IRAP Assessments
Cyooda Security has ASD-endorsed, qualified IRAP assessors.
The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) initiative to provide high-quality information and communications technology (ICT) security assessment services to government and industry.
IRAP provides a framework for assessing the implementation and effectiveness of an organisation's security controls against the Australian government's security requirements, as outlined in the Information Security Manual (ISM) and Protective Security Policy Framework (PSPF).
Our assessors are here to provide you with an independent assessment of the security of your systems, provide guidance and remediation advice, and highlight remaining residual risks, so you can make informed decisions for improvement.
Cyooda Security have the most experienced and respected IRAP assessors in Australia.
- Cyooda assessors conduct independent IRAP assessments up to SECRET for ICT Systems, Cloud Services, Gateways, Gatekeeper and Fedlink
- We advise on your organisation's risk posture aligned to the latest control requirements of the ISM
- Our assessors support you to improve your organisation's security posture and cybersecurity maturity
- Cyooda assessors inform you of the latest updates and support and guide you through the entire IRAP process
Cyooda's IRAP assessors have unique skills and experience gained over the last 25+ years working with government agencies, financial institutions, telecommunications, mining and global organisations looking to conduct business in Australia.
Our assessors meet the stringent prerequisites to be IRAP assessors.
Cyooda Security assist and guide UK and American organisations through the complex requirements and approvals pertaining to cybersecurity when conducting business with the Australian Government.
Find out more about how we can help you here.
Cyooda Security IRAP assessors provide an independent assessment of your security controls, processes and documentation aligned to the ISM and PSPF frameworks.
Our assessors follow a 4-step process that:
- prepares your organisation so that it is ready to undertake the assessment
- clearly defines the scope
- assesses the controls
- finally, provides you with an IRAP report and letter of completion
Note: Our IRAP assessors do not endorse, accredit, certify, or register systems on behalf of the ASD.
Organisations that are looking to sell their products, cloud or managed service offerings to Australian Government departments and agencies may be asked if their service has been IRAP assessed as part of one of the early procurement checks.
The guidelines from the Australian Information Security Manual (ISM) mandate that managed service providers, outsourced cloud service providers and their cloud services undertake a security assessment by an IRAP assessor once every 24 months.
There are 2 options available to assess whether your organisation is ready:
1. Perform your own self-assessment
IRAP assessment collateral is publicly available from the ASD website. This includes all of the ISM controls and the cloud security control matrix that we use to assess customers against.
To be ready for an IRAP assessment, the minimum set of documents and aligned controls you need are:
- Systems Security Plan
- Security Risk Management Plan
- Incident Response Plan
- Continuous Monitoring Plan
- Plan of actions and milestones (for revalidation only)
If you need assistance or would just like to chat about any of the above requirements then please get in touch.
2. Engage Cyooda Security for an IRAP assessment
Cyooda will work with your management, operations and cybersecurity teams to identify the necessary controls and develop the documentation required for you to undertake an assessment.
Note: If we assist you with preparing any of your documentation or controls, then we cannot assess you and you will need to seek the services of another assessor.
ASD Essential 8 Assessment
Cyooda Security are endorsed by the Australian Signals Directorate (ASD) as an authorised IRAP assessor, which includes providing ASD Essential Eight assessments.
The Essential Eight assessment comprises 3 distinct phases:
- Consult and prepare – understand scope, desired maturity level, process, policy, and people.
- Engage and gather evidence – interview relevant system and policy owners, review architecture and system documentation, assess a sample of systems that represent the in-scope environment.
- Analyse and assess – analyse findings and provide a detailed report.
Assessments against the Essential Eight are conducted using the Essential Eight Maturity Model and specific criteria for each control taken from the ASD Information Security Manual (ISM).
As a minimum, an organisation should be aiming to reach maturity level one to be considered to have effective controls.