The Australian Signals Directorate (ASD), via the Infosec Registered Assessors Program (IRAP), provides organisations with access to cyber security professionals to conduct high-quality, independent security assessment services.
An IRAP security assessment helps organisations understand their systems' security strengths and weaknesses and provides recommendations that can be used as part of their organisational security program.
ASD endorses individuals from the private and public sectors to provide security assessment services with the aim of enhancing the security of broader industry and Australian Government systems and data.
Endorsed IRAP Assessors assist organisations to secure their systems and data by independently assessing their cyber security posture, identifying security risks and suggesting mitigation measures.
IRAP Assessors can provide security assessments of SECRET and below for:
IRAP Assessors do not accredit, certify, endorse or register systems on behalf of ASD. The scope of a security assessment will generally not cover all ISM security controls, and a completed security assessment does not inherently imply that a system is compliant with the tested security controls. As such, it is essential that customers read and understand security assessment reports or letters of completion to determine what a system has been tested against and whether it meets their cyber security requirements.
ASD publishes a guide on how to become endorsed as an IRAP assessor; refer to it for the endorsement process. This wiki is aimed at people who are already endorsed IRAP assessors or are responsible for designing or operating systems that need to be assessed.
Reviews the system architecture, the suite of system security documentation, and any other relevant artefacts, including but not limited to:
Highlights key security areas of concern and gives an overall picture of documented security practices.