IRAP standards for the InfoSec Registered Assessors Program (IRAP) and was designed by the Australian Signals Directorate (ASD). ASD endorses suitably qualified cyber security professionals to provide relevant services which aim to secure broader industry and Australian Government systems and data. Endorsed IRAP Assessors assist in securing your systems and data by independently assessing an organisations cyber security posture, identifying security risks and suggesting mitigation measures. IRAP Assessors can provide security assessments of SECRET and below for ICT systems, Cloud services, Gateways, Gatekeeper and FedLink. IRAP Assessors do not accredit, certify, endorse or register systems on behalf of ASD.
The framework used within an IRAP assessment is known as the Information Security Manual (ISM) which was created by the Australian Cyber Security Centre (ACSC) and is updated on a monthly and/or quarterly basis. The purpose of the ISM is to outline a cyber security framework that an organisation can apply, using their risk management framework, to protect their systems and data from cyber threats.
The ISM is categorised into 22 cyber security guidelines and encompasses 800+ controls which are created to provide practical guidance on how an organisation can protect their systems and data from cyber threats. These cyber security guidelines cover governance, physical security, personnel security, and information and communications technology security topics.
The purpose of an IRAP assessment is for each organisation to consider a risk-based approach in determining which of the guidelines are relevant to each of the systems they operate when interacting with Australian Government data.
The role of an IRAP Assessor
IRAP Assessors are independent consultants that have been approved by the ASD to conduct security assessments and provide valuable recommendations for improvement. The approval process requires meeting the following requirements:
- Be an Australian citizen
- Have at least 5 years of experience in technical ICT and security systems including possession of relevant certifications
- Complete the IRAP Training Course
- Pass the IRAP Training Exam within 80% or higher score
Key benefits of engaging an IRAP Assessor
Engaging with an IRAP Assessor can provide numerous benefits for organisations aiming to enhance their security posture:
- Expert Knowledge: IRAP Assessors possess specialised knowledge and expertise in information security and risk management. Their experience allows them to identify potential vulnerabilities and propose effective strategies to mitigate risks.
- Independent Assessment: The independent nature of IRAP Assessors ensures an unbiased evaluation of an organisation’s security controls and practices. This objectivity adds credibility to the assessment process and provides organizations with a reliable benchmark for measuring their security maturity.
- Compliance and Trust: By engaging an IRAP Assessor, organisations demonstrate their commitment to maintaining high security standards and compliance with relevant regulations. This commitment helps build trust with stakeholders, clients, and customers, enhancing their confidence in the organisation’s ability to protect sensitive information.
Steps to applying a risk-based approach using the ISM
The risk management framework used by the ISM draws from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.
Broadly, the risk management framework used by the ISM has six steps which are listed below:
- Define the system: Determine the type, value and security objectives for the system based on an assessment of the impact if it were to be compromised. Document this in the system’s system security plan.
- Select controls: Select controls for the system and tailor them to achieve desired security objectives. While the cyber security guidelines can assist with risk identification and risk treatment activities, an organisation will still need to undertake their own risk analysis and risk evaluation activities due to the unique nature of each system, its operating environment and the organisation’s risk tolerances. Following the selection and tailoring of controls for a system, they should be recorded in the system’s Cloud Controls Matrix (CCM), system’s incident response plan and continuous monitoring plan. Finally, the selection of controls for a system, should be approved by the system’s authorising officer.
- Implement controls: Implement controls for the system and its operating environment. Once suitable controls have been identified for a system, and approved by its authorising officer, they should be implemented and documented in the system’s CCM.
- Assess controls: The IRAP Assessor will assess controls for the system and its operating environment to determine if they have been implemented correctly and are operating as intended. In conducting a security assessment, it is important that the IRAP Assessor and system owners first agree to the scope, type and extent of assessment activities. At the conclusion of a security assessment, an IRAP Cloud Security Assessment Report should be produced. This will assist in performing any initial remediation actions as well as guiding the development of the system’s plan of action and milestones.
- Authorise the system: Before a system can be granted authorisation to operate, sufficient information should be provided to the authorising officer, in order for them to make an informed risk-based decision as to whether the security risks associated with its operation are acceptable or not. This information should take the form of an authorisation package that includes (amongst other documents) the IRAP Cloud Security Assessment Report. IRAP Assessors do not accredit, certify, endorse or register systems on behalf of ASD.
- Monitor the system: Monitor the system, and associated cyber threats, security risks and controls, on an ongoing basis. Following the implementation or modification of any controls as a result of risk management activities, another security assessment should be completed. In doing so, the system’s authorisation package should be updated.
How to Prepare/ Plan for your Service
Are you ready to engage an IRAP Assessor? Follow these steps to begin your organisation’s journey:
- Ensure you are working with Australian Government data i.e., at rest, in transit or storing and your organisation requires compliance to security controls.
- Take a look at your network and system architecture and review the ISM controls and guidelines to determine what controls you think are in scope.
- Ensure that you have resources and time ready for the duration of the IRAP engagement.
- Prepare and create policies and procedures or update all internal processes, employee training and education and organise these documents into a shared file.