IRAP Frequently Asked Questions



What is IRAP?


The Information Security Registered Assessors Program (IRAP) is an initiative of the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC) to ensure the standard of cybersecurity and information security assessments for Information and Communications Technology (ICT) systems that process or store government information. A certified IRAP Assessor’s role is to conduct independent assessments of any system, network or gateway, for compliance with the Australian Government Information Security Manual (ISM), the Protective Security Policy Framework (PSPF) and other Australian Government guidance, to ensure the safety of government information. An assessment is the first stage in the process towards achieving Australian Government security accreditation for suitability to process, store or communicate government or sensitive information.


Why conduct an IRAP Assessment?


Cybersecurity and information security are a top national security priority for government, aimed at preventing cyber intrusions into government systems, critical infrastructure and other information networks that could threaten Australia’s national security and national interests.

An Information Security Registered Assessors Program (IRAP) assessment is the first stage in the process towards achieving accreditation for suitability to process, store or communicate government or sensitive information. Government agencies and commercial Information and Communications Technology (ICT) systems, Cloud providers, Networks and Gateways that process or store government information (or wish to do so) are required to achieve and maintain Australian Government security accreditation by demonstrating compliance with the Australian Government Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF) and other Australian Government guidance.


Who is responsible for IRAP?


The Information Security Registered Assessors Program (IRAP) is an initiative of the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC).


Who are IRAP Assessors?


Information Security Registered Assessors Program (IRAP) Assessors are Australian Signals Directorate (ASD)-certified Information and Communications Technology (ICT) professionals from across Australia who have:

  • the necessary experience and qualifications in ICT, security assessment and risk management, and
  • a detailed knowledge of Australian Government information security compliance requirements.*

Becoming a certified IRAP assessor requires extensive prerequisite qualifications and experience and the completion of IRAP training and examinations. Thereafter, IRAP assessors are required to maintain these prerequisite qualifications and complete annual training.

Shearwater has several Security Consultants who are certified IRAP Assessors.

* ACSC, Who are IRAP Assessors?, accessed 9 October 2018, <https://acsc.gov.au/infosec/irap/who_assessors.htm>.


What can an IRAP Assessor assess?


Assessments of up to SECRET classified systems can be undertaken by agency Information Technology Security Managers (ITSMs) and Information Security Registered Assessors Program (IRAP) Assessors. Assessments of TOP SECRET systems can only be undertaken by the Australian Signals Directorate (ASD) and IRAP Assessors with appropriate clearance.

IRAP Assessors may provide assessment for:

  • Cloud services
  • Gateways
  • Information systems
  • Gatekeeper
  • FedLink


What is the Australian Government security accreditation process?


The accreditation process is as follows:

  1. Assessment
    • Audit stage 1 – the Assessor provides a Findings Report to the system owner
    • The system owner implements controls
    • Audit stage 2 – when the controls have been met, an Audit Report is sent to the Certification Authority
  2. The Certification Authority assesses the Audit Report and residual risk. If successful:
  3. Certification is awarded. The Certification Report is then sent to the Accreditation Authority.
  4. The Accreditation Authority assesses the Certification Report, residual risk and other factors. If successful:
  5. Accreditation is awarded.*

Reaccreditation is generally required every 2-3 years. For Australian Signals Directorate (ASD) Certified Cloud Services, ASD recertification is required every 2 years for UNCLASSIFIED DLM services and every 1 year for PROTECTED services.

* Abbreviation of process described by ACSC, Accreditation, accessed 9 October 2018, <https://acsc.gov.au/infosec/irap/accreditation_framework.htm>.


What is the IRAP Assessment process?


An Information Security Registered Assessors Program (IRAP) assessment has two stages:

  • Audit Stage 1 – Security deficiencies are identified and a Findings Report is provided to the System Owner.
  • Audit Stage 2 – Remediated security deficiencies are audited and an Audit Report is sent to the Certification Authority.

During Audit Stage 1, the IRAP Assessor:

  • defines the statement of applicability in consultation with the system owner
  • gains an understanding of the system
  • reviews the system architecture and the suite of system security documentation, including:
  • seeks evidence of compliance with Australian Government Information and Communications Technology (ICT) requirements and recommendations, and
  • highlights effectiveness of ICT controls and recommends actions to address or mitigate non-compliance.

The outcome of a Stage 1 Security Assessment is a Findings Report, given to the System Owner.

During Audit Stage 2, the IRAP Assessor looks deeper into the system’s operation, focusing on seeking evidence of compliance with, and the effectiveness of, security controls. The IRAP Assessor will conduct a site visit where they will:

  • conduct interviews with key personnel
  • investigate the implementation and effectiveness of security controls in reference to the security documentation suite, and
  • sight all physical security and information system certifications and any related waivers.

The outcome of a Stage 2 Security Assessment is an Audit Report, given to the Certification Authority that:

  • describes areas of compliance and non-compliance
  • suggests remediation actions, and
  • makes a certification recommendation.

The Certification Authority uses the report to:

  • assess the residual risk relating to the operation of the system
  • assess any remediation activities the system owner has undertaken, and
  • make a decision on whether to grant certification.

* ACSC, What is an IRAP Assessment?, accessed 9 October 2018, <https://acsc.gov.au/infosec/irap/irap_assessments.htm>.


Who is the Certifying Authority and what is their role?


The Certification Authority for government systems is generally the owning agency’s Information Technology Security Advisor (ITSA). The Australian Signals Directorate (ASD) is the Certification Authority for all TOP SECRET systems and for gateways and cloud services hosting multiple government agencies. The Certification Authority is responsible for reviewing the Audit Report provided by the Information Security Registered Assessors Program (IRAP) Assessor. Certification will be awarded if the Certification Authority is satisfied that:

  • The system has been appropriately audited, and
  • Associated security controls have been implemented and are operating effectively.

The Certification Authority will then make a recommendation to the Accreditation Authority based on any identified non-compliance and mitigation strategies.*

* ACSC, Accreditation, accessed 9 October 2018, <https://acsc.gov.au/infosec/irap/accreditation_framework.htm>.


Who is the Accreditation Authority and what is their role?


The Accreditation Authority is typically the agency head or a senior executive who has an appropriate level of understanding of the risks they are accepting on behalf of the agency. The Accreditation Authority:

  • Accepts any residual risks that were identified during the audit and certification process, and
  • Awards accreditation.

Accreditation of a system ensures that either sufficient security issue remediation has been achieved or that deficiencies have been accepted by an appropriate authority.*

* ACSC, Accreditation, accessed 9 October 2018, <https://acsc.gov.au/infosec/irap/accreditation_framework.htm>.


What is the Protective Security Policy Framework (PSPF)?


The Protective Security Policy Framework (PSPF) is the responsibility of the Attorney-General’s Department. Its purpose is to provide policy, guidance and best practice advice for security governance, personnel security, physical security and information security for government agencies or commercial Information and Communications Technology (ICT) systems, Cloud providers, Networks and Gateways that process or store government information.*

* Australian Government Attorney-General’s Department, The Protective Security Policy Framework, accessed 9 October 2018, <https://www.protectivesecurity.gov.au/Pages/default.aspx>.


What is the Australian Government Information Security Manual (ISM)?


The Australian Government Information Security Manual (ISM) is the responsibility of the Australian Signals Directorate (ASD), through the Australian Cyber Security Centre (ACSC). It is the standard which governs the security of government Information and Communications Technology (ICT) systems. All government agencies and commercial ICT systems, Cloud providers, Networks and Gateways that process or store government information are required to comply with the ISM.


How often is reaccreditation required?


Reaccreditation is generally required every 2-3 years. For Australian Signals Directorate (ASD) Certified Cloud Services, ASD recertification is required every 2 years for UNCLASSIFIED DLM services and every 1 year for PROTECTED services.


How long does an IRAP Assessment take?


The length of an Information Security Registered Assessors Program (IRAP) Assessment varies with the complexity of the system being assessed. Typically, it ranges from 1-3 months.


What is an organisation expected to do during an IRAP Assessment?


Your organisation will be expected to participate in several activities throughout the Information Security Registered Assessors Program (IRAP) assessment, including:

  • scheduling and participating in interviews with key stakeholders
  • organising the IRAP Assessor’s access to all system documentation
  • with the guidance of the IRAP Assessor, scheduling meetings with system administrators, engineers and/or security operations personnel to validate the implementation of security controls, and
  • outlining and demonstrating any additional security controls implemented.


Useful Links