What is an IRAP Assessment?
Cybersecurity and information security are a top national security priority for government, with the aim of preventing cyber intrusions on government systems, critical infrastructure and other information networks that could threaten Australia’s national security interests.
The Australian Signals Directorate (ASD), through the Australian Cyber Security Centre (ACSC), provides cybersecurity advice and assistance to Australian Government, businesses and individuals.
The ACSC produces programs, strategies and standards including the ISM, IRAP and guidance on fortifying security technologies.
Experienced IRAP Assessors
Scope of the Service
An IRAP scope definition focusses on clearly identifying and categorising the technologies and operations that are within scope for a given system. This scope is used to build a Statement of Applicability (SOA) for the system(s). The SOA will then be used as the foundation for PSPF/ISM compliance activities as well as the IRAP assessment process for the system(s).
PSPF/ISM Compliance Preparation
Often defined by a gap analysis, PSPF/ISM Compliance Preparation may include writing or updating documentation, conducting risk assessments, architectural reviews, control implementation and other activities that may be necessary to prepare for an IRAP Assessment.
Certified Cloud Services List (CCSL) Assessment
A Cloud IRAP assessment consists of two separate stages. Both stages are used to identify a cloud vendor’s compliance with ISM controls (and/or the ability to meet the intent of any one control to an acceptable level of risk), and both include continual and open liaison with the Certification Authority (CA). On completion of the assessment, a detailed IRAP security assessment report is issued, which the CA uses to investigate all compliant and non-compliant controls and determine a certification outcome. When certification is awarded, the CA issues a certification letter and report, and the cloud service is added to the published Certified Cloud Services List (CCSL). Re-certification is required periodically, according to the cloud vendor’s classification level.