The Australian Signals Directorate is supporting higher standards for security assessments and training through the enhanced Infosec Registered Assessor Program (IRAP).
Following the independent review of its Cloud Services Certification Program (CSCP) and IRAP, ASD released an updated IRAP policy and new IRAP Assessor Training on 15 December 2020. Changes to the program include:
- Increases to the standard and consistency of cyber security advice provided by IRAP assessors, by requiring assessors to maintain and demonstrate cyber security knowledge.
- Enhanced governance arrangements to provide additional assurance that IRAP assessors are performing their roles as independent third parties.
- A minimum requirement for IRAP assessors to maintain a Negative Vetting Level 1 security clearance.
- A revised five-day IRAP training course, which covers both IRAP and Australian Government Information Security Manual (ISM) fundamentals.
The updated IRAP policy and training have been co-designed by ASD with government and industry representatives through a series of consultative forums to improve the culture and governance of the program.
IRAP Assessor Training is now available through CIT Solutions Pty Ltd and the Australian Cyber Collaboration Centre.
In conjunction with the release of the updated policy and IRAP Assessor Training, ASD is now accepting applications for IRAP assessors.
The policy will apply to all security assessments initiated after 15 December 2020, and current IRAP assessors will have 24 months to meet new requirements outlined in the policy.
ASD will continue to provide updates to the IRAP community on the enhancement of the program.
This web page and the sections below will be updated with new information and resources as they become available.
What IRAP does
IRAP endorses individuals from the private and public sectors to provide security assessment services.
ASD endorses suitably qualified cyber security professionals to provide relevant services which aim to secure broader industry and Australian Government systems and data.
Endorsed IRAP assessors assist in securing your systems and data by independently assessing your cyber security posture, identifying security risks and suggesting mitigation measures.
IRAP assessors can provide security assessments of SECRET and below for:
IRAP assessors do not accredit, certify, endorse or register systems on behalf of ASD. The scope of a security assessment will generally not cover all Australian Government Information Security Manual (ISM) security controls, and a completed security assessment does not inherently imply that a system is compliant with the tested security controls. As such, it is essential for customers to read and understand security assessment reports or letters of completion to determine what a system has been tested against and whether it meets their cyber security requirements.
Who are IRAP Assessors?
IRAP Assessors are ASD-certified ICT professionals from across Australia who have the necessary experience and qualifications in ICT, security assessment and risk management, and a detailed knowledge of Australian Government information security compliance requirements.
Why engage an IRAP Assessor?
An IRAP Assessor will assist you to navigate the accreditation framework by helping you to understand and implement Australian Government security standards, requirements, controls and recommendations.
Who are ASD's training providers?
ASD endorses ICT training providers to develop and facilitate IRAP New Starter Training.
ASD Certified Gateways
Gateway services that are used by multiple government agencies must be IRAP assessed and certified by the Australian Signals Directorate (ASD), with agencies using the service awarding accreditation.
The Cloud Services Certification Program (CSCP) ceased on 2 March 2020. The Australian Cyber Security Centre (ACSC) ceased the Certified Cloud Services List (CCSL) on 27 July 2020 and concurrently released the Cloud Security Guidance package.
IRAP Community feedback form
The IRAP Community feedback form allows the community to comment on a range of topics about the course.