Understanding the Information Security Registered Assessors Program (IRAP)

Cloud EDRMS vendors in Australia have been rushing to obtain IRAP assessments to enhance their attractiveness to the Government market. Government agencies must still do their own self-certification, however, as an IRAP report from a vendor provides just one piece of evidence for that evaluation.

Introduced in 2020 by the Australian Cyber Security Centre (ACSC), the Information Security Registered Assessors Program (IRAP) was designed as a replacement for the Cloud Services Certification Program (CSCP). Its purpose was to allow Government entities to make their own decisions about the potential risks in moving to cloud-based systems. 

To evaluate the risks, Agencies must evaluate the cloud platform against the ACSC’s Cloud Security Controls Matrix. This is a voluntary process and IRAP assessments are not mandatory for agencies adopting an EDRMS.

Different protocols apply depending on the security rating of an agency's systems: for TOP SECRET systems, security assessments can be undertaken by ASD assessors (or their delegates), while for SECRET and below, security assessments can be undertaken by an organisation's own assessors or by IRAP Assessors.

IRAP applies to all Australian federal, state, and local government agencies that use cloud services.

New Zealand government agencies require compliance with a standard similar to the Australian Government ISM, so they may also use the IRAP assessments.

Enterprise Information Management specialist and EDRMS vendor iCognition is undergoing an independent third-party assessment for IRAP at PROTECTED classification for its cloud service EDRMSaaS.

iCognition CTO/CISO Rohan Ahluwalia, a Certified Information Systems Security Professional (CISSP), said, “This assessment will form the basis for Commonwealth entities to conduct a risk-based review to determine if the cloud service provider (CSP) and its cloud services are suitable for handling its data.

“However, Commonwealth entities are to continue to self-assess or procure the services of an IRAP assessor to assess their own systems deployed to the cloud, as well as their responsibilities as defined in the shared responsibility model. Commonwealth entities remain responsible and accountable for their own assurance and risk management activities.”

“IRAP opens doors for Australian Federal, State, Local governments, and Regulatory industries to control their increasing costs of information security and focus on delivering value by making their information accessible in an easy and useful way.”

A spokesperson for the ACSC told IDM, “An IRAP assessor cannot accredit, authorise, certify, endorse or register systems on behalf of a government organisation, nor can a vendor. Statements referring to IRAP accreditation, certification, endorsement, registration for systems, services, or software are inaccurate.”

The ASD publishes a list of IRAP Assessors on its website; however, it does not publish a list of IRAP-assessed cloud service providers. The customer of an IRAP-assessed cloud service provider must rely on an assessment report from an IRAP assessor bearing the official IRAP logo.

According to an EDRMS consultant at one Australian solution provider, “If you’re a vendor you can’t tell a government agency what IRAP outcome they will achieve by using your service. They must assess the end-to-end outcome and make a recommendation to the relevant delegate inside the organisation.

“For many smaller government organisations, such as a municipal council, IRAP certification of a cloud system is meaningless because nothing else in their IT world is that secure. Your cybersecurity is as strong as your weakest link, and if you’re adopting a very secure cloud service on a non-secure desktop and network environment and your staff are not security cleared, all you are doing is undermining the concept of a certified PROTECTED level service.”

A spokesperson for the ACSC told IDM, “Personnel vetting is one such control which contributes to the overall security of a system, and should be considered by government organisations when self-authorising use of cloud services.”

Ryan Harris, General Manager at Kapish, said: “For organisations looking to improve their security posture, we offer the opportunity for them to transition to an out-of-the-box IRAP PROTECTED solution. Kapish Content Manager Cloud meets the requirements of IRAP PROTECTED and provides an immediate step-change in security for our customers.

“As a scalable cloud-based solution, customers leverage the security investments we have made, and realise a reduced total cost of ownership and implementation time frames,” said Harris.

CSIRO, Austrade and NSW Crown Solicitors Office are among the customers leveraging the Kapish Content Manager Cloud IRAP PROTECTED solution.

“With the sharp increase in global cyber security threats, we are finding Federal and State agencies require IRAP PROTECTED solutions as their standard moving forward.” - Kapish General Manager Ryan Harris.

According to one Federal Government Security Consultant and Advisor, “Let’s take Microsoft 365 for example: the cloud has been assessed to PROTECTED level by Microsoft, but as a customer of that system I can go in and configure it such that it does not meet requirements for PROTECTED.

“Even though an individual cloud service provider (CSP) is assessed to PROTECTED level, the customer configuration of that still requires going over with a very fine-tooth comb to make sure that the individual customer configuration then meets requirements.

“The IRAP assessment is a risk assessment process, and as an organisation you can mark security controls that are not applicable and have your organisation’s Chief Information Security Officer or Chief Technology Officer or whatever sign off on that risk, and say ‘I am happy with that’. So, an IRAP assessment from that perspective is a risk assessment exercise.

“A vendor can say they are happy with the risk of not complying with a particular security control; if that’s the case, then the vendor has accepted the risk, and whoever adopts that technology has to also accept that risk, and they may not know, because all they see is that the company has received an authority to operate for IRAP.

“A vendor can say they’ve been IRAP-assessed and their product meets the requirement for PROTECTED level but until you go into the details and ask for the full report and assessment – and also you need somebody who understands these reports to be able to review them – you’ll never know what security controls have been omitted.

“The underlying services of a CSP may be IRAP-assessed, but implementation for Organisation A and Organisation B may be very different.”