The expert's guide to Information Security Registered Assessors Program (IRAP)
Introducing the Expert's Guide to Information Security Registered Assessors Program (IRAP)
This authoritative guide provides a comprehensive overview of the Infosec Registered Assessors Program (IRAP) and the Australian Government Information Security Manual (ISM). The guide covers the fundamentals of the program, including the prerequisites to become an IRAP Assessor, the roles and responsibilities of IRAP Assessors, the assessment process and the ISM. This guide is intended to be a valuable resource for those considering becoming an IRAP Assessor, and for existing IRAP or entity assessors conducting IRAP assessments or equivalent assessments against the ISM for the purpose of seeking or maintaining system authorisation.
What is an IRAP Assessment?
The Information Security Registered Assessors Program (IRAP) is a cybersecurity assessment program that was established by the Australian Signals Directorate (ASD) to assist Australian government agencies and organizations in protecting their information and communications technology (ICT) systems from cyber threats.
IRAP assessments are carried out by qualified and ASD endorsed assessors who have been trained in the ISM and the program's policies and procedures. IRAP assessors are responsible for evaluating the security of ICT systems and ensuring that they meet the requirements of the Australian Government Information Security Manual (ISM).
The ISM is the standard to which IRAP assessments are carried out. It is a comprehensive document that provides detailed requirements for organizations to manage and protect their information and ICT systems. The ISM sets out a range of security controls that organizations must implement to protect their information and ICT systems based on classification levels including Official, Official: Sensitive, Protected, Secret and Top Secret.
The ultimate goal of IRAP assessments is to ensure that organizations have implemented appropriate security controls to protect their information and ICT systems from cyber threats. Organizations that have been assessed through IRAP are eligible to provide these services to the Australian government or handle sensitive government information after receiving an Authorisation To Operate (ATO) from their Australian Government department or agency customers.
Who is an IRAP assessor?
To become an IRAP (Information Security Registered Assessors Program) assessor, there are specific prerequisites and qualifications that need to be met. These are:
- Australian Citizenship - Must hold Australian citizenship.
- 5 Years Technical ICT Experience - Possess a minimum of 5 years of technical experience in Information and Communications Technology (ICT) or a related field.
- Category A Qualification - Possession of recognized foundational qualifications in information security, such as CISSP, CISM or GSLC.
- Category B Qualifications - Specialized qualifications required by the IRAP program, such as CISA, CRISC, GSNA, ISO 27001 LA or PCI QSA.
- Completion of the IRAP Training Course - Successful completion of the official IRAP training course, which covers the IRAP methodology and cloud security assessment principles.
- Pass the IRAP Exam - Successful completion of the IRAP exam to demonstrate knowledge and understanding of the IRAP methodology and cloud security assessment practices.
- Attain a Minimum NV1 Security Clearance - Obtain a minimum NV1 security clearance. The Australian Signals Directorate (ASD) will sponsor the clearance process if necessary.
- Submit a Conflict of Interest Declaration - Provide a conflict of interest declaration to disclose any potential conflicts that may arise during the assessment process.
- Submit a Confidentiality Deed - Sign and submit a confidentiality deed, agreeing to maintain the confidentiality of sensitive information encountered during the assessment process.
- Provide Contact Information - Provide your contact information including given name, family name, organisation, state, email address and availability to ASD for publishing on the IRAP assessor list webpage.
You can view the list of ASD endorsed IRAP assessors on the ASD/ACSC website.
What are the stages of an IRAP assessment?
There is a traditional IRAP assessment process for on-premises systems that involves: 1) planning and preparing, 2) defining the scope of the assessment, 3) assessing security controls, and 4) producing a security assessment report. However, nearly all IRAP assessments these days involve the use of cloud service providers, and as such, ASD has developed the more contemporary Anatomy of a Cloud Assessment and Authorisation process for this purpose.
Phase 1: CSP security fundamentals and cloud services assessment
The CSP security fundamentals and cloud services assessment details the processes for assessing a CSP and its cloud services by an IRAP assessor. If required, the cloud consumer or IRAP assessor can assess supplementary, new or updated cloud services in Phase 1b. Phase 1 concludes with the review of the CSP security fundamentals and cloud services assessment report by the cloud consumer. The cloud consumer determines if the CSP and its cloud services meet its security needs and risk tolerance, and if so, approves the CSP and cloud services and progresses to Phase 2.
Phase 1a: Assess the CSP and its cloud services
During Phase 1a of the Cloud Security Assessment and Authorization process, an IRAP assessor evaluates two key areas. Firstly, they assess the security fundamentals of the cloud service provider (CSP), documenting their security practices and posture. This assessment allows potential cloud consumers to determine if the CSP is operating securely and if their cloud services are suitable for handling the consumer's data.
Secondly, the IRAP assessor assesses the cloud services themselves, focusing on those that are in scope for the assessment. These services are evaluated against the applicable security controls outlined in the Information Security Manual (ISM), which enables cloud consumers to assess the security risks of using the CSP's services.
The results of the assessment, including findings, evidence, and remediation actions, are documented in the Cloud Security Assessment Report Template. This report is shared with the CSP, who can then provide it to potential cloud consumers as evidence of their security posture and the security of their cloud services.
Phase 1b: Supplementary, new and updated cloud services assessment
Phase 1b assessment is performed only when a cloud consumer intends to use a CSP’s cloud service that has not been previously assessed. This could be due to the cloud service being out of scope in the CSP’s cloud security assessment report, a new cloud service release by the CSP, or significant changes made to an existing cloud service that impact the security documented in the cloud security assessment report.
The assessment can be performed independently by an IRAP assessor or the cloud consumer. It is intended to be smaller, less intensive, and less time-consuming, focusing on the unique aspects of the cloud service. The cloud consumer can leverage the CSP’s cloud security assessment report to perform their own Phase 1b assessment, reducing the need for multiple assessments of the same cloud service. The assessment is documented without the Introduction and CSP Security Fundamentals Assessment sections.
Phase 1c: Review cloud security assessment report
In Phase 1c, the cloud consumer reviews the cloud security assessment report and, if necessary, the supplementary, new, or updated cloud services report. This is done to assess whether the CSP and its cloud services meet the security requirements and risk tolerance of the cloud consumer. If the CSP and its cloud services meet the cloud consumer's security needs, the cloud consumer's Authorising Officer or delegate may approve the use of the CSP and its cloud services. However, this approval may come with certain conditions, such as only allowing the use of certain services or regions. These specific conditions are documented and form part of the approval evidence generated by the Authorising Officer or their delegate.
Phase 2: Cloud consumer systems assessment and authorisation
Most cyber security breaches related to cloud computing occur because cloud consumers do not implement the necessary controls for the aspects of the cloud environment they are responsible for. Cloud consumers must understand their responsibilities for securing their own cloud systems and implement necessary controls to mitigate the risk of cyber-attacks. It is important to assess the completed cloud solution, including the CSP and its cloud services, as well as the cloud consumer's systems, to ensure they meet the security requirements and risk tolerance of the cloud consumer.
Phase 2a provides guidance for assessing and authorizing the cloud consumer's own cloud systems, which can be conducted by an IRAP assessor or the cloud consumer themselves. The review of the Cloud Authorization Package by the cloud consumer's Authorizing Officer or delegate concludes Phase 2. The package includes the CSP's cloud security assessment report, any supplementary, new or updated cloud services report, and the cloud consumer cloud systems report. The Authorizing Officer grants authority to operate based on the acceptance of security risks associated with the operation of the entire cloud solution.
Phase 2a: Assessment of cloud consumer developed systems
Cloud consumers must ensure that their own cloud systems, which use the CSP's cloud services, meet their security requirements and risk tolerance, without reducing the security baseline provided by the CSP or introducing new weaknesses. To assess their own systems, cloud consumers should refer to guidance from the ACSC, including the Cloud Controls Matrix and the ISM. They must also identify which controls have and have not been inherited from the CSP and implement necessary compensating controls. An iterative approach to assessing and validating these systems is necessary, with the use of Agile and DevSecOps practices encouraged. The shared responsibility model must also be reviewed and updated as necessary. The findings of the Phase 2a assessment are documented in the Cloud Authorisation Package and reviewed by the cloud consumer's Authorising Officer.
Phase 2b: Review cloud authorisation package
Before granting authorisation to operate, the authorising officer or their delegate needs sufficient information to make an informed risk-based decision on whether the security risks associated with the cloud environment are acceptable. This information should be provided in an authorisation package that includes the CSP’s cloud security assessment report, any supplementary, new or updated cloud services report (if required), and the cloud consumer cloud systems report. The Cloud Authorisation Package is then reviewed by the authorising officer or their delegate to determine if the security requirements are met and risk tolerances are not exceeded. Depending on the outcome, authorisation to operate may be granted with or without constraints on system use, or further work and potentially another security assessment may be required. If security risks are deemed unacceptable, authorisation to operate may be denied until sufficient remediation actions have been completed to an acceptable standard.
All Phases: Continuous monitoring and assurance
Continuous monitoring and assurance involve keeping up-to-date with emerging cybersecurity risks, vulnerabilities, threats, security controls, and incidents to ensure the security of a system is maintained over time. This is a shared responsibility between the CSP and cloud consumer, and involves ongoing security assessments and activities to support monitoring of the threat environment and security controls.
The ACSC provides publications and advisories to assist CSPs and cloud consumers with identifying and mitigating security risks, and while it is not mandatory to comply with every update to the ISM, timely processing of changes is recommended. Measures to proactively monitor and manage security vulnerabilities can provide valuable information about exposure to cyber threats, and intentional changes to a system should also be considered for their impact on security risks.
The ACSC Partnership Program can provide additional benefits to supplement existing threat intelligence and situational awareness capabilities. Overall, continuous monitoring and assurance are crucial for maintaining the effectiveness of security controls and enabling informed risk management decisions.
What are the evidence types assessed as part of an IRAP assessment?
When assessing a CSP, IRAP assessors must gather credible evidence to determine the effectiveness of security controls. Evidence quality can vary from weak evidence, such as a claim that a control exists, to strong evidence, such as evidence of routine policy compliance or a simulated test demonstrating a technical control's effectiveness. IRAP assessors should prioritize the quality of evidence presented to them in their assessments, as well as consider what evidence can be gathered efficiently. They may need to make decisions on a case-by-case basis on when they have sufficient evidence to consider a control effective. Depending on the size of the assessment, the IRAP assessors may need to ensure that their team has the necessary skills to efficiently collect and interpret the evidence.
The four levels of evidence quality are:
- Poor evidence: A policy statement (e.g. repeating the ISM control in an internal document, irrespective of the amount of boilerplate included).
- Fair evidence: Reviewing a copy of the relevant system's configuration to determine if it should enforce the expected policy.
- Good evidence: Reviewing the technical configuration on the system (through the system's interface) to determine if it should enforce the expected policy.
- Excellent evidence: Testing the control with a simulated activity designed to confirm it is in place and effective (e.g. attempting to run an application to check for application control, or attempting to access an external website using a privileged account).
What are the sampling principles used in an IRAP assessment?
Assessments of CSPs involve categorizing, measuring, and estimating alignment with standards and risk, and therefore, they are abstract in nature. Factors such as the size of the CSP, its technology stack configuration, and the distribution of its operations may impact the assessment. To evaluate the effectiveness of controls across the systems and cloud services, sampling is a logical approach. However, an adequate sampling scheme depends on the situation and can vary from one assessment to another. Assessors can design a suitable sampling approach by considering the following factors:
- Level of standardisation: Many ICT environments are centrally managed. For example, if checking the validity of configuration on servers which are configured using one technical policy, then potentially one server can be representative of all systems. Also, CSPs often have cloud services that support other cloud services. The built-in security (security that cannot be altered by cloud consumers) of these supportive cloud services can provide a security baseline representative of many cloud services.
- Truly representative: IRAP assessors need to ensure that any points they sample are truly representative, and not a contrived example created only for assessment purposes.
- Different management zones/arrangements: Systems may be operated and administered in different security zones, for different purposes and under different management arrangements. IRAP assessors should consider these differences, and determine if they need to sample data points from across these zones.
- Ease of data collection: IRAP assessors should plan to use and leverage tools as part of their assessment. By driving down the cost of each individual sample, this allows the assessor to more comprehensively gather evidence, which will lead to a more accurate assessment.
- Confirmation of unexpected results: IRAP assessors may find they come across results which are inconsistent with their professional experience, such as a CSP demonstrating significant over- or under-performance against assessment criteria relative to other similar CSPs. In these situations, IRAP assessors should determine how to take additional samples to confirm the unexpected result.
Who needs to undergo an IRAP assessment?
Australian government entities are required to undertake security assessments themselves. This is due to the shared responsibility model, which states that while cloud service providers (CSPs) are responsible for the security of the cloud services they provide, the agency itself is responsible for the security of its own systems and data when using cloud services.
The Australian Signals Directorate (ASD) has developed the Information Security Registered Assessors Program (IRAP) to provide assurance to government agencies that CSPs and their cloud services are suitable for handling government data. However, this assessment is only a starting point, and government agencies must still undertake their own security assessments.
Government agencies must assess the security of their own systems and data when using cloud services. This includes assessing the security controls of the CSP, such as authentication, access control, encryption, logging, and monitoring. It also includes assessing the security of the systems and data deployed to the cloud, such as the configuration of the systems, the security of the data, and the security of the network.
In addition to assessing the security of their own systems and data, government agencies must also assess the security of the CSP’s cloud services. This includes assessing the CSP’s security policies, procedures, and controls, as well as assessing the security of the cloud services themselves. This assessment should be performed on a regular basis to ensure that the CSP’s security controls remain up-to-date and effective.
The ASD has developed the Cloud Security Assessment Report Template (CSART) to help government agencies assess the security of CSPs and their cloud services. This template is used by an IRAP assessor to assess the security of a CSP’s cloud services and is then used by the agency to conduct a risk-based review to determine if the CSP and its cloud services are suitable for handling its data.
Government agencies are also able to conduct their own supplementary assessments when they want to use a CSP’s cloud services that have not been previously assessed. This removes the need to wait for full reassessments before agencies can adopt new cloud services.
In summary, Australian government entities are required to undertake security assessments themselves to ensure the security of their systems and data when using cloud services. The ASD’s IRAP and CSART provide a starting point for assessing the security of CSPs and their cloud services, but it is the responsibility of the government agency to assess the security of their own systems and data and to conduct supplementary assessments when necessary.
What are the controls to be assessed?
During an IRAP (Information Security Registered Assessors Program) assessment, an IRAP assessor evaluates the compliance of a system or service with a set of security controls. These controls are based on the Australian Government Information Security Manual (ISM) and will depend on the classification of the system and information.
The control domains for the ISM are extensive and include:
- Cyber Security Roles
- Cyber Security Incidents
- Security Documentation
- Physical Security
- Personnel Security
- Communications Infrastructure
- Communications Systems
- Enterprise Mobility
- Evaluated Products
- ICT Equipment
- System Hardening
- System Management
- System Monitoring
- Software Development
- Database Systems
- Data Transfers
The ISM is currently updated by ASD on a quarterly basis and ASD releases a change spreadsheet along with materials associated with the most current version.
An IRAP assessment may also encompass assessment against additional requirements including the PSPF, Privacy Act and any industry specific compliance requirements.