Leading a global collaboration to meet Australian ISM requirements

SAP needed an assessment by an Information Security Registered Assessors Program (IRAP) assessor under the Australian Signals Directorate’s requirements. In addition, it needed to rapidly produce documentation while reengineering some system components to meet Australia’s data sovereignty requirements. It also required coordinating with the IRAP assessor to ensure requirements and facilitate a seamless assessment. 

Working with SAP, 38North provided in-country boots-on-the-ground resources to help navigate the changes in Australia and helped it select and communicate with an IRAP assessor, keeping the assessor in the loop so there were no surprises. 38North then advised on some modest system re-architecture to help meet Australia’s data sovereignty requirements.  

38North’s continued support helped SAP create a complete package of Australia-required documentation, including a prefilled IRAP assessor Statement of Applicability and lots of upfront communication with the IRAP assessor, facilitating a rapid, low-risk assessment.

SAP quickly cleared the documentation and engineering challenges needed to meet Australian requirements. Additionally, because of 38North’s upfront work with the IRAP assessor and having pre-filled out the IRAP assessor Statement of Applicability, they sailed through the audit without significant issues.

Challenges

  • SAP needed to develop documentation to meet Australian requirements and navigate data sovereignty challenges.
  • During the effort, SAP needed to address draft legislation for critical infrastructure protection and adapt to changes in the IRAP process.

Solutions

  • Documentation Development
  • Security Gap Analyses
  • Security Architecture

Results

  • A complete package of Australia required documentation.
  • The prefilled IRAP assessor Statement of Applicability, combined with lots of up front communication with the the IRAP assessor, facilitated a rapid, low risk assessment.
  • Engineering support to help them bring all data within Australia’s borders.