The Australian Signals Directorate is supporting higher standards of cyber security assessment and training through the enhanced Information Security Registered Assessor Program (IRAP).
Following the independent review of its Cloud Services Certification Program (CSCP) and IRAP, ASD released an updated IRAP policy and new IRAP Assessor Training on 15 December 2020. Changes to the program include:
- Increases to the standard and consistency of cyber security advice provided by IRAP assessors, by requiring assessors to maintain and demonstrate ICT security knowledge.
- Enhanced governance arrangements to provide additional assurance that IRAP cyber security assessors are performing their roles as independent third parties.
- A minimum requirement for IRAP assessors to maintain a Negative Vetting Level 1 Security Clearance.
- A revised five-day IRAP training course, which covers both IRAP and Information Security Manual fundamentals.
The updated IRAP policy and training have been co-designed by ASD with government and industry representatives through a series of Consultative Forums to improve the culture and governance of the program.
IRAP Assessor Training is now available through CIT Solutions Pty Ltd and the Australian Cyber Collaboration Centre.
In conjunction with the release of the updated policy and IRAP Assessor Training, ASD is now accepting applications for IRAP assessors.
The policy will apply to all assessments initiated after 15 December 2020, and current IRAP assessors will have 24 months to meet new requirements outlined in the policy.
ASD will continue to provide updates to the IRAP community on the enhancement of the program.
This web page and the sections below will be updated with new information and resources as they become available.
What IRAP does
IRAP endorses individuals from the private and public sectors to provide cyber security assessment services to Australian governments.
ASD endorses suitably qualified ICT professionals to provide relevant security services which aim to secure broader industry and Australian Government information (and associated) systems.
Endorsed IRAP assessors assist in securing your ICT networks by independently assessing your security compliance, suggesting mitigations and highlighting residual risks. IRAP assessors can provide assessment up to the TOP SECRET level for:
IRAP assessors do not accredit, certify, endorse or register systems on behalf of ASD. The scope of an IRAP assessment will generally not cover all Australian Government Information Security Manual (ISM) controls and a completed IRAP assessment does not inherently imply that a system is compliant with the tested controls.
As such, it is essential for customers to read and understand an IRAP assessment report or letter of completion to determine whether a system has been tested against, and meets, their security requirements.