAP journey.  

What is IRAP?

The Information Security Registered Assessors Program (IRAP) provides a framework for assessing the implementation and effectiveness of an organisation’s security controls against the Australian government’s security requirements, as outlined in the Information Security Manual (ASD ISM) and Protective Security Policy Framework (PSPF).  IRAP was created by the Australian Cyber Security Center (ACSC) which is a part of the Australian Signals Directorate (ASD).

The ASD endorses suitably qualified cyber security professionals to provide relevant services which aim to secure broader industry and Australian Government systems and data. 

Who are IRAP assessors?

IRAP Assessors are ASD-certified ICT professionals from across Australia who have the necessary experience and qualifications in ICT, security assessment and risk management, and a detailed knowledge of the ASD's Information Security Manual.  A rigorous process is involved to become IRAP certified, which beyond relevant experience includes attending and passing an intensive Australian IRAP bootcamp, as well as gaining the required security clearances.

Endorsed IRAP assessors can provide an independent assessment of ICT security, suggest mitigations and highlight residual risks. IRAP provides a comprehensive process for the independent assessment of a system's security against Australian government policies and guidelines. The IRAP goal is to maximise the security of Australian federal, state, and local government data by focusing on the information and communications technology infrastructure that stores, processes, and communicates it.

Why is IRAP important?

Endorsed IRAP Assessors assist in securing your systems and data by independently assessing an organisation’s cyber security posture, identifying security risks and suggesting mitigation measures. IRAP Assessors can provide security assessments of SECRET and below for ICT systems, Cloud services, Gateways, Gatekeeper and FedLink. IRAP Assessors do not accredit, certify, endorse or register systems on behalf of the ASD.

What Risk Frameworks does IRAP use? 

For government entities both the PSPF and ISM frameworks are used.  These are both updated on a regular basis.

The purpose of the ISM is to outline a cyber security framework that an organisation can apply, using their risk management framework, to protect their systems and data from cyber threats.

The ISM is categorised into 22 cyber security guidelines and encompasses 850+ controls which are created to provide practical guidance on how an organisation can protect their systems and data from cyber threats. These cyber security guidelines cover governance, physical security, personnel security, data, network and application technology security topics.

The purpose of an IRAP assessment is for each organisation to consider a risk-based approach in determining which of the guidelines are relevant to each of the systems they operate when interacting with Australian Government data.

The risk management framework used by the ISM draws from National Institute of Standards and Technology (NIST) SP 800-37.   The risk management framework used by the ISM has six steps:

  • Define the system
  • Select security controls
  • Implement security controls
  • Assess security controls
  • Authorise the system
  • Monitor the system

Additional compensating controls can be implemented on a risk-managed basis by individual agencies prior to agency authorisation and subsequent use of these cloud services.

How long do IRAP assessments take?

This entirely depends on what is in scope and assessments can be time-consuming, involving a comprehensive evaluation of an organisation’s information security practices, policies, procedures, and technical controls.  

IRAP assessments typically cover various aspects of information security, including risk management, access controls, incident response, network security, physical security, and personnel security. The assessors identify vulnerabilities and weaknesses in the assessed entity’s information security defences and recommend improvements.  If an assessment is well defined in terms of scope, documentation, processes, and proof of controls are available, then an assessment could be completed in as little as a few weeks, but larger more complex ones may run into many months.

When do you need an IRAP Assessment?

The short answer is that if you supply services, products to an Australian Government agency or partner with them, then it is likely you will need to undertake an IRAP assessment.

Any entity can engage an IRAP Assessor, not just Australian government entities.

When you don’t need an IRAP assessment?

If you don’t handle or process Government data then you will not need to complete an IRAP assessment.  Like other assessments an IRAP is not a box ticking exercise or a badge to gain simply for marketing purposes.  What you should be doing is aligning security to the goals of the business and choosing a framework that is recognised internationally, well understood and that improves security.   The ASD essential eight framework is an example of a good place to start but equally there are other frameworks that may be better suited to your goals or industry sector.

What is involved in an IRAP assessment?

The IRAP certification process contains four distinct phases as shown below.    

1. Plan and Prepare

The plan and prepare phase consists of the following activities:

  • assessment start date, duration and milestones
  • access to resources required to undertake the assessment including documentation, systems, tools, personnel and facilities
  • system and control testing activities
  • evidence collection process and evidence protection
  • approach to stakeholder engagement and consultation
  • version of the ISM that will be used for the assessment
  • appropriate use and marketing of the security assessment report 
  • availability of the security assessment report and evidence to ASD for quality assurance

2. Define the Scope

The scope of an IRAP assessment includes both the authorisation boundary of the system under assessment, as well as the security controls applicable to the assessment of that system. The scope of an IRAP assessment should be defined early in the assessment by the IRAP assessor coming to an agreement with the System Owner on: 

  • The system version and environment under assessment (e.g. PROD or TEST, and the implications of the latter).
  • The intended security classification of the data stored, processed or communicated by the system.
  • The authorisation boundary of the system (i.e., the system components under assessment as well as the people, processes, technologies and facilities that the system relies on or impact its security posture).

3. Assess the controls

In this phase, the IRAP assessor reviews evidence provided by the client organisation to determine the implementation status of security controls. Security control review activities are typically divided into two categories:

  • Design effectiveness review
  • Operational effectiveness review

IRAP assessors must consider the quality of evidence provided during an assessment and its impact on assessment outcomes. The goal is to review evidence that provides a high level of assurance on the implementation of a security control. If an IRAP assessor cannot obtain sufficient evidence during an assessment, this limitation should be documented within the security assessment report.

4. Produce the report

Upon completion of the assessment, the assessor produces a security assessment report to document the outcomes of the assessment. At a high-level, a security assessment report describes:

  • The scope of the security assessment.
  • The effectiveness of the implementation of security controls.
  • Security risks associated with the operation of the system.
  • Any recommended remediation actions.

IRAP assessors are not required to undertake a risk assessment of ineffective controls, only identify security risks and risk mitigating controls so that the consumer of the report can undertake their own assessment of those risks.

In addition to the security assessment report, the IRAP assessor documents the security controls matrix (SCM) or cloud SCM (CSCM). The SCM contains assessment observations against each ISM control.

Need further help?

Hopefully this has provided a good overview of what is involved in an IRAP assessment.  

If you would like further assistance or a confidential chat to understand how Cyooda Security can help you on your IRAP journey then please get in touch.


Leave a Comment