What is the Infosec Registered Assessors Program (IRAP)?
The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) initiative to provide high quality information and communications technology (ICT) security assessment services to government and industry.
What is an IRAP Assessment?
An IRAP assessment provides a framework for assessing the implementation and effectiveness of an organisation's security controls against the Australian government's security requirements, as outlined in the Information Security Manual (ISM) and Protective Security Policy Framework (PSPF).
Who are IRAP assessors?
IRAP Assessors are ASD certified security professionals from across Australia who have the necessary experience and qualifications in ICT, security assessment and risk management, and a detailed knowledge of ASD's Information Security Manual (ISM).
What are the requirements to be an IRAP Assessor?
Cyooda Security has an ASD endorsed, qualified IRAP assessor.
To be qualified as an assessor, individuals must:
- be an Australian citizen
- hold a minimum NV1 security clearance
- have successfully completed an IRAP training course and the ASD examination
- have a minimum of 5 years of technology experience
- provide evidence of ICT and auditing qualifications (category A and B)
Our assessor provides you with an independent assessment of the security of your systems, provides guidance and remediation advice, and highlights remaining residual risks, so you can make informed decisions for improvement.
What's involved in the IRAP assessment process?
An IRAP assessment contains four key process stages as shown below:
Plan and Prepare
This is where you prepare by gathering all relevant documentation and evidence to be validated ahead of the assessment. This includes reviewing the System Security Plan Annex or Cloud Controls Matrix.
Define the Scope
We work with you to establish an agreed scope for the IRAP assessment. This includes the relevant systems, networks and security controls to be evaluated.
Assess the controls
Using a series of interviews, documentation reviews and validation of controls, the in-scope environment is assessed.
Produce the security report
A final report detailing the technical findings and recommendations for improvement.
Frequently Asked Questions about IRAP
Cyooda Security has the most experienced and respected IRAP assessor in Australia.
- Cyooda conducts independent IRAP assessments up to SECRET for ICT systems, cloud services, gateways, Gatekeeper and Fedlink
- We advise on your organisation's risk posture aligned to the latest control requirements of the ISM
- Our assessor supports you to improve your organisation's security posture and cybersecurity maturity
- Cyooda informs you of the latest updates and supports and guides you through the entire IRAP process
Cyooda's IRAP assessor has unique skills and experience gained over the last 25+ years working with government agencies, financial institutions, telecommunications, mining and global organisations looking to conduct business in Australia.
Our assessor meets the stringent prerequisites to be an IRAP assessor.
Cyooda Security assists and guides UK and American organisations through the complex cybersecurity requirements and approvals that apply when conducting business with the Australian Government.
Cyooda Security IRAP assessors provide an independent assessment of your security controls, processes and documentation aligned to the ISM and PSPF frameworks.
Our assessors follow a 4-step process that:
- prepares your organisation so that it is ready to undertake the assessment
- clearly defines the scope
- assesses the controls
- finally provides you with an IRAP report and letter of completion
NOTE:
Our IRAP assessors do not endorse, accredit, certify, or register systems on behalf of the ASD.
Organisations that are looking to sell their products, cloud or managed service offerings to Australian Government departments and agencies may be asked if their service has been IRAP assessed as part of one of the early procurement checks.
The guidelines in the Australian Information Security Manual (ISM) mandate that managed service providers, outsourced cloud service providers and their cloud services undertake a security assessment by an IRAP assessor once every 24 months.
There are two options available to assess whether your organisation is ready:
1. Perform your own self-assessment
IRAP assessment collateral is publicly available from the ASD website. This includes all of the ISM controls and the cloud security controls matrix that we use to assess customers against.
To be ready for an IRAP assessment the minimum set of documents and aligned controls you need are:
- Systems Security Plan
- Security Risk Management Plan
- Incident Response Plan
- Continuous Monitoring Plan
- Plan of Actions and Milestones (for revalidation only)
If you need assistance or would just like to chat about any of the above requirements then please get in touch.
2. Engage Cyooda Security for an IRAP assessment
Cyooda will work with your management, operations and cybersecurity teams to identify the necessary controls and develop the documentation required for you to undertake an assessment.
Note: If we assist you with preparing any of your documentation or controls, we cannot then assess you, and you will need to seek the services of another assessor.
Depending on the scope, an IRAP assessment can take between 4 and 12 weeks to complete. For more complex environments it can take much longer.
The ISM and PSPF are two different security frameworks that guide the security and privacy of government information, systems and networks.