Infosec Registered Assessors Program (IRAP)

The Infosec Registered Assessors Program (IRAP) ensures entities can access high-quality security assessment services.

IRAP update

The Australian Signals Directorate is supporting higher standards for security assessments and training through the enhanced Infosec Registered Assessor Program (IRAP).

Following the independent review of its Cloud Services Certification Program (CSCP) and IRAP, ASD has released an updated IRAP policy and new IRAP Assessor Training on 15 December 2020. Changes to the program include:

• Increases to the standard and consistency of cyber security advice provided by IRAP assessors, by requiring assessors to maintain and demonstrate cyber security knowledge.
• Enhanced governance arrangements to provide additional assurance that IRAP assessors are performing their roles as independent third parties.
• A minimum requirement for IRAP assessors to maintain a Negative Vetting Level 1 security clearance.
• A revised five-day IRAP training course, which covers both IRAP and Information Security Manual (ISM) fundamentals.

The updated IRAP policy and training has been co-designed by ASD with government and industry representatives through a series of consultative forums to improve the culture and governance of the program.

IRAP Assessor training is now available through CIT Solutions Pty Ltd and the Australian Cyber Collaboration Centre.

In conjunction with the release of the updated policy and IRAP Assessor Training, ASD is now accepting applications for IRAP assessors.

The policy will apply to all security assessments initiated after 15 December 2020, and current IRAP assessors will have 24 months to meet new requirements outlined in the policy.

ASD will continue to provide updates to the IRAP community on the enhancement of the program.

This web page and the sections below will be updated with new information and resources as they become available.

What IRAP does

IRAP endorses individuals from the private and public sectors to provide security assessment services.

ASD endorses suitably-qualified cyber security professionals to provide relevant services which aim to secure broader industry and Australian Government systems and data.

Endorsed IRAP assessors assist in securing your systems and data by independently assessing your cyber security posture, identifying security risks and suggesting mitigation measures.

IRAP assessors can provide security assessments of SECRET and below for:

• ICT systems
• Cloud services
• Gateways
• Gatekeeper
• FedLink

IRAP assessors do not accredit, certify, endorse or register systems on behalf of ASD. The scope of a security assessment will generally not cover all ISM security controls and a completed security assessment does not inherently imply that a system is compliant with the tested security controls. As such, it is integral for customers to read and understand security assessment reports or letters of completion to determine what a system has been tested against and if it meets their cyber security requirements.