IRAP Assessment

What is the Infosec Registered Assessors Program (IRAP)?

The Infosec Registered Assessors Program (IRAP) is an Australian Signals Directorate initiative that endorses cyber security professionals to provide security assessment services to the Australian Government and the private sector. IRAP endorsed cyber security professionals are known as IRAP Assessors.

What is an IRAP Assessment?

An IRAP Assessment is an independent security assessment, performed by an IRAP Assessor, of a system or an environment’s cyber security posture and it’s alignment to Australian Government cyber security frameworks and publications, including:

• The Information Security Manual (ISM),
• The Protective Security Policy Framework (PSPF), and,
• Other Australian Government security guidance and advice.

What is the IRAP Assessment Process?

The approach to each IRAP assessment will depend on the size and complexity of the system being assessed, however all assessments include the same four stages.

Stage 1: Plan and prepare

• After consulting the client, a IRAP assessment plan will be produced which will outline the following:
  • The schedule,
  • How access to resources such as documentation, systems, tools, personnel, and facilities will be provided,
  • The system and control testing activities,
  • The evidence collection and protection process,
  • The version of the Information Security Manual that will be used.

Stage 2: Define the scope of the assessment

• The IRAP assessor will work with the client to define the scope of the assessment. The scope includes the system or environment to be assessed, as well as all security controls applicable to the environment. Further considerations include:
  • The system or environment being assessed and whether it’s in production or test,
  • The intended security classification of the data stored, processed, or communicated by the system or environment,
  • The authorisation boundary of the system or environment including the people, processes, technologies, and facilities that the system or environment depends on or that could impact it’s security posture.
• In determining the scope, the assessor will have to gain an understanding of:
  • The systems functionality, processes, data, users, architecture, and technology stack,
  • Any third-party suppliers or vendors responsible for providing security controls,
  • Any shared responsibility of security functions and any security control inheritance.
• Out-of-scope components should also be documented.

Stage 3: Assess the security controls

• Design effectiveness review
  The IRAP assessor evaluates the system documentation, such as the system security plan (SSP), system architecture, security policies, and standard operating procedures (SOPs) to ensure that relevant controls have been identified for the system and that unique risks have been addressed. Personnel interviews may be conducted to validate the accuracy of the documentation or to fill in any gaps.
• Operational effectiveness review
  The IRAP assessor performs control validation activities to determine if the documented security controls have been implemented and are operating effectively. This involves a combination of personnel interviews, live demonstrations, system testing, and site inspections (if applicable). The operational effectiveness review provides a higher level of assurance regarding the implementation and effectiveness of security controls.
• IRAP assessors need to consider the quality of evidence provided during the assessment and its impact on the assessment outcomes. The objective is to review evidence that provides a high level of assurance regarding the implementation of security controls. If the assessor is unable to obtain sufficient evidence, this limitation should be documented in the security assessment report.

Stage 4: Produce the security assessment report and security controls matrix

• After completing the assessment, the IRAP assessor prepares an IRAP report that documents the assessment’s outcomes. The report includes the following information:
  • Scope: Describes the extent of the security assessment.
  • Effectiveness of security controls: Assesses the implementation of security controls and determines their effectiveness.
  • Security risks: Identifies and describes the risks associated with operating the system.
  • Recommended remediation actions: Provides suggestions for addressing any identified issues or vulnerabilities.
• It’s important to note that IRAP assessors do not perform a risk assessment of ineffective controls. Instead, they focus on identifying security risks and suggesting risk mitigating controls. The consumer of the report is responsible for assessing the level of risk exposure in their environment.
• The IRAP assessor documents the Security Controls Matrix (SCM) or Cloud SCM (CSCM), which contains assessment observations for each ISM control.

Who should engage an IRAP Assessor?

• Any entity, including non-government organisations, could benefit from an IRAP assessment of their systems or environments.
• Security assessments of systems or environments classified as SECRET or below can be undertaken by an organisations internal security assessors, however, it’s strongly recommended that a third-party, independent IRAP assessor be engaged to perform an IRAP assessment.
• For commercial or government gateways, as well as outsourced cloud service providers and their cloud services, an IRAP assessment carried out by an independent IRAP assessor is mandatory.

Official IRAP Resources

---