IRAP Compliance | Australian Cybersecurity Standards

What is the Information Security Registered Assessors Program? What does it mean to be compliant with IRAP? Keep reading to find out.

What is IRAP? Information Security Registered Assessors Program (IRAP) assessors assist businesses doing work for the Australian government by independently assessing their cybersecurity posture, identifying risks, and suggesting mitigation measures. This helps ensure that those businesses have the right policies and controls for security to meet Australian Government Information Security Manual requirements.

What Is IRAP?

Australia, like other countries, has implemented significant cybersecurity laws and regulations to address the increasing challenges of hacking, fraud, and state-sponsored attacks. Like any other set of rules, qualified organizations must assess these regulations that can understand the law and how it is applied in real-world situations.

The Information Security Registered Assessors Program is a unique compliance program that attests to the ability of private and public organizations to meet cybersecurity requirements. Independent assessors employ two different sets of guidelines:

• The Information Security Manual: A document of guidelines focused on helping organizations build internal security frameworks based on risk assessment.
• The Protective Security Policy Framework (PSPF): A set of regulations that apply to Australian government agencies that emphasize common security standards.

IRAP sets policies and procedures in place for assessing the assessors against these security standards so that there is a standard of auditing that maintains high-quality security.

In order to earn IRAP certifications, applicants must adhere to several different qualifications:

• Be Australian citizens
• Behave ethically
• Meet all requirements to apply for Negative Vetting Level 1 (NV1), which provides “secret” level clearance

In addition to the above, each applicant must be able to demonstrate qualifications from two different categories, one per category:

Category A	Category B
Certified Information Systems Security Professional (CISSP)	Certified Information Systems Auditor (CISA)
Certified Information Security Manager (CISM)	Payment Card Industry Qualified Security Assessor (PCI QSA)
GIAC Security Leader Certification (GSLC)	ISO 27001 Lead Auditor
	GIAC Systems and Network Auditor (GSNA)
	Certified in Risk and Information Systems Control (CRISC)

Finally, the assessor must have five years of technical information and communication technology, with two years of experience securing systems against Australian government information security regulations. They must then complete the IRAP New Starter Training and assessor examinations.

As can be inferred from the table, it is clear that the potential IRAP assessor should be well-versed in several assessment techniques and certifications. Furthermore, the standard requires, above and beyond the knowledge of Australian cybersecurity law, potential understanding of CISSP, ISO assessment guidelines, Payment Card Industry (PCI) assessment standards, and other frameworks.

What Is the Information Security Manual?

Part of what an IRAP assessor looks for is adherence to the ISM. The core focus of the ISM is to help organizations implement a cybersecurity framework based on risk management practices.

The ISM is codified cybersecurity advice provided by the Australian Cyber Security Centre as part of the Australian Signals Directorate, targeting chief information security officers and chief information officers in businesses and other enterprises. ISM is not strictly required by law unless the organization is working with the government or in another capacity where the law compels them to adhere to the ISM guidelines.

The ISM provides guidelines on an extensive set of IT and cybersecurity infrastructure. Much like the National Institute of Standards and Technology in the United States, the ISM covers guides for security in the following areas:

• Roles: How organizations staff and maintain positions related to cybersecurity—most prominently, the CISO
• Incident response: How the organization detects, manages, and reports hacks or breaches
• Outsourcing: How an organization selects and implements third-party services like cloud infrastructure and applications securely
• Documentation: How an organization documents security plans, policies, and implementations
• Physical security: How organizations physically secure resources like data centers, workstations, offices, and IT equipment
• Personnel security: How to safely and securely hire, onboard, train, allow access, and terminate employees
• Communications infrastructure: How the organization installs and protects communications technology, specifically cabling and Wi-Fi/RF communications
• Communication systems: How organizations protect communication technology like telephones, videoconferencing, fax machines, and digital VoIP services
• Enterprise mobility: How organizations secure the use of IT systems connected to mobile devices, how those devices are secure, and how those devices are provisioned
• System management: How an organization logs events in a system, including incidents, and maintains secure logs for reporting and forensics
• Database systems: How databases are managed and secured as well as how those database platforms are selected
• Email: Use of secure email platforms, secure email with encryption, and avoidance of disclosing sensitive information via email
• Cryptography: Minimum approved requirements for cryptography, including the use of Transport Layer Security, Secure Shell, and S/MIME

For a complete list of guidelines, review the core ISM documentation.

What Is an IRAP Assessment?

An IRAP assessment is authorized and required under ISM for organizations either 1) required by law to seek ISM certification or 2) if an organization wants to achieve certification outside of any legal requirements.

Generally speaking, IRAP assessments are broken into two stages:

• Stage 1: The assessor consults with the assessed party to define the scope of the assessment, understand their IT systems, and reviews a series of documents related to the assessment, including:
  • An overarching Information Security Policy and Threat Risk Assessment
  • A System Security Plan
  • A Security Risk Management Plan
  • An Incident Response Plan
  • A Standard Operating Procedures document

  In addition, the assessor investigates the organization’s IT infrastructure as it relates to these documents and the scope of the assessment, highlighting compliance or lack thereof and documenting ways to mitigate systems that fall short of requirements.

• Stage 2: While Stage 1 is rather thorough, Stage 2 takes that further by digging deeper into the organization’s IT systems. This includes a site visit where the assessor interviews personnel, investigates actual system implementation, audits physical security measures, and generally determines if the actual reality of those systems matches the documentation from Stage 1.

  Additionally, the assessor provides a Stage 2 Security Assessment report that describes the state of the system and further suggestions for remediation.

Different categories of data call for more thorough assessments based on their classifications.

Kiteworks IRAP Compliance Addressing Australian Cybersecurity Standards

The Australian government recognizes the threats to its federal and state agency supply chain, and IRAP plays an important role in ensuring that technology providers and suppliers use technologies that comply with a set of strict governance and security standards. Kiteworks is the only global vendor in the sensitive content communications space to be IRAP assessed to PROTECTED level controls. For federal and state agencies as well as companies conducting business with the Australian government, Kiteworks helps ensure that they retain control of privacy of their data hosted in single-tenancy clouds. The outcome is that there is no intermingling of data, metadata, or shared application resources. Kiteworks also enables third-party risk management (TPRM) by ensuring that sensitive content communications with third parties is protected and governed according to prescribed policies.

IRAP compliance is just one of a number of global compliance standards met by Kiteworks, which includes FedRAMP, General Data Protection Regulation (GDPR), SOC 2, Cybersecurity Maturity Model Certification (CMMC), Federal Information Processing Standard (FIPS), among others. Kiteworks’ single pane of glass through its CISO Dashboard provides organizations with a real-time view on what confidential content is being accessed and by whom, to whom it is being shared and transferred, over what communication channels, and when it occurred.

Schedule a custom demo of Kiteworks to see how it works and to learn more about Kiteworks’ IRAP assessment to PROTECTED level controls.

Back to Risk & Compliance Glossary