What is IRAP (Infosec Registered Assessors Program)
What is IRAP?
IRAP stands for Information Security Registered Assessors Program. It is a government-led program in Australia that endorses individuals from the private and public sectors to provide security assessment services to the Australian government. IRAP assessors are ASD-certified ICT professionals who have the necessary experience and qualifications in ICT, security assessment and risk management, and a detailed knowledge of ASD’s Information Security Manual.
The Infosec Registered Assessors Program (IRAP) ensures entities can access high-quality security assessment services.
Sekuro IRAP Services
The Infosec Registered Assessor Program (IRAP) is an initiative by the Australian Signals Directorate (ASD) to provide high quality Information and Communications Technology (ICT) security assessment services to Australian Government and Industry.
Sekuro’s IRAP Assessors are endorsed by the ASD, who ensure suitably-qualified cyber security professionals can assist in navigating the Information Security Manual (ISM), Protective Security Policy Framework (PSPF) and other Australian Government Guidance.
Why choose Sekuro to be your IRAP Assessor?
Sekuro is one of the most experienced and respected IRAP Assessors in Australia. A large number of Australian and International organisations have chosen Sekuro to be their IRAP partner.
- Sekuro Assessors conduct independent IRAP assessments up to the SECRET classification as defined in the Protective Security Policy Framework (PSPF).
- Demonstrated ability to advise on your organisation’s risk posture regarding the latest control requirements stipulated within the most recent ISM Version.
- Sekuro Assessors provide ongoing support and assist with continuous improvement in aligning to the most recent ISM Version.
- Sekuro Assessors support you in improving their cyber security maturity in an evolving threat landscape.
- Our Assessors inform you on the latest updates and guidance from the Australian Cyber Security Centre (ACSC).
The IRAP Assessment will help give local, state, and federal government agencies and organizations the reassurance they need to feel comfortable leveraging the Shibumi platform to support the government’s most critical programs of work,” said Bob Nahmias, Founder and CEO of Shibumi.
Dynatrace, a software intelligence company, is seeking the IRAP certification for its cloud platform.
The IRAP certification evaluates the compliance of cloud services with the Australian government's standards. The certification will allow Dynatrace to serve Australian government customers. Dynatrace's platform offers AI-powered observability, automation, and optimisation for complex cloud environments. The platform can improve performance, security, and user experience.
Sekuro IRAP Assessors
Sekuro’s IRAP Assessors have unique skill sets and have provided guidance for Defence, Federal Government, telecommunications, multi-national entities or other organisations looking to do business in Australia, and various cloud service providers.
Our Assessors meet the stringent prerequisites required to be an IRAP Assessor.
- Extensive ISM experience
- NV1 clearance or above
- Industry recognised certifications
How do Sekuro IRAP Assessors Assist and Guide?
Sekuro’s IRAP Assessors assist in securing your systems and data by independently assessing your cyber security posture, identifying security risks and suggesting mitigation measures.
Our Assessors clearly define the scope of work and provide unbiased and independent outcomes for your environment. Upon the completion of an IRAP Assessment, Sekuro will provide you with the following:
- Cloud Security Controls Matrix which details the implementation status of controls from the Information Security Manual.
- Cloud Security Assessment report.
- An IRAP Letter of completion.
Sekuro’s IRAP Assessors do not endorse, accredit, certify, or register systems on behalf of the ASD.
What is an IRAP Assessment?
An IRAP assessment is an independent assessment of the implementation, appropriateness, and effectiveness of a system’s security controls. The assessment is conducted against the Australian government’s security requirements, as outlined in the Information Security Manual (ISM) and Protective Security Policy Framework (PSPF).
The results of an IRAP assessment can help organisations to:
- Identify and mitigate security risks
- Improve their security posture
- Demonstrate compliance with Australian government security requirements
- Gain confidence in the security of their systems and data
If you are an organisation that handles Australian government data, you may be required to undergo an IRAP assessment.
Liaising with ACSC
We commonly liaise with agencies and/or ACSC on behalf of our clients to:
- Advise ACSC on customers’ certification requirements.
- Discuss assessment report findings, provide details on specific services recommended for certification.
- Discuss the value these services will bring to the Australian Government.
All that we do helps make the entire process easier for our customers.
What is an IRAP assessment?
An IRAP assessment is an independent assessment of the implementation, appropriateness and effectiveness of a system’s security controls.
The assessment is conducted by an IRAP assessor, who is a cyber security professional endorsed by the Australian Signals Directorate (ASD) to provide security assessment services for systems that handle information up to SECRET level.
The assessment is based on the Australian government’s security requirements, as outlined in the Information Security Manual (ISM) and Protective Security Policy Framework (PSPF). The assessment aims to identify security risks and suggest mitigation measures for the system. The assessment outcomes are documented in a security assessment report, which is used by consumers to conduct their own assessment and authorisation of the system’s suitability for their security needs and risk appetite.
An IRAP assessment follows four stages: plan and prepare, define the scope of the assessment, assess the security controls, and produce the security assessment report and security controls matrix.
How long does an IRAP assessment take?
An IRAP assessment is a process that evaluates the security and privacy of a system or service against the Australian Government Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF). The IRAP assessment is conducted by an independent assessor who is certified by the Australian Signals Directorate (ASD).
The duration of an IRAP assessment depends on several factors, such as the complexity and scope of the system or service, the availability and quality of documentation, the level of engagement and cooperation from the system owner and stakeholders, and the number and severity of findings and recommendations.
According to the ASD, a typical IRAP assessment can take anywhere from four to 12 weeks, but some may take longer depending on the circumstances. The IRAP assessment consists of four phases: scoping, testing, reporting, and certification. Each phase can vary in length depending on the specific requirements and challenges of the system or service being assessed.
How do we prepare for an IRAP assessment??
To prepare for an IRAP assessment, you need to follow these steps:
- Identify the system or service that you want to assess and its security classification level.
- Contact an IRAP assessor who is certified by the ASD and has experience in assessing similar systems or services.
- Define the scope and objectives of the assessment with the IRAP assessor and agree on the terms of reference, timeline, and deliverables.
- Provide the IRAP assessor with all the relevant documentation and evidence that demonstrate how your system or service meets the ISM and PSPF requirements.
- Facilitate the IRAP assessor's access to your system or service and support them during the testing phase.
- Review the draft IRAP assessment report and provide feedback to the IRAP assessor.
- Implement the IRAP assessor's recommendations and remediate any findings or gaps identified in the report.
- Obtain the certification from the ASD or an authorised delegate that confirms your system or service is compliant with the ISM and PSPF.
What is the ISM and the PSPF?
The ISM and PSPF are two frameworks that guide the security and privacy of Australian Government information and systems.
The ISM stands for the Information Security Manual, which is a set of mandatory and non-mandatory controls that help protect information from cyber threats. The ISM covers topics such as governance, risk management, access control, encryption, incident response, and auditing.
The PSPF stands for the Protective Security Policy Framework, which is a set of mandatory requirements and guidance that help protect people, information, and assets from physical, personnel, and governance risks. The PSPF covers topics such as security culture, vetting, classification, storage, disposal, and reporting.
Both the ISM and PSPF are updated regularly by the ASD to reflect the changing threat environment and best practices. They are aligned with each other and with international standards such as ISO 27001 and ISO 31000.
How often are the ISM and PSPF updated?
The ISM and PSPF are updated regularly by the ASD to reflect the changing threat environment and best practices. They are aligned with each other and with international standards such as ISO 27001 and ISO 31000.
The ISM is updated twice a year, usually in March and December. The latest version of the ISM was released in December 2023. The ASD publishes a summary of the changes for each update on its website. The ISM is also available in the Open Security Controls Assessment Language (OSCAL) format.
The PSPF is updated as needed, depending on the feedback from stakeholders and the security risk context. The latest version of the PSPF was released in October 2020. The ASD provides guidance on how to report on the maturity and effectiveness of the PSPF implementation on its website.