Who is required to be compliant?
Government agencies, and commercial ICT systems, cloud providers, networks and gateways that process or store government information (or wish to do so), are required to comply with the ISM and PSPF and must achieve and maintain Australian Government security accreditation.
Experienced IRAP Assessors
Shearwater’s IRAP-certified Security Consultants have extensive experience in conducting IRAP assessments and providing guidance for achieving and maintaining Australian Government security accreditation. They can also assist you with the development of your compliance framework, gap analysis, risk assessments, remediation, security advice, security solution design, product implementation and management, and more.
Scope of the Service
An IRAP scope definition focusses on clearly identifying and categorising the technologies and operations that are within scope for a given system. This scope is used to build a Statement of Applicability (SOA) for the system(s). The SOA will then be used as the foundation for PSPF/ISM compliance activities as well as the IRAP assessment process for the system(s).
PSPF/ISM Compliance Preparation
Often defined by a gap analysis, PSPF/ISM Compliance Preparation may include writing or updating documentation, conducting risk assessments, architectural reviews, control implementation and other activities that may be necessary to prepare for an IRAP Assessment.
Certified Cloud Services List (CCSL) Assessment
A Cloud IRAP assessment comprises two separate stages, both of which are used to identify a cloud vendor’s compliance with ISM controls (and/or the ability to meet the intent of any one control to an acceptable level of risk) and include continual and open liaison with the Certification Authority (CA). On completion of the assessment, a detailed IRAP security assessment report is issued, which the CA uses to investigate all compliant and non-compliant controls and determine a certification outcome. When certification is awarded, the CA issues a certification letter and report, and the cloud service is added to the published Certified Cloud Services List (CCSL). Re-certification is required periodically, according to the cloud vendor’s classification level.
What Our Customers Say
“We chose to engage an Australian company called Shearwater to lead that (IRAP) assessment because of their reputation for rigour and expertise.”
“Security is an on-going process, and as an IT Security Advisor, I am comfortable with having a peer company like Shearwater to rely upon. If I have an issue or need advice I am confident that Shearwater can provide a pragmatic and cost-effective solution.”