In a rapidly transforming digital landscape, private organizations aren’t the only ones attempting to protect themselves from evolving cyber threats—governments are too. In the United States, FedRAMP and StateRAMP have risen to prominence as “gatekeeper” frameworks to doing work with those levels of American government, and on the opposite side of the globe, Australia has IRAP.
An initiative by the Australian Signals Directorate (ASD), the Australian Information Security Registered Assessors Program (IRAP) is a program designed to provide high-quality information and communication technology (ICT) security assessment services to the Australian government and the industry as a whole. ASD, through IRAP, endorses suitably qualified and experienced cybersecurity professionals to provide relevant security services that aim to secure broader Industry and Government information and associated systems.
To do business with Australian government agencies, private organizations are expected to complete this program, and what would make that easier is knowing what you’re getting into. As part of our diverse suite of services, Schellman offers IRAP assessment services, and in this article, we’re going to provide an overview of the IRAP framework and requirements, as well as some preliminary strategies to help you comply.
An Introduction to Australia’s IRAP
In IRAP assessments, the ASD Information Security Manual (ISM) is used, as it outlines security controls and guidelines deemed necessary for protecting ICT systems. Initially developed for ICT systems within the Australian government, the ISM has since been adopted as the cybersecurity guideline for private sector organizations that provide—or wish to provide—services to Australian government agencies.
Such organizations must be assessed by an IRAP assessor at the security classification level their system is designed to support. There are four different classification levels, each based on how sensitive the information is within your ICT system as well as the potential impact a security breach would have on the confidentiality, integrity, and availability of that information:
Classification level | Description
---|---
Official: Sensitive* | ICT systems of low to medium business impact with limited damage.
Protected | ICT systems that handle high business impact with potential damage.
Secret | ICT systems that handle information that could cause serious damage to the Australian nation, with potential extreme business impact.
Top Secret | ICT systems that handle information that could cause exceptionally grave damage to the national interest, organizations, or individuals, with potentially catastrophic business impact. (Top Secret ICT systems are only assessed by ASD assessors.)
*Note that the Official designation is a protective marking that is non-mandatory and is not considered classified.
To complete the program, you’ll need to establish your security classification level and implement the related, necessary security controls before having your efforts evaluated by accredited IRAP assessors, who will review the security of your ICT systems and determine whether they meet the requirements outlined in the Australian Government ISM.
What are the Requirements of Australia’s IRAP?
As for those mandates, the ISM comprises 22 domains that cover a wide variety of cybersecurity aspects. While IRAP’s requirements will vary based on your organization’s ICT architecture and classification level, some common domains include:
- Risk Management: You must create a risk management framework to identify, assess, and mitigate security risks to ICT systems that includes:
- Conducting regular risk assessments;
- Implementing appropriate controls; and
- Monitoring the effectiveness of your risk mitigation measures.
- Access Control: Using user authentication mechanisms, role-based access controls, and methods to detect unauthorized access or misuse, you must ensure that only authorized individuals have access to sensitive information and ICT resources.
- Data Protection: You must protect the confidentiality, integrity, and availability of sensitive information in your care through encryption, data masking or redaction, and data loss prevention controls.
- Security Configuration Management: You must ensure that your ICT systems are securely configured and maintained by promptly applying security patches and updates and implementing secure coding practices for custom applications.
- Incident Response and Reporting: You must have procedures in place to detect, respond to, and recover from security incidents—including defined roles and responsibilities for those on your response team—as well as documented steps for reporting and investigating security incidents.
- Physical Security: To defend ICT infrastructure and sensitive information from unauthorized access, theft, or tampering, you must implement access controls, surveillance systems, and environmental controls that will also protect your systems against natural disasters or other physical threats to your environment.
- Training and Awareness: You must train personnel on security policies and procedures, best practices for protecting sensitive information, and how to recognize and report security threats or incidents.
- Continuous Monitoring: You must perform ongoing monitoring and maintenance of security controls to ensure that your ICT systems remain secure over time, which includes performing regular audits to identify and address any security vulnerabilities.
What is Australia’s IRAP Process?
Your adherence to all of IRAP’s requirements—in the aforementioned areas and otherwise—will be evaluated during the total assessment process, which involves the following four phases:
Phase | Details
---|---
Preparation | Ahead of your assessment, you’ll need to:
Assessment | During this phase, your assessor will:
Reporting and Recommendation | Once their work is complete, your assessor will prepare a detailed report documenting their findings, including their analysis of your security posture and the areas needing remediation and improvement.
Ongoing Monitoring and Maintenance | You’ll be expected to work towards remediating findings from the initial IRAP assessment and track that work in a Plan of Action & Milestones (POA&M), while also continuously monitoring and maintaining your security control baseline. That will require an independent IRAP assessment every 24 months, ad hoc assessments for any significant changes to your system that impact the established security control baseline, and updates to address emerging threats and vulnerabilities.
Six Steps to Help Prepare for Australia’s IRAP
To help you get started with IRAP certification, here are six preliminary steps you can take to get your organization on the path to success:
- Familiarize Yourself with the Standard: Review the relevant sections of the ISM to understand the relevant security controls and best practices that apply to your organization's ICT systems and the sensitivity of the information you handle so that you can set correct and reasonable expectations.
- Identify Stakeholders: Establish a team with representatives from IT, security, risk management, legal, and any other departments relevant to your certification requirements, and clearly define each person’s responsibilities to ensure accountability throughout the process.
- Conduct a Gap Analysis: Review existing policies, procedures, and technical configurations against the ISM's security controls and guidelines so that you can develop a plan, with realistic timelines, to implement controls or make updates that address any deficiencies and bring your ICT systems into compliance with ISM requirements.
- Document Policies and Procedures: Make sure your recorded security policies, procedures, and technical configurations are all clear, comprehensive, and readily accessible to relevant personnel, as well as in alignment with IRAP requirements.
  - When preparing this required evidence, it might also help to organize it by ISM sections/topics, as grouping things by these broader strokes can help clarify who within your organization will also be involved in interview discussions with your IRAP assessor.
- Conduct Training and Awareness Programs: Provide security awareness training to personnel who have access to sensitive information or ICT resources to ensure they understand their roles and responsibilities in maintaining the security of your ICT systems and of the sensitive information those systems hold.
- Set the Stage to Maintain Compliance: Implement processes for ongoing monitoring, maintenance, and continuous improvement of your organization's security posture—if you don’t already have them—and set cadences to regularly review and update security controls so that you stay informed about emerging threats and vulnerabilities.
Moving Forward with IRAP
Cybersecurity remains a huge priority, not just for the private sector, but also for governments around the world. Australia, with IRAP, is just one country taking its own steps to safeguard its assets and information, and compliance with the program’s security mandates is required for organizations wishing to do business with Australian government agencies.
Now that you’ve had a high-level introduction to the Program, you have a baseline understanding of its framework and can move forward in discerning what classification level your organization will pursue, as well as making sure you have the controls in place to satisfy the related requirements.
To learn even more about IRAP and Schellman’s ability to help you get certified, contact us today.
About Doug Stonier
Doug Stonier is a Senior Manager at Schellman based in Knoxville, Tennessee. He has over 8 years of experience performing assessments on cybersecurity programs in the Government & Public Sector. After joining Schellman in 2016, Doug focused his attention on FedRAMP; assessing cloud service provider systems at all security baselines and through the different authorization routes (Agency and JAB). In addition to performing numerous FedRAMP assessments, Doug has experience assessing organizations for compliance with other federal frameworks, including NIST SP 800-53 and DoD CC SRG.