
The Australian government has introduced a raft of recent initiatives to upgrade the nation's cyber security capabilities. These measures, designed to help guard against burgeoning security threats, include the Infosec Registered Assessor Program (IRAP). This key legislative framework makes serious demands on government departments and government-affiliated organisations. Its successful implementation requires specialised assistance from highly trained cyber security professionals.
Every federal government department utilising outsourced ICT or cloud services needs IRAP Assessments to remain compliant. Every private company that works with defence or supplies any ICT services to defence or federal government entities also requires an IRAP assessment. International companies that supply SaaS or similar services like Microsoft 365 must also be IRAP assessed to ensure security across the entire supply chain. The federal government outsources countless functions to private companies and cannot afford the risk posed by weak links within this chain of connected and affiliated entities.
IRAP assessments are designed to fulfill several core functions. These include:
The regulatory environment is dynamic in nature, with a renewed focus on protecting Australia’s digital assets. High profile data breaches in recent years have resulted in significant financial and reputational losses for affected companies, and government oversight bodies are determined to upgrade the nation’s defences. The IRAP Assessment process forms a crucial component of this move toward a more regulated business environment built on assured and verifiable cyber security resilience.
IRAP is not designed to be a stand-alone cyber security solution. It builds upon a determined and proactive approach that layers defensive capabilities to achieve comprehensive resilience. IRAP Assessment dovetails with a range of frameworks and strategies including:
The assessment is a process undertaken by an IRAP Assessor to evaluate a system and its environment to determine if they have been effectively implemented and are operating as intended. Assessments are broken into a series of stages.
The first step involves planning and preparation for the assessment, working with the System Owner to map resources, key people, milestones and timeframe, and security clearances. This phase will define the scope using existing documentation such as the System Security Plan, network and data flow diagrams, the list of service providers, and their shared responsibility matrix.
During the following step, the IRAP Assessor will conduct the security control assessment, including documentation review, technical interviews, and evidence collection, to verify the effectiveness of the controls. At this stage, the assessor will document any non-implemented or ineffective security controls and outline the risks associated with any shortcomings.
The final stage is to produce the IRAP Assessment Report which will:
The IRAP process does not simply rely on a one-off assessment. The Information Security Manual (ISM), on which IRAP assessment is founded, changes every three months. Assessed organisations must therefore remain diligent in determining if any of the three-monthly changes affect their operation. This ongoing commitment lends itself to a retainer-type service package that ensures effective control implementation is maintained in the long term and government contracts are not jeopardised. Once the assessment is completed, further IRAP assessment then typically runs on a two-year assessment cycle.
IRAP assessment builds upon another dynamic government process in the Protective Security Policy Framework (PSPF). This is mandatory for government organisations and can also be referenced for private organisations during IRAP assessments.
The PSPF sets the Australian Government’s minimum protective security standards to achieve effective and efficient secure delivery of government business, both domestically and internationally. Overseen by the Home Affairs Department, it is an essential plank in the nation's attempts to secure its data against a range of current and emerging threats.
Following IRAP assessment, businesses and government departments are required to maintain strong reporting procedures. This includes reporting any observed security incidents within prescribed timeframes. Such reporting can benefit from external assistance from cyber security professionals who are familiar with preferred formats and presentation styles.
Given the complexity involved, IRAP assessment is a very specialised field and there are only approximately 370 IRAP Assessors globally. Infotrust is uniquely positioned among its competitors to have internal IRAP Assessors who have been endorsed by the Australian Signals Directorate (ASD). These team members are available to Infotrust clients as required, normally operating on a retainer service. The IRAP assessment process typically takes three months to complete when managed by trained professionals with extensive experience in the field.
The vulnerabilities posed by third parties and lengthy supply chains demand that governments around the world implement rigorous cyber security protocols. The Australian federal government’s response has been to implement the IRAP Assessment. While posing an initial hurdle to Australian organisations, IRAP Assessment and other strategically sound security decisions can unlock a wealth of opportunities and prove your organisation is a trusted partner.
A proactive security stance that includes SOC, Essential 8, GRC, and IRAP sends a strong signal to your clients, business partners, employees, and governmental bodies. It demonstrates a commitment to vigilance in the face of increasingly sophisticated cyber security attacks that threaten all Australian organisations and citizens.
Infotrust expects regulatory oversight of Australian businesses to increase in the coming years. The risk of third-party attacks spreading along supply chains is such that any security-conscious organisation must be confident that its partners and affiliates have implemented the appropriate checks and protocols. The future success of your organisation depends on being a trustworthy player in the Australian business world.
Infotrust is Australia’s leading cyber security provider. Our team works closely with regulators to ensure all clients receive the best advice based on the latest updates. Our IRAP Assessors, who have been endorsed by the Australian Signals Directorate, have helped leading companies upgrade their cyber security defences to capitalise on opportunities from both private and public sectors.
Our world class SOC facility is trusted with protecting some of the nation’s most sensitive data, and given these competitive advantages, the Infotrust team continues to attract the cyber security industry’s brightest talent.
Regardless of industry sector, Infotrust can help position your organisation as a trusted and secure partner, ready to deliver on future contracts.
For more information about IRAP Assessment, contact Infotrust today.