IRAP

Information Security Registered Assessors Program.

Information Security Registered Assessors Program (IRAP)

Mar 2, 2020 - The Information Security Registered Assessors Program (IRAP) ensures Commonwealth entities can access high-quality information and communications technology (ICT) assessment services.

IRAP Assessors

Apr 1, 2020 - The Australian Signals Directorate's (ASD) Information Security Registered Assessors Program (IRAP) endorses qualified ICT security professionals to provide information security services.

Latest news

Joint Australian Signals Directorate and Digital Transformation Agency Public Statement on Independent Review of CSCP and IRAP

Mar 2, 2020 - In late July 2019, the Australian Signals Directorate (ASD) commissioned an independent review of its Cloud Services Certification Program (CSCP) and Information Security Registered Assessors Program (IRAP). The Review considered the perspectives of industry and government stakeholders to ensure the proposed recommendations support Commonwealth entities, Australian businesses and the community while maximising cyber security and resilience to protect against evolving cyber threats. The review made the following recommendations:

Cloud Services

Mar 2, 2020 - ASD has certified the listed cloud service providers for specified cloud services. ASD has issued the providers with a Certification Letter outlining the details of the certification. This certification scheme has been discontinued as of March 2020. All existing certifications will expire in June 2020.

IRAP Tool Kit

Jul 1, 2018 - The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) initiative to provide high-quality information and communications technology (ICT) security assessment services to government. ASD endorses suitably-qualified ICT professionals to provide relevant security services which aim to secure broader industry and Australian Government information (and associated) systems. IRAP Assessors assist in securing your ICT networks by assessing your security compliance and highlighting the information security risks facing your organisation.

Accreditation

Jul 1, 2018 - Why Achieve Accreditation? Achieving system accreditation will: identify the strengths and weaknesses of your system, allow you to focus your resources on the areas most at risk, and highlight your system's security non-compliance and any associated residual risks. Determining the authorities in your system accreditation framework will identify clear lines of accountability. Segregating these authorities will provide you with an impartial framework with which to assess the security of your system.

ASD Certified Services

The Australian Signals Directorate (ASD) has certified gateway services for use by multiple government agencies for many years, and in 2015 commenced certifying cloud services too. Following a recommendation from an independent review, as of 2 March 2020 ASD will no longer be the Certification Authority for cloud services. All services listed on the Certified Cloud Services List (CCSL) will remain ASD-certified until 30 June 2020. All ASD certifications and re-certification letters will be void from this date.

Why Engage an IRAP Assessor?

An IRAP Assessor will assist you to navigate through the accreditation framework, by helping you to understand and implement Australian Government security: standards, requirements, controls, and recommendations. Any Australian organisation can engage an IRAP Assessor, not just Australian government agencies. IRAP Assessors provide assessment services based on:

ASD Certified Gateways

Gateway services that are used by multiple government agencies must be IRAP assessed and certified by the Australian Signals Directorate (ASD), with agencies using the service awarding accreditation. The following providers maintain a PROTECTED gateway environment for government use. This environment has been IRAP assessed and ASD certified.

What is IRAP?

The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) initiative to provide high-quality information and communications technology (ICT) security assessment services to government. ASD endorses suitably-qualified ICT professionals to provide relevant security services which aim to secure broader industry and Australian Government information (and associated) systems.

Who are IRAP Assessors?

IRAP Assessors are ASD-certified ICT professionals from across Australia who have: the necessary experience and qualifications in ICT, security assessment and risk management, and a detailed knowledge of Australian Government information security compliance requirements. Individuals can apply to become IRAP Assessors if they can:

Who are ASD's Training Providers?

ASD endorses ICT training providers to develop and facilitate IRAP New Starter Training. The course was developed to meet ASD IRAP Learning Outcomes. You have a choice of training providers:

What is an IRAP Assessment?

An IRAP Assessor will assess the implementation, appropriateness and effectiveness of your system's security controls. This is achieved through two security assessment stages, as dictated in the Australian Government Information Security Manual (ISM): A Stage 1 Security Assessment identifies security deficiencies which the system owner rectifies or mitigates. A Stage 2 Security Assessment assesses the residual compliance.

Compliance and Non-Compliance

There are two categories of compliance associated with ISM controls: 'must' and 'should'. These compliance requirements are determined according to the degree of security risk an agency would be accepting by not implementing the associated control. The Australian Signals Directorate's (ASD) assessment of whether a control is a 'must' or a 'should' is based on ASD's experience in providing cyber and information security advice and assistance to the Australian Government and reflects what ASD assesses the risk level to be.