Does FedRAMP Authorization Help with IRAP Assessments?
When deciding to take on a new compliance initiative, one question that often gets asked is whether or not work done for prior assessments can be leveraged to save time or money. For those who have pursued FedRAMP Authorization and now wish to go through IRAP—both frameworks that must be adhered to as a means to do business with two different governments—the good news is that your experience with FedRAMP will provide a solid foundation for IRAP.
That being said, while prior FedRAMP compliance can be a solid foundation and helpful boon, bringing your environment up to another, unique standard will still require some degree of work, which is why you should absolutely leverage any overlap between FedRAMP and IRAP so that your organization can save some time and effort.
Of course, to leverage any overlap, you have to understand where such overlap exists, and here we can help: we are currently the leading provider of FedRAMP assessments on the Marketplace, and we are IRAP assessors as well.
In this article, we’ll put that expertise to use and detail the ways having prior FedRAMP authorization can jumpstart your IRAP journey, as well as how you can get started leveraging FedRAMP for IRAP.
Does FedRAMP Help with IRAP?
As we mentioned, both FedRAMP and IRAP are frameworks established by governments—America’s and Australia’s, respectively—but that’s not where the similarities between them end. As such, having previously progressed through FedRAMP can help with your IRAP assessment for the following reasons.
There’s a Similar Basis in the Security Framework and Controls.
To start, it helps that FedRAMP and IRAP were built in similar ways. FedRAMP was spun off from the Federal Information Security Modernization Act (FISMA), whose underlying requirements come from the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-53, while IRAP is derived from Australia’s Information Security Manual (ISM).
Both baseline documents—NIST SP 800-53 and the ISM—feature comprehensive security controls, and there’s considerable overlap between both frameworks in their requirements for access control, incident response, and continuous monitoring:
- Access Control: Both FedRAMP and IRAP discuss the implementation of the following:
  - Least Privilege, i.e., you must confirm that users are granted only the minimum level of access (permissions) needed to perform their job functions.
  - Separation of Duties, i.e., you must divide critical tasks among different individuals to prevent fraud and errors.
  - User Authentication and Authorization, i.e., you must implement strong authentication mechanisms to verify user identities before those users are granted access to your systems and data.
  - Access Control Policies and Procedures, i.e., you must document the established policies and procedures that govern how access rights are granted, reviewed, and revoked in your organization.
- Incident Response: Both FedRAMP and IRAP discuss formalized incident response plans, incident reporting, and handling procedures, and those you create for the former can be directly leveraged to meet the same requirements for IRAP.
- Continuous Monitoring: Similarly, both FedRAMP and IRAP include continuous monitoring post-assessment, and yet again the elements you implement because FedRAMP requires them (including vulnerability scanning, logging, and real-time threat detection) will set your organization up to meet IRAP’s requirements in the same area.
There’s Also a Similar Approach to Risk Management.
Aside from the baseline documents and control similarities, both FedRAMP and IRAP also emphasize a risk management approach to security, so yes, the related practices you’ve developed for FedRAMP—including regular risk assessments—can be leveraged for IRAP assessments.
Of course, you’ll need to do some additional tailoring to ensure full alignment with IRAP, but your experience with FedRAMP will help you develop risk management processes and practices to satisfy this additional framework.
There Are Commonalities Between Both Assessment Processes.
When you undergo an IRAP assessment having already gone through FedRAMP, you’ll likely note how familiar it feels, as the assessments for both FedRAMP and IRAP require your third-party assessor to perform:
- Review of necessary documentation;
- On-site inspections;
- Interviews with your Subject Matter Experts (SMEs); and
- Technical testing.
As such, your prior experience with FedRAMP will likely provide helpful starting points regarding the types of evidence, locations, and personnel that will be involved during your IRAP assessment.
There’s Overlap in the Documentation and Reporting Aspects.
Speaking of documentation, you likely already understand that FedRAMP requires comprehensive records and reporting as part of your demonstration of compliance with its security requirements.
When you pursue IRAP post-FedRAMP, you won’t need to start from scratch, as the experience you’ll have gained in how thoroughly to note your security controls, policies, procedures, and technical configurations for FedRAMP will prepare you when developing similar documentation for IRAP assessments.
How to Leverage FedRAMP for IRAP Assessments
All these similarities bode well for organizations who have achieved FedRAMP Authorization and are now pivoting to IRAP with hopes of a streamlined experience with their second government framework, but there are still steps you should take to successfully leverage your FedRAMP efforts for your IRAP assessment.
1. Perform a Gap Analysis/Mapping Exercise.
As we noted before, your experience with implementing and assessing controls under FedRAMP can be beneficial when preparing for an IRAP assessment, but you’ll need to conduct a mapping exercise to identify the specific overlaps between your controls and the ISM.
To do so, first create a matrix that maps FedRAMP controls to ISM controls. Then, to ensure you meet all the particulars of IRAP, perform a detailed gap analysis to identify areas where additional controls need to be implemented or existing controls need to be adjusted to satisfy the ISM controls.
If one or more ISM controls cannot be implemented as worded, IRAP allows for the use of alternate controls that address the intent of the original ISM control; in other words, if you have technical limitations in implementing a control, you can find other ways to meet its objective. That being said, it’s important to note that your alternate controls must provide equal or better mitigation of the associated risk.
2. Implement Additional Controls.
Once you understand where you still have not met specific ISM controls, implement any additional controls identified during the gap analysis. This could involve:
- Implementing additional technical controls;
- Enacting any necessary procedural changes; or
- Creating additional documentation, or at the very least updating your existing policies and procedures to cover IRAP-specific controls and practices.
3. Address Australian-Specific Requirements.
As FedRAMP is American and IRAP is Australian, you should also address any legal, regulatory, or privacy requirements specific to Australia—including those regarding data residency, privacy laws, and specific and current government mandates.
4. (Optional) Engage an IRAP Assessor for a Readiness Assessment.
To ensure you’ve done everything necessary to set yourself up for a first-time IRAP assessment, you can also choose to work with an endorsed IRAP assessor for a readiness assessment. Keep in mind that, in order to meet the independence requirements for IRAP, you should not use the same IRAP assessor who evaluated your readiness to also perform your full IRAP assessment, as there may be a conflict of interest.
Though this isn’t a required step, you may find extra peace of mind or assurance in it, as the assessor could review your existing FedRAMP documentation and controls ahead of your assessment and provide guidance on additional requirements, sparing you any surprises in your actual IRAP assessment process.
Moving Forward with an IRAP Assessment
When pursuing an IRAP assessment, organizations that have already progressed through FedRAMP will have a significant leg up, as you’ll be able to use that existing security posture and documentation to reduce the time and effort required to satisfy IRAP.
Still, it’s important to recognize that there are also important differences between the two programs in terms of scope, requirements, and assessment processes, so you’ll still need to carefully consider the specific requirements outlined in the ISM.
Working with an experienced IRAP assessor will also help ensure you achieve a positive outcome. If you’re interested in learning more about Schellman’s capabilities and potential fit with your organization, contact us today.
About Doug Stonier
Doug Stonier is a Senior Manager at Schellman based in Knoxville, Tennessee. He has over 8 years of experience performing assessments on cybersecurity programs in the Government & Public Sector. After joining Schellman in 2016, Doug focused his attention on FedRAMP, assessing cloud service provider systems at all security baselines and through the different authorization routes (Agency and JAB). In addition to performing numerous FedRAMP assessments, Doug has experience assessing organizations for compliance with other federal frameworks, including NIST SP 800-53 and the DoD CC SRG.