IRAP update The Australian Signals Directorate is supporting higher standards for security assessments and training through the enhanced Infosec Registered Assessor Program (IRAP). Following the independent review of its Cloud Services Certification Program (CSCP) and IRAP, ASD has released an updated IRAP policy and new IRAP Assessor Training on 15 December 2020. Changes to the program include: Increases to the standard and consistency of cyber security advice provided by IRAP assessors, by requiring assessors to maintain and demonstrate cyber security knowledge. Enhanced governance arrangements to provide additional assurance that IRAP assessors are performing their roles as independent third parties. A minimum requirement for IRAP assessors to maintain a Negative Vetting Level 1 security clearance. A revised five-day IRAP training course, which covers both IRAP and Information Security Manual (ISM) fundamentals. The updated IRAP policy and training has been co-designed by ASD with government and industry representatives through a series of consultative forums to improve the culture and governance of the program. IRAP Assessor Training is now available through CIT Solutions Pty Ltd and the Australian Cyber Collaboration Centre. In conjunction with the release of the updated policy and IRAP Assessor Training, ASD is now accepting applications for IRAP assessors. The policy will apply to all security assessments initiated after 15 December 2020, and current IRAP assessors will have 24 months to meet new requirements outlined in the policy. ASD will continue to provide updates to the IRAP community on the enhancement of the program. This web page and the sections below will be updated with new information and resources as they become available. What IRAP does IRAP endorses individuals from the private and public sectors to provide security assessment services. ASD endorses suitably-qualified cyber security professionals to provide relevant services which aim to secure broader industry and Australian Government systems and data. Endorsed IRAP assessors assist in securing your systems and data by independently assessing your cyber security posture, identifying security risks and suggesting mitigation measures. IRAP assessors can provide security assessments of SECRET and below for: ICT systems Cloud services Gateways Gatekeeper FedLink IRAP assessors do not accredit, certify, endorse or register systems on behalf of ASD. The scope of a security assessment will generally not cover all ISM security controls and a completed security assessment does not inherently imply that a system is compliant with the tested security controls. As such, it is integral for customers to read and understand security assessment reports or letters of completion to determine what a system has been tested against and if it meets their cyber security requirements. Who are IRAP Assessors? IRAP Assessors are ASD-certified ICT professionals from across Australia who have the necessary experience and qualifications in ICT, security assessment and risk management, and a detailed knowledge of ASD's Information Security Manual. Why engage an IRAP Assessor? An IRAP Assessor will assist you by helping you to understand and implement security controls and recommendations to protect your systems and data. IRAP Assessors ASD's IRAP endorses qualified security professionals to provide information security services. Who are ASD's training providers? ASD endorses ICT training providers to develop and facilitate IRAP New Starter Training. IRAP resources IRAP resources Gateway Security Guidance Package Intent of the guidance The gateway security guidance package is designed to assist organisations to make informed risk-based decisions when designing, procuring, operating, maintaining or disposing of gateway services and captures contemporary better practices. Cloud Services The Cloud Services Certification Program (CSCP) ceased on 2 March 2020. The Australian Cyber Security Centre (ACSC) ceased the Certified Cloud Services List (CCSL) on 27 July 2020 and concurrently released the Cloud Security Guidance package. IRAP application form IRAP application form IRAP Conflict of Interest Declaration IRAP assessors are often entrusted to sensitive information. Additionally, they may be responsible for contributing toward the information security of a Government entity. It is therefore critical that ASD is aware of any potential conflicts of interest to maintain a high level of confidence and trust in IRAP assessors. IRAP Community feedback form IRAP Community feedback form for the community to comment on a range of topics about the course IRAP Assessment feedback form IRAP Assessment feedback form for IRAP assessments
Who are IRAP Assessors? IRAP Assessors are ASD-certified ICT professionals from across Australia who have the necessary experience and qualifications in ICT, security assessment and risk management, and a detailed knowledge of ASD's Information Security Manual.
Why engage an IRAP Assessor? An IRAP Assessor will assist you by helping you to understand and implement security controls and recommendations to protect your systems and data.
IRAP Assessors ASD's IRAP endorses qualified security professionals to provide information security services.
Who are ASD's training providers? ASD endorses ICT training providers to develop and facilitate IRAP New Starter Training.
Gateway Security Guidance Package Intent of the guidance The gateway security guidance package is designed to assist organisations to make informed risk-based decisions when designing, procuring, operating, maintaining or disposing of gateway services and captures contemporary better practices.
Cloud Services The Cloud Services Certification Program (CSCP) ceased on 2 March 2020. The Australian Cyber Security Centre (ACSC) ceased the Certified Cloud Services List (CCSL) on 27 July 2020 and concurrently released the Cloud Security Guidance package.
IRAP Conflict of Interest Declaration IRAP assessors are often entrusted to sensitive information. Additionally, they may be responsible for contributing toward the information security of a Government entity. It is therefore critical that ASD is aware of any potential conflicts of interest to maintain a high level of confidence and trust in IRAP assessors.
IRAP Community feedback form IRAP Community feedback form for the community to comment on a range of topics about the course