This article is an edited version of the same article by the writer, previously posted on Privasec, a Sekuro company’s website.
The InfoSec Registered Assessors Program, or IRAP, is a program that endorses suitably qualified cyber security professionals. Designed by the Australian Signals Directorate (ASD), IRAP aims to help secure Australian Government and broader industry systems and data, by independently assessing an organisation’s cyber security posture, identifying security risks and suggesting mitigation measures. The purpose of an IRAP assessment is for each organisation to consider a risk-based approach in determining which of the guidelines are relevant to each of the systems they operate when interacting with Australian Government data.
The framework used within an IRAP assessment is known as the Information Security Manual (ISM). Created by the Australian Cyber Security Centre (ACSC), it is updated on a regular basis. Categorised into 22 cyber security guidelines and encompassing over 800 controls, the ISM outlines a cyber security framework that an organisation can apply using their risk management framework, in order to protect their systems and data from cyber threats. These cyber security guidelines cover governance, physical security, personnel security, and information and communications technology security topics.
The Role of an IRAP Assessor
IRAP Assessors are independent consultants that the ASD has approved to conduct security assessments and provide valuable recommendations for improvement for ICT systems, Cloud services, Gateways, Gatekeeper and FedLink, at a security clearance level of up to SECRET. They do not however accredit, certify, endorse or register systems on behalf of ASD.
The approval process requires meeting the following requirements:
- Be an Australian citizen
- Have at least 5 years of experience in technical ICT and security systems including possession of relevant certifications
- Complete the IRAP Training Course
- Pass the IRAP Training Exam within 80% or higher score
Key benefits of engaging an IRAP Assessor
Engaging with an IRAP Assessor can provide numerous benefits for organisations aiming to enhance their security posture:
- Expert Knowledge: IRAP Assessors possess specialised knowledge and expertise in information security and risk management. Their experience allows them to identify potential vulnerabilities and propose effective strategies to mitigate risks.
- Independent Assessment: The independent nature of IRAP Assessors ensures an unbiased evaluation of an organisation’s security controls and practices. This objectivity adds credibility to the assessment process and gives organisations a reliable benchmark for measuring their security maturity.
- Trust: By engaging an IRAP Assessor, organisations demonstrate their commitment to maintaining high security standards and alignment with relevant regulations. This commitment helps build trust with stakeholders, clients, and customers, enhancing their confidence in the organisation’s ability to protect sensitive information.
Steps to Applying a Risk-based Approach Using the ISM
The risk management framework used by the ISM draws from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.
In the six steps outlined by the Australian Government, the risk management framework used by the ISM are:
- Define the system: Determine the type, value and security objectives for the system based on an assessment of the impact if it were to be compromised. Document this in the system’s system security plan.
- Select controls: Select controls for the system and tailor them to achieve desired security objectives. While the cyber security guidelines can assist with risk identification and risk treatment activities, an organisation will still need to undertake their own risk analysis and risk evaluation activities due to the unique nature of each system, its operating environment and the organisation’s risk tolerances.
- Implement controls: Implement controls for the system and its operating environment. Once suitable controls have been identified for a system, and approved by its authorising officer, they should be implemented and documented in the system’s CCM.
- Assess controls: The IRAP Assessor will assess controls for the system and its operating environment to determine if they have been implemented correctly and are operating as intended. At the conclusion of a security assessment, an IRAP Cloud Security Assessment Report should be produced. This will assist in performing any initial remediation actions as well as guiding the development of the system’s plan of action and milestones.
- Authorise the system: Before a system can be granted authorisation to operate, sufficient information should be provided to the authorising officer, in order for them to make an informed risk-based decision as to whether the security risks associated with its operation are acceptable or not. This information should take the form of an authorisation package that includes (amongst other documents) the IRAP Cloud Security Assessment Report.
- Monitor the system: Monitor the system, and associated cyber threats, security risks and controls, on an ongoing basis. Following the implementation or modification of any controls as a result of risk management activities, another security assessment should be completed. In doing so, the system’s authorisation package should be updated.
How to Prepare/ Plan for Your Service
Are you ready to engage an IRAP Assessor? Follow these steps to begin your organisation’s journey:
- Ensure that you are working with Australian Government data, be it at rest, in transit, or in storage, and that your organisation requires compliance with security controls.
- Take a look at your network and system architecture and review the ISM controls and guidelines to determine what controls you think are in scope.
- Ensure that you have resources and time ready for the duration of the IRAP engagement.
- Prepare and create policies and procedures or update all internal processes, employee training and education and organise these documents into a shared file.
How We Can Help
Principal Consultant, Sekuro
Sita Bhat is a Principal Consultant at Sekuro, and leads the Governance, Risk and Compliance (GRC) team across various states in Australia - working with numerous global tech giants. Sita is an IRAP Assessor and is passionate about sharing her skills and knowledge, and championed the first GRC related stream inside Sekuro's Hackcelerator program.