IRAP Framework
The Information Security Registered Assessors Program (IRAP) enables Australian Government customers to validate that appropriate controls are in place and determine the appropriate responsibility model for addressing the requirements of the Australian Government Information Security Manual (ISM) produced by the Australian Cyber Security Centre (ACSC).
What is an IRAP Assessment?
The assessment is an activity undertaken by an IRAP Assessor to assess security controls for a system and its environment to determine if they have been implemented correctly and are operating as intended.
It’s important to note that assessors themselves do not issue any sort of accreditation or certification. Assessments are carried out in several stages. The first step is to plan and prepare for the assessment, which includes reaching agreement with the System Owner on resources, key people, milestones and timeframe, security clearances, etc.
Why is IRAP important and what are the assessment steps?
Adopting the Information Security Registered Assessors Program (IRAP) framework in Australia offers several benefits, particularly for organisations involved in government projects or handling sensitive government information.
1. Pre-engagement Activities
- Scoping: Define the scope of the assessment, including the systems and boundaries to be evaluated.
- Documentation Review: Assess relevant documentation, including security policies, procedures, and system architecture.
2. Security Control Assessment
- Interviews: Conduct interviews with key stakeholders to gather information about the organisation's security controls and practices.
- Documentation Validation: Verify the implementation of security controls through the examination of documentation.
- Technical Testing: Perform technical testing to evaluate the effectiveness of controls.
3. Security Assessment Report (SAR)
- Compile Findings: Document the findings of the assessment, including strengths, weaknesses, and recommendations.
- Risk Assessment: Conduct a risk assessment to identify and evaluate potential risks to the ICT system.
4. Accreditation Documentation
- Accreditation Package: Develop an accreditation package that includes the Security Assessment Report (SAR), risk assessments, and other relevant documentation.
- Accreditation Decision Support: Provide information to support the accreditation decision-making process.
5. Accreditation Decision
- Accreditation Authority Approval: Submit the accreditation package to the Accreditation Authority for review and approval.
- Accreditation Decision: The Accreditation Authority makes a decision on whether to accredit the ICT system.
6. Continuous Monitoring and Review
- Ongoing Monitoring: Implement continuous monitoring practices to ensure that security controls remain effective over time.
- Periodic Reviews: Conduct periodic reviews and assessments to address changes in the security landscape and technology environment.
7. Documentation and Reporting
- Documentation Updates: Keep documentation up-to-date to reflect changes in the ICT system and security controls.
- Reporting: Provide regular reports on the security status of the ICT system to relevant stakeholders.