The Infosec Registered Assessors Program (IRAP) is crucial to ensuring the Australian Government’s systems meet rigorous cyber security control standards, safeguard sensitive information and bolster national security.
For cyber security service and technology providers seeking to secure new business with public sector agencies in Australia, an IRAP assessment is a common prerequisite.
IRAP Advisory Services
Get in touch to discuss how we can streamline your IRAP preparation and assessment
What is an IRAP assessment?
Refreshed in 2020 by the Australian Signals Directorate (ASD), IRAP provides information and communication technology (ICT) security assessment services to the Australian Government and industry.
Although IRAP assessment is not an endorsement of your ICT system, in a market where stringent security practices are increasingly valued and where incidents in one market can impact global confidence, it promotes continual improvement for resilience against cyber security threats, helping you maintain a competitive edge.
Not only does IRAP assessment support public sector procurement, but it is fast becoming a procurement benchmark in the private sector.
You can read more in our IRAP assessment FAQ >
The IRAP assessment relies on two control frameworks:
- The Australian Cyber Security Centre’s (ACSC) Information Security Manual (ISM)
- The Department of Home Affairs' Protective Security Policy Framework (PSPF)
The Australian Cyber Security Centre’s (ACSC) Information Security Manual (ISM)
The ISM evaluates the effectiveness of controls in place at a specific moment in time. It assesses your system’s security in areas including governance, risk management, auditing and others.
The Department of Home Affairs' Protective Security Policy Framework (PSPF)
The PSPF assesses your system against 16 policies that cover the Australian Government’s minimum acceptable level of security. It focuses on security culture to protect people, assets and information in Australia and overseas.
IRAP assessment services at KPMG
KPMG streamlines IRAP preparation and assessment, providing the following services for your business:
IRAP Readiness Review
A brief readiness review of your system to assess preparedness for an independent IRAP assessment
IRAP assessment
An independent assessment of your system's design and operation to ensure they meet Australian security standards.
IRAP advisory services
Pre-assess and uplift your systems in preparation for an IRAP Assessment.
Infosec Registered Assessors Program (IRAP) FAQs
Demystifying IRAP Assessments
Here you'll find answers to some common questions and misconceptions. If your questions aren't answered here, use the form below to get in touch.
Is IRAP assessment mandatory?
Successfully completing an IRAP assessment is often a prerequisite for providing digital services that hold, process or transfer Australian Government data. All other products and services are able to undertake the same rigorous process to demonstrate adherence to the IRAP 'gold standard'. By obtaining and maintaining an IRAP assessment, you are demonstrating a commitment to meeting stringent Australian security standards and opening the door to a larger range of government initiatives and opportunities.
How often do we need an IRAP assessment?
Ideally, the ISM frequency recommendation for undertaking an IRAP assessment is every 24 months for each system.
What is the IRAP assessment process?
IRAP assessors conduct independent evaluations of your company's system's cyber security posture and identify any security risks associated with your ICT systems and data.
The IRAP assessment relies on two control frameworks:
- The Australian Cyber Security Centre’s (ACSC) Information Security Manual (ISM): The ISM evaluates the effectiveness of controls in place at a specific moment in time. It assesses your system’s security in areas including governance, risk management, auditing and others.
- The Department of Home Affairs' Protective Security Policy Framework (PSPF): The PSPF assesses your system against 16 policies that cover the Australian Government’s minimum acceptable level of security. It focuses on security culture to protect people, assets and information in Australia and overseas.
The specific four phases around which we complete an IRAP assessment are:
Phase 1: Planning and preparation
IIn this phase, we focus on planning and preparing for the IRAP assessment. This process includes establishing timeframes, identifying the resources required, and outlining arrangements for data handling, storage, and disposal, as well as developing a communications plan. The IRAP assessor will notify the ASD IRAP Administrator about the upcoming assessment by submitting a Conflict-of-Interest (COI) declaration. Additionally, we will collaborate with your stakeholders to finalise the assessment schedule and ensure they provide access to the necessary systems, personnel, and facilities required for conducting the assessment.
Phase 2: Validating the scope
In this phase, we will validate the assessment's scope by confirming the system and its environments under review, including the classification of data that is stored, processed, and communicated, as well as delineating the system's boundaries. The IRAP assessor will review several key aspects: system versioning and environment, the security classification of the data handled by the system, the technology the system employs, the system's authorisation boundary, and the security controls relevant to the system’s assessment.
Phase 3: IRAP re-assessment and accreditation
In this phase, the IRAP assessor reviews the system's documentation and evidence, and conducts control testing activities to assess the implementation status of security controls. This status is determined by evaluating two key aspects: firstly, whether the security controls designed for the system are appropriate in relation to its classification, function, and the threat and risk landscape; secondly, whether these security controls are operating effectively in practice.
Phase 4: Report and security control matrix
In the final stage of the assessment, the IRAP assessor will compile an IRAP report detailing the activities conducted during the assessment. This report will offer insights into the scope of the security assessment, implementation status of security controls, the risks associated with the system's use, and areas of strength and weakness. Additionally, a Security Control Matrix will be produced, providing observations on the implementation of each applicable ISM control.
What is the IRAP Readiness Review process?
Many organisations appreciate a brief readiness review to assess their preparedness for an IRAP assessment. This can help estimate the level of investment required to obtain the desired IRAP assessment outcome, expedite the assessment timelines, and provide a more competitive quote for either IRAP Advisory services or IRAP assessments based on complexity. The IRAP Readiness Review occurs in two phases:
Phase 1: Preliminary IRAP gap analysis
- We look at how your system would perform under an IRAP assessment, identify control gaps and establish the level of effort required to remediate them.
- We conduct a design effectiveness review of your system against IRAP security controls: PSPF, ISM and Anatomy of Cloud Assessment and Authorisation (for cloud services).
Phase 2: Security documentation review
- We help you understand your security posture by assessing your documentation against the standards required to be IRAP ready. Documents reviewed include your System Security Plan (SSP) and SSP Annex, Continuous Monitoring Plan, Incident Response Plan.
- We provide recommendations to increase your security posture.
What are the IRAP advisory services?
We provide IRAP advisory services to federal and state government agencies, as well as private sector organisations doing business with governments. Our services range from developing cyber security strategies to implementing organisation-wide security programs and tools. Depending on client needs, we review where your systems stand versus the ideal ISM-recommended/mandatory position, ensuring the best possible outcome in an IRAP assessment. We identify gaps between different industry standards you might adhere to (e.g. NIST, ISO, etc.) and the ISM, should you wish to undertake an IRAP assessment in the future. Our IRAP advisory services are broken down into three phases:
Phase 1: Scoping and planning
In this phase, we undertake a comprehensive exercise to understand the security controls in scope, refine our schedule, and develop a document discovery list of what we require from you in order to undergo an IRAP assessment, should you wish to pursue one.
Phase 2: Fieldwork and workshops
In this phase, we will review your security architecture and understand your security deployment models against the baseline of the ISM.
Phase 3: Report and recommendations
In this phase, we will present our findings and recommendations based on our comprehensive analysis of your security architecture, baselined against the ISM and addressing control gaps as/if applicable.
How long does an IRAP assessment take?
IRAP assessment timeframes can range from two to six months. Determining factors may include:
- the scope of the solution
- the amount of preparation required
- the existing cyber security posture.
For a more specific overview of assessment timeframes, please contact our team.
What investment is required for an IRAP assessment?
For a specific cost estimate tailored to your needs, please contact our team.
