Australian Government Information Security Manual (ISM) Compliance

Organisations that wish to do business with the Australian Federal Government must have a compliance assessment conducted by an accredited Information Security Registered Assessors Program (IRAP) assessor. The assessment process is complex and time-consuming, but the benefits from a sales perspective are many. By completing the assessment, companies can attest to the appropriateness and effectiveness of the system’s security controls and their compliance posture so that agencies can determine if the risk of using the system to process their data is at an acceptable level. Companies that have undergone an IRAP assessment demonstrate to their clients that they take cybersecurity seriously and have taken proactive steps to comply with ISM requirements, as the Australian government requires. This helps win new business and provides a valuable boost to their reputation.

There are currently only a limited number of certified assessors in Australia. This can make it difficult to find someone to assess your security controls. Lucky for you, 38North partners with several certified IRAP assessors with a long history of helping companies achieve Australia’s highest levels of security compliance. Collaboratively, we can help ensure that you document your best compliance posture to agency customers. Trust Us to Get You There.

Contact Us Now

38North and IRAP-Certified Partners Are Your Expert Advisors

38North is recognized as an expert cybersecurity organisation. Partnering with certified in-country IRAP assessors, we prepare organisations to tackle the IRAP compliance assessment process— working side-by-side with them throughout the full process.

A little or a lot, we can provide guidance — or help with documentation development, gap analyses, and security engineering — to help you achieve ISM compliance.

Our Advisory Lifecycle

The IRAP Compliance Assessment Process

The Australian IRAP compliance assessment process is deceptively long and complex, with updates to the Information Security Manual (ISM) being published by the Australian Cyber Security Centre (ACSC) on a quarterly basis. The applicant and the assessor determine the size and scope of the assessment, meaning there can be a great deal of variability. Fortunately, 38North is an established cloud security compliance advisory firm — providing expert guidance and support — to help you define your boundary and ensure that your compliance posture is clear when undergoing an IRAP assessment. No matter where you are in your IRAP compliance assessment process, 38North can make it easier. ‌Talk with one of our IRAP experts.

IRAP Assessment Process Guide

Planning and Preparation

IRAP assessor informs the ASD IRAP Administrator of the IRAP engagement and conducts planning activities, to include developing a security assessment plan.

Boundary and Assessment Scoping, and Documentation

IRAP assessment team, in conjunction with the System Owner, defines and validates the scope of both the authorisation boundary of the system under assessment, as well as the security controls application to the assessment. Any system components or environments deemed out-of-scope are clearly documented and accompanied by a justification for its exclusion from the assessment.

ISM Requirement Compliance Assessment

IRAP assessor performs a design effectiveness review and an operational effectiveness review by collecting evidence and conducting interviews to determine the implementation status of security controls.

IRAP Assessor Compliance Security Assessment Report (SAR) and Security Controls Matrix (SCM)

IRAP Assessor produces a security assessment report and security controls matrix that describes:

The scope of the security assessment.
The effectiveness of the implementation of security controls.
Security risks associated with the operation of the system.
Any recommended remediation actions.

The IRAP SAR does not provide a risk assessment of ineffective controls, but identifies the security risks and risk mitigating controls for the consumer to analyze.

Ready for Agency Review

The IRAP SAR and SCM are made available to agencies. Each agency will take the reports as input during their own assessment process to determine if the risk of using the system in their environment is acceptable.

IRAP Assessment Challenges

Undergoing an IRAP assessment can be a challenging process due to the complexity and rigor of the security requirements, as well as the quarterly updates to the ISM. Overall, these challenges can cause delays and increased costs in pursuing Australian Federal customers and contracts.

Scoping

Each contractor must understand their business and risk posture to properly scope their cybersecurity practices to meet the requirements of the ISM. Failure to have an appropriate plan can result in an IRAP assessment showing the implementation of controls is neither appropriate nor effective across the environment.

Expertise

Companies are challenged to understand what they must do to demonstrate compliance with ISM requirements and the number of IRAP-certified assessors is limited. 38North is one of the few companies in the United States that partners with certified assessors that have a long history of expert in-country security services.

Continuous Maturity

Organisations must also maintain their cybersecurity posture over time in order to keep up with evolving threats and quarterly changes to the ISM requirements. This involves regularly monitoring systems and documenting changes made to their security architecture throughout the certification process.

38North IRAP Services

38North can help you demonstrate ISM compliance, no matter where you are in the process.

Boundary Scoping

We start by helping you understand what data you have that must be protected . This lets us know what assets are in scope, and excludes those that aren’t.

Workshops

Our workshops get you started — with control requirement training and consulting. We also help by using Australian Federal Government practices to design systems and approaches that will withstand IRAP assessments.

ISM Requirements Gap Analysis

Gap analyses help cloud providers and contractors understand what they need to do to comply with the ISM. Our gap analysis will find your gaps against the requirements and deliver a prioritized roadmap of actions required to close compliance gaps.

ISM Advisory Support

38North’s senior security advisors can help you design, deploy, document and maintain a scalable security approach that meets your desired ISM compliance level.

Get Started Now

What do I need for my IRAP compliance assessment?

The IRAP assessor will request documentation and artifacts that show the appropriateness and effectiveness of the system’s security controls. This includes policies, procedures, and samplings of artifacts to show procedures are being followed in a consistent and repeatable manner. 38North advisors can work with your teams and help with developing this documentation, in preparation for assessment.

Typically, you should be prepared to present the following documentation, as a baseline:

System Overview Document (SOD)
Security Risk Management Plan (SRMP)
Incident Response Plan (IRP)
Media Management Policy (MMP) User Access Management (UAM) Plan
Vulnerability and Patch Management Plan (VPM)
Audit and Accountability Policy (AAP)
Cryptographic Key Management Plan (CKM)
System Security Plan (SSP) – including all chapters
Statement of Applicability (SOA)
Business Impact Level Assessment (BIL) template
Configuration Management Plan (CMP)

What do I need for my IRAP authorisation package?

The system owner will compile an Authorisation Package to submit to the authorising authority. In addition to the Security Assessment Report, it should contain:

System Security Plan (SSP)
Incident Response Plan (IRP)
Continuous Monitoring Plan (CMP)
Plan Of Action And Milestones (POA&M)

Two people shaking hands at a meeting with package and cloud icon overlay

Your IRAP Compliance Assessment Starts Here

Book an initial IRAP conversation with one of our Australian cloud security experts today and we’ll help you achieve your goal of IRAP compliance — and stronger security.

Contact Us

Name(Required)

First Name Last Name

Company Name

Email Address

Phone Number

Message

(Please do not provide additional PII in this box)

Name

This field is for validation purposes and should be left unchanged.