Infosec Registered Assessors Program (IRAP)
The Infosec Registered Assessors Program (IRAP) guarantees that organizations have access to top-tier security assessment services.
About IRAP
Australia’s IRAP (Information Security Registered Assessors Program) is an assessment ensuring robust cybersecurity measures for organisations. Established by the Australian Cyber Security Centre (ACSC), IRAP provides a comprehensive framework for assessing and enhancing the security posture of government and critical infrastructure entities.
An IRAP assessment is an independent assessment of the implementation, suitability and effectiveness of the security controls of a system. IRAP assessment outcomes are documented within a security assessment report which is used to enhance a system’s suitability for the security needs and risk appetite.
Enhancing cybersecurity resilience is paramount in today’s digital landscape. Australia’s IRAP assessment plays a pivotal role in this endeavor, offering a structured approach to assessing and mitigating cyber risks.
Understanding Australia’s IRAP assessment:
IRAP assessment is tailored for Australian government agencies and organisations handling critical infrastructure. It involves rigorous assessments conducted by certified IRAP assessors to evaluate an entity’s compliance with stringent security standards. The assessment process encompasses thorough reviews of security controls, risk management practices, and incident response capabilities.
Benefits of IRAP Assessment
- Enhanced Security Assurance: Achieving IRAP assessment demonstrates a commitment to robust cybersecurity practices, instilling confidence in stakeholders and customers.
- Regulatory Compliance: IRAP aligns with Australian government cybersecurity policies, ensuring adherence to regulatory requirements and industry best practices.
- Risk Mitigation: By identifying and addressing potential vulnerabilities, IRAP helps mitigate the risk of cyber threats and data breaches, safeguarding sensitive information.
- Competitive Advantage: Organizations holding IRAP assessment gain a competitive edge in procurement processes, as many government contracts require adherence to IRAP standards.
How to Obtain IRAP Assessment Report
To obtain IRAP assessment, organizations must undergo a rigorous assessment process by certified assessors.
- Engage Certified Assessors: Collaborate with certified IRAP assessors with expertise to guide you through the assessment process.
- Conduct Security Assessments: Undergo comprehensive security assessments to evaluate the effectiveness of your organization’s security controls and risk management strategies.
- Address Identified Gaps: Address deficiencies identified during the assessment phase, implementing necessary remediation measures to align with IRAP requirements.
- Submit Assessment Application: Once all requirements are met, submit your assessment application to the Australian Cyber Security Centre (ACSC) for review and approval.
Assessment Process
Assessment involves GCC IRAP Assessors assessing your organisation in order to ascertain that management systems meet the requirements. The IRAP assessment process contains four key stages as shown in the figure below.
Application and Preparation
- Application for assessment by client
- GCC will review and provide assessment proposal
- Client accepts the agreement and returns it to GCC
- GCC IRAP assessor informs the ASD IRAP Administrator of the IRAP engagement by submitting a Conflict of Interest (COI) declaration form
- IRAP Assessor and client confirm assessment start date, duration and milestones, and access to resources including documentation, systems, tools, personnel and facilities
The scope of the assessment
- The scope of an IRAP assessment should be defined by coming to an agreement with the client on the system version and environment under assessment, the intended security classification of the data stored, processed or communicated by the system, and the authorisation boundary of the system
- Version of the ISM that will be used for the assessment should be confirmed
- A security assessment plan will be prepared
Assessment of security controls
IRAP assessor reviews evidence provided by the client organisation to determine the implementation status of security controls. Security control review activities are divided into two categories:
1- Design effectiveness review and
2- Operational effectiveness review
Security assessment report
IRAP assessor produces a security assessment which includes:
• The scope of the security assessment.
• The effectiveness of the implementation of security controls.
• Security risks associated with the operation of the system.
• Any recommended remediation actions
In addition to the security assessment report, the IRAP assessor documents the security controls matrix (SCM) or cloud SCM (CSCM). The SCM contains assessment observations against each ISM control.
Frequently Asked Questions
Eligibility requirements for the Infosec Registered Assessors Program include a robust IT security background, relevant training completion, and a rigorous examination.
IRAP Assessors are ASD-certified ICT professionals from across Australia who have the necessary experience and qualifications in ICT, security assessment and risk management, and a detailed knowledge of ASD’s Information Security Manual.
An IRAP Assessor will assist you by helping you to understand and implement security controls and recommendations to protect your systems and data.
ASD endorses ICT training providers to develop and facilitate IRAP New Starter Training.
The time to complete the assessment process varies depending on individual preparation and scheduling availability but typically ranges from several weeks to a few months.