What is the IRAP Compliance Process? A Comprehensive Guide

38North Security

Understanding the Information Security Registered Assessors Program (IRAP) is crucial for organizations aiming to work with the Australian Federal government. Organizations that achieve IRAP certification gain numerous benefits, such as:

  • Increased industry credibility;
  • Regulatory compliance;
  • Improved risk management;
  • Enhanced security posture; and
  • A competitive advantage — especially when bidding on Federal government contracts.

However, companies that want these benefits must earn them by undergoing an IRAP compliance assessment. It’s critical to understand the process and to be prepared to invest the time and resources necessary to achieve this level of security compliance.

What is an IRAP Compliance Assessment?

An IRAP compliance assessment is a process used to evaluate and certify the information security practices of organizations that handle sensitive government information. The IRAP is administered by the Australian Cyber Security Centre (ACSC) and aims to ensure that organizations meet specified security requirements for handling government data, according to the Information Security Manual (ISM). 

ISM: The Foundation of IRAP

The ISM, or Information Security Manual, is a framework that provides guidelines for Australian Federal government agencies and contractors on how to secure their information and communication technologies. It covers many aspects of security, from personnel roles and clearances to system management and incident response.

Aside from cyber security guidelines, the ISM also contains guidance on how to use the framework, definitions of terminology, an archive of updates over the years, and more.

The ISM aligns with international standards and best practices in information security. It incorporates concepts and controls from standards such as ISO/IEC 27001 and is designed to be adaptable to the evolving threat landscape.

The ISM continues to evolve to address emerging cyber security threats, technological changes, and the evolving landscape of government operations. 

The Importance of IRAP Compliance

IRAP compliance is essential for all Australian Federal government agencies that rely on cloud services. It demonstrates an organization’s commitment to robust security standards and effective risk management protocols. This compliance is not only a requirement for working with the government but also a mark of credibility and trust in the industry.

Need help with IRAP Compliance Assessment? Get in touch with a 38North Security expert today.

What is the IRAP Compliance Assessment Process?

The IRAP certification process is long and intricate. The process is also a dynamic one because the ISM is updated by the Australian Cyber Security Centre (ACSC) quarterly. The following steps are integral to achieving IRAP certification and maintaining the high standard of cybersecurity necessary for handling sensitive government data.

Learn more: A Comprehensive IRAP Assessment Checklist

Planning and Preparation

This step involves the IRAP assessor and the Australian Signals Directorate (ASD) IRAP Administrator. The assessor informs the administrator of the engagement. From there, they formulate a path to IRAP certification, including an assessment plan.

Boundary and Assessment Scoping + Documentation

This second step involves the IRAP assessment team and the System Owner. Together, they define and validate the scope of the assessment. This includes the authorization boundary of the system being evaluated and the security controls applicable to the assessment.

If any system components or environments are deemed out of scope, this is the time to document them and justify their exclusion.

ISM Requirement Compliance Assessment

The IRAP assessor performs reviews for two things:

  • Design effectiveness
  • Operational effectiveness

This is done by collecting evidence and conducting interviews. The goal here is to determine the implementation status of security controls.

IRAP Assessor Reporting

After the review, the assessor produces two documents:

  • Security Assessment Report (SAR)
  • Security Controls Matrix (SCM)

These documents describe the following:

  • The scope of the security assessment
  • The effectiveness of security controls implemented
  • Security risks associated with the operation of the system
  • Any recommended remediation actions

The IRAP SAR does not provide a risk assessment of ineffective controls. Rather, it identifies the security risks and risk-mitigation controls for the consumer to analyze. 

38North Security works with the most trusted in-country IRAP assessors. Get in touch with one of our security experts today to get started.

Ready for Agency Review

At this stage, each agency will individually decide whether your organization complies with IRAP requirements. The agencies will use the documentation produced by the IRAP assessor: the SAR and SCM.

Each agency has its own policies, and some are stricter than others. Because of this, each agency will individually decide whether the residual risk is acceptable for it to allow you to process its data.

What Cloud Service Providers Should Keep in Mind

Providing secure cloud services to Australian Federal government agencies is a big responsibility that comes with a unique set of challenges. Cloud service providers (CSPs) must take a comprehensive approach to IRAP compliance to showcase the depth of their preparedness.

Understanding Cloud-Specific Requirements

Cloud service providers must understand the specific requirements of the IRAP as they apply to cloud services. This includes being familiar with cloud architecture, virtualization security, data sovereignty issues, and multi-tenancy risks.

Protective Security Policy Framework (PSPF)

This high-level policy framework outlines the Australian Government’s standards for securing its people, information, and assets. While the PSPF provides a framework for overall protective security, including information security, IRAP focuses specifically on assessing the information security aspects of ICT systems, ensuring they comply with the government’s security standards. In this sense, IRAP assessments may use the PSPF as a reference, but they are more tailored to the specific security concerns of ICT systems.

Learn more: The Essential Guide to the Protective Security Policy Framework (PSPF)

Essential Eight

This is a set of mitigation strategies developed by the Australian Government. It serves as a baseline recommended to all organizations to help protect against cyber attacks. While the Essential Eight is not explicitly mandated by IRAP, its strategies can contribute to a robust and compliant security posture for ICT systems subjected to IRAP assessments.

Hosting Certification Framework

The Hosting Certification Framework (HCF) outlines the security controls and requirements that hosting providers must meet to deliver services to government agencies. Government agencies that use hosting services, especially those provided by third-party hosting providers, are required to assess the security of their ICT systems through the IRAP. In the context of hosting services, government agencies using external hosting providers would consider the HCF requirements when assessing the security posture of those providers.

Alignment with Cloud Security Principles

Providers should align their services with the cloud security principles outlined in the ISM and the PSPF. This alignment ensures that the cloud services are designed and operated in a manner that meets government security standards.

Regular Compliance Updates

Given the dynamic nature of cloud technology and the evolving threat landscape, providers must regularly update their compliance posture. This involves staying informed about the latest ISM updates and adjusting security controls accordingly.

Incident Response and Management

Cloud providers should have a robust incident response and management plan. This plan must be capable of addressing potential security incidents effectively and in compliance with government requirements.

Data Protection and Encryption

Special attention should be given to data protection mechanisms, including encryption in transit and at rest, to ensure the confidentiality and integrity of government data.

Third-Party Risk Management

If the cloud provider relies on third-party services or infrastructure, it’s important to manage these third-party risks effectively. This includes conducting due diligence and ensuring that subcontractors or partners also adhere to the required security standards.

It’s important to note, however, that any third-party software or services you use must also have gone through the IRAP process. Otherwise, you have to include them in your boundary and document how they also meet the ISM requirements.

Continuous Monitoring and Reporting

Implementing continuous monitoring of the cloud environment to detect and respond to threats in real-time is crucial. Regular reporting on security posture and compliance status to relevant stakeholders is also important. If significant changes occur, a new IRAP compliance assessment might be required.

User Access Control and Management

Implement stringent user access controls and management procedures to ensure that only authorized personnel have access to sensitive data.

Documentation and Evidence of Compliance

Maintaining comprehensive documentation of security policies, procedures, and controls is essential. This documentation is critical during the IRAP compliance assessment and for ongoing compliance verification.

Post-Certification Reviews and Audits

After achieving IRAP certification, cloud providers should prepare for regular reviews and audits to maintain their compliance status. This includes periodic reassessment by IRAP assessors to ensure ongoing adherence to the ISM standards.

Achieve Compliance With the Leading US-Based IRAP Experts

38North is the most experienced cloud security team providing IRAP advisory services in North America. If you’re headquartered in the United States and are already compliant with, or planning to comply with, FedRAMP, DoD CC SRG, CMMC, SOC 2, ISO 27001 and other international compliance standards, then come talk to us. Our intimate knowledge of these other standards allows us to map your existing compliance efforts to ISM requirements quickly and efficiently, relieving the burden on your teams. We will also coordinate with Australian stakeholders in their local timezone so you don’t have to.

Searching for an IRAP assessor? 38North Security and our certified Australia-based IRAP assessors can help with that and much more. Our global experience, partnered with local specialization, will help you expertly navigate the many nuances that come with IRAP compliance. 

Contact us today to learn how our team can help pave the way toward ISM compliance for your organization.

About the Author
38North Security