Any Australian organisation can engage an IRAP Assessor, not just Australian government agencies.
IRAP Assessors provide assessment services based on:
- the Protective Security Policy Framework (PSPF)
- the Australian Government Information Security Manual (ISM), and
- other Australian Government security guidance and advice.
You can select an IRAP Assessor here.
IRAP Assessors will:
- learn and understand your system architecture
- independently identify security compliance against Australian Government security policy
- ensure that the required physical certification has been attained
- ensure that assessed security controls are implemented and operating effectively
- propose mitigation strategies for any non-compliance, and
- assist you to understand the risks to your system.
IRAP services include providing advice for, and assessments of:
- specialised government network connections
- government systems
- system documentation, and
- risk mitigation.
When you engage an IRAP Assessor you:
- should clearly define the scope of work and expected deliverables, and
- must not define favourable assessment outcomes because this jeopardises the integrity of the assessment.
If you are engaging an IRAP Assessor to:
- re-certify a system, you should allow sufficient time to ensure the assessment can be completed before the current certification expires, or
- re-certify an ASD Certified PROTECTED Gateway, you should engage the IRAP Assessor approximately three months before the current certification expires.
ASD recommends seeking at least three quotes when engaging an IRAP Assessor. Note that ASD does not recommend specific IRAP Assessors, nor does it assist in selecting an IRAP Assessor for a particular task.
Do not restrict engagement to those IRAP Assessors geographically closest to you.