Defence Signals Directorate: Reveal their secrets... Protect our own

IRAP: Infosec Registered Assessor Program


Infosec Registered Assessor Program

IRAP is a combination of activities to endorse and register IT security assessors as competent to assess up to HIGHLY PROTECTED and RESTRICTED level information security systems in accordance with Commonwealth information security standards and policy documents.

Registered assessors are endorsed to conduct specific information security assessments to Commonwealth best practice policy standards.

What is IRAP?

The Infosec Registered Assessor Program (IRAP) is an initiative of the Defence Signals Directorate and is designed to register suitably qualified information security assessors to conduct work to Commonwealth best practice standards. The program has been developed to the Commonwealth's strict requirements and is administered by Securelink.

IRAP registration can only occur once an individual has successfully completed the registration process. This process involves the following requirements:

1. Demonstration of relevant industry education, certification and experience;
2. Attending the IRAP course; and
3. Passing the IRAP exam.

To pass the IRAP exam, applicants need a very good understanding of Commonwealth information security policy, including the Commonwealth Protective Security Manual (PSM) and the Australian Government Information Security Manual (ISM). Applicants also need a good understanding of IRAP policy and procedural requirements, aspects of Commonwealth information security requirements including those for FedLink, and an understanding of information system audit principles.

Individuals who have qualified as IRAP assessors are endorsed to carry out information security work to Commonwealth best practice standards up to HIGHLY PROTECTED and RESTRICTED level, including:

  • Gateway assessments
  • Information System Reviews (Commonwealth policy compliance reviews)
  • FedLink connection assessments, and
  • FedLink audits.

An Internet-based register of IRAP assessors has been established as part of the program and is managed by Securelink Pty. Ltd.: www.irap.securelink.com.au. The register contains endorsement and business contact details for IRAP assessors. It also contains helpful information about IRAP, including application closing dates, applicant training session schedules and venue details.

It is envisaged that Commonwealth agencies (and other organisations with similar needs) that would normally request the DSD to assess up to HIGHLY PROTECTED and RESTRICTED level systems will use the Program and its associated Register as a means of selecting qualified assessors to carry out the assessments, using IRAP endorsement as a reference of competency. The selection of assessors registered in the Program would be on a commercial competitive basis.

Program Operation

Securelink Pty. Ltd. has been appointed as the Program administrator. All the details of IRAP operation, including requirements, administration procedures, administrator contact details and fees, are contained in the IRAP Policy and Procedures (www.irap.securelink.com.au).

IRAP Documents

Gateway/CDS Information Security Assessment Guide (incorporating checklist)

Version | PDF | DOC | ISM Conformance
5.0 | [PDF, 312KB] | [DOC, 277KB] | September 2009

 

Gateway Certification Guide* (superseded December 2009)

IRAP FedLink Audit Checklist [PDF, 108KB]    
Gateway Certification Checklist V3.0.0 [PDF, 459KB] [DOC, 271KB]  
Information System Review Checklist V4.0.0 [PDF, 672KB] [DOC, 441KB]  
Gatekeeper Guidelines and Checklist V3.0.1 [PDF, 219KB] [DOC, 564KB]  
IRAP Gateway Certification Report Template [PDF, 234KB] [RTF, 458KB]  

 
