Complete Infosec Registered Assessors Program (IRAP) guidance, from documentation to continuous monitoring. Our local team has specialized expertise and will work with you during your business hours, whichever hemisphere you’re in.
38North Security has successfully taken organizations through the whole IRAP journey —
the first step to opening up new markets.
Trust Us to Get You There.
As former Australian defense insiders, FedRAMP staffers, and experts in other compliance frameworks, the depth and breadth of our capability is unparalleled. 38North Security’s experience ensures the elimination of common errors in the authorization process, cutting down on expenses and reducing compliance risk. We stay on top of shifts in the compliance landscape, so you’re never blindsided by changes in the process. Let us streamline your path to IRAP certification — and beyond.
The Australian IRAP compliance assessment process is deceptively long and complex, with updates to the Information Security Manual (ISM) being published by the Australian Cyber Security Centre (ACSC) on a quarterly basis. The applicant and the assessor determine the size and scope of the assessment, meaning there can be a great deal of variability. Fortunately, 38North is an established cloud security compliance advisory firm — providing expert guidance and support — to help you define your boundary and ensure that your compliance posture is clear when undergoing an IRAP assessment. No matter where you are in your IRAP compliance assessment process, 38North can make it easier.
IRAP assessor informs the ASD IRAP Administrator of the IRAP engagement and conducts planning activities, to include developing a security assessment plan.
IRAP assessment team, in conjunction with the System Owner, defines and validates the scope of both the authorisation boundary of the system under assessment, as well as the security controls application to the assessment. Any system components or environments deemed out-of-scope are clearly documented and accompanied by a justification for its exclusion from the assessment.
IRAP assessor performs a design effectiveness review and an operational effectiveness review by collecting evidence and conducting interviews to determine the implementation status of security controls.
IRAP Assessor produces a security assessment report and security controls matrix that describes:
The IRAP SAR does not provide a risk assessment of ineffective controls, but identifies the security risks and risk mitigating controls for the consumer to analyze.
The IRAP SAR and SCM are made available to agencies. Each agency will take the reports as input during their own assessment process to determine if the risk of using the system in their environment is acceptable.
Undergoing an IRAP assessment can be a challenging process due to the complexity and rigor of the security requirements, as well as the quarterly updates to the ISM. Overall, these challenges can cause delays and increased costs in pursuing Australian Federal customers and contracts.
Each contractor must understand their business and risk posture to properly scope their cybersecurity practices to meet the requirements of the ISM. Failure to have an appropriate plan can result in an IRAP assessment showing the implementation of controls is neither appropriate nor effective across the environment.
Companies are challenged to understand what they must do to demonstrate compliance with ISM requirements and the number of IRAP-certified assessors is limited. 38North is one of the few companies in the United States that partners with certified assessors that have a long history of expert in-country security services.
Organisations must also maintain their cybersecurity posture over time in order to keep up with evolving threats and quarterly changes to the ISM requirements. This involves regularly monitoring systems and documenting changes made to their security architecture throughout the certification process.
38North can help you demonstrate ISM compliance, no matter where you are in the process.
We start by helping you understand what data you have that must be protected . This lets us know what assets are in scope, and excludes those that aren’t.
Our workshops get you started — with control requirement training and consulting. We also help by using Australian Federal Government practices to design systems and approaches that will withstand IRAP assessments.
Gap analyses help cloud providers and contractors understand what they need to do to comply with the ISM. Our gap analysis will find your gaps against the requirements and deliver a prioritized roadmap of actions required to close compliance gaps.
38North’s senior security advisors can help you design, deploy, document and maintain a scalable security approach that meets your desired ISM compliance level.
The IRAP assessor will request documentation and artifacts that show the appropriateness and effectiveness of the system’s security controls. This includes policies, procedures, and samplings of artifacts to show procedures are being followed in a consistent and repeatable manner. 38North advisors can work with your teams and help with developing this documentation, in preparation for assessment.
Typically, you should be prepared to present the following documentation, as a baseline:
The system owner will compile an Authorisation Package to submit to the authorising authority. In addition to the Security Assessment Report, it should contain:
Book an initial IRAP conversation with one of our Australian cloud security experts today and we’ll help you achieve your goal of IRAP compliance — and stronger security.
5335 Wisconsin Ave, N.W. Suite 640
Washington, D.C. 20015
202.640.1472
