What IRAP Assessors Do
IRAP assessors are independent specialists accredited by the Australian Cyber Security Centre (ACSC). They evaluate information security controls implemented within systems and solutions against the requirements outlined in the Information Security Manual (ISM). The ISM defines security controls for Australian Government data at varying classification levels – PROTECTED, SECRET, and TOP SECRET. An IRAP assessment doesn’t certify a product or service; it provides an assessment report and a Statement of Compliance detailing the system’s adherence to the ISM.
IRAP in Australian Procurement
Many Australian Government and Critical Infrastructure procurements mandate solutions that have undergone an IRAP assessment. This ensures a baseline level of security for sensitive data. Microsoft Azure Australia’s PROTECTED region, for example, is designed to support workloads requiring IRAP assessment. Typical assessment scopes can include entire cloud environments or specific applications. Assessment costs vary considerably based on scope and complexity; Australian mid-market organisations should budget accordingly, recognising that ongoing maintenance and reassessments are also required to remain compliant.