The Infosec Registered Assessors Program (IRAP) ensures entities can access high-quality security assessment services.
The Australian Signals Directorate is supporting higher standards for security assessments and training through the enhanced Infosec Registered Assessors Program (IRAP).
Following the independent review of its Cloud Services Certification Program (CSCP) and IRAP, ASD released an updated IRAP policy and new IRAP Assessor Training on 15 December 2020. Changes to the program include:
- Increases to the standard and consistency of cyber security advice provided by IRAP assessors, by requiring assessors to maintain and demonstrate cyber security knowledge.
- Enhanced governance arrangements to provide additional assurance that IRAP assessors are performing their roles as independent third parties.
- A minimum requirement for IRAP assessors to maintain a Negative Vetting Level 1 security clearance.
- A revised five-day IRAP training course, which covers both IRAP and Information Security Manual (ISM) fundamentals.
The updated IRAP policy and training have been co-designed by ASD with government and industry representatives through a series of consultative forums to improve the culture and governance of the program.
IRAP Assessor training is now available through CIT Solutions Pty Ltd and the Australian Cyber Collaboration Centre.
In conjunction with the release of the updated policy and IRAP Assessor Training, ASD is now accepting applications for IRAP assessors.
The policy will apply to all security assessments initiated after 15 December 2020, and current IRAP assessors will have 24 months to meet new requirements outlined in the policy.
ASD will continue to provide updates to the IRAP community on the enhancement of the program.
This web page and the sections below will be updated with new information and resources as they become available.
What IRAP does
IRAP endorses individuals from the private and public sectors to provide security assessment services.
ASD endorses suitably-qualified cyber security professionals to provide relevant services which aim to secure broader industry and Australian Government systems and data.
Endorsed IRAP assessors assist in securing your systems and data by independently assessing your cyber security posture, identifying security risks and suggesting mitigation measures.
IRAP assessors can provide security assessments of SECRET and below for:
- ICT systems
- Cloud services
IRAP assessors do not accredit, certify, endorse or register systems on behalf of ASD. The scope of a security assessment will generally not cover all ISM security controls, and a completed security assessment does not inherently imply that a system is compliant with the tested security controls. As such, it is essential for customers to read and understand security assessment reports or letters of completion to determine what a system has been tested against and whether it meets their cyber security requirements.
Who are IRAP Assessors?
IRAP Assessors are ASD-certified ICT professionals from across Australia who have the necessary experience and qualifications in ICT, security assessment and risk management, and a detailed knowledge of ASD's Information Security Manual.
Why engage an IRAP Assessor?
An IRAP Assessor will help you to understand and implement security controls and recommendations to protect your systems and data.
ASD's IRAP endorses qualified security professionals to provide information security services.
Who are ASD's training providers?
ASD endorses ICT training providers to develop and facilitate IRAP New Starter Training.
Gateway security guidance
This page lists the ACSC’s publications on the hardening of gateway services.
The Cloud Services Certification Program (CSCP) ceased on 2 March 2020.
IRAP Application form
Register to become an endorsed ASD IRAP assessor.
IRAP assessment feedback form
Provide feedback for a recent IRAP Assessment.
IRAP community feedback form
IRAP community members can provide comment on a range of topics about the course.