What is an IRAP Assessment?
An IRAP Assessor will assess the implementation, appropriateness and effectiveness of your system's security controls. This is achieved through two security assessment stages, as dictated in the Australian Government Information Security Manual (ISM):
- A Stage 1 Security Assessment identifies security deficiencies which the system owner rectifies or mitigates.
- A Stage 2 Security Assessment assesses the residual compliance.
Stage 1 Security Assessment
In the Stage 1 Security Assessment an IRAP Assessor:
- defines the statement of applicability in consultation with the system owner
- gains an understanding of the system
- reviews the system architecture and the suite of system security documentation, including:
  - the overarching Information Security Policy and Threat Risk Assessment
  - the System Security Plan
  - the Security Risk Management Plan
  - the Incident Response Plan, and
  - relevant Standard Operating Procedures
- seeks evidence of compliance with Australian Government ICT requirements and recommendations, and
- highlights effectiveness of ICT controls and recommends actions to address or mitigate non-compliance.
The outcome of a Stage 1 Security Assessment is a findings report.
Stage 2 Security Assessment
In the Stage 2 Security Assessment an IRAP Assessor looks deeper into the system's operation, focusing on seeking evidence of compliance with and the effectiveness of security controls. The IRAP Assessor will conduct a site visit where they will:
- conduct interviews with key personnel
- investigate the implementation and effectiveness of security controls in reference to the security documentation suite, and
- sight all physical security and information system certifications and any related waivers.
The outcome of a Stage 2 Security Assessment is a report to the certification authority that:
- describes areas of compliance and non-compliance
- suggests remediation actions, and
- makes a certification recommendation to the certification authority.
The certification authority uses the report to:
- assess the residual risk relating to the operation of the system
- assess any remediation activities the system owner has undertaken, and
- make a decision on whether to grant certification.
Preparing for an IRAP Assessment
- Ensure the environment has achieved the relevant T4 physical accreditation or equivalent.
- Before engaging an IRAP Assessor, conduct a self-assessment of the network against the ISM and PSPF. This will allow you to understand your own compliance and resolve or mitigate any identified non-compliance.
- Before the assessment, update the network security documentation suite. This will enable the IRAP Assessor to focus on compliance rather than identifying errors in your documentation.
- Understand the scope of the network or system you want assessed, and clearly articulate a statement of work in the contract with an IRAP Assessor.
- Do not define or expect favourable outcomes, as it can undermine the integrity of the assessment.