IRAP – Information Security Registered Assessors Program
The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD, formerly DSD) initiative to provide high-quality information and communications technology (ICT) services to government in support of Australia's security.
ASD endorses qualified ICT professionals, against ASD requirements, to provide quality ICT security services aiming to best secure Australian government information and associated ICT systems.
IRAP provides the framework to endorse individuals from across the private and public sectors to provide cyber security assessment services to Australian governments. Endorsed IRAP Assessors will provide an independent assessment of ICT security, suggest mitigations and highlight associated residual risk. It is the aim of IRAP to assist in safeguarding Australian government information.
- IRAP Assessors may provide assessment up to the TOP SECRET level for:
- IRAP Assessor training and assessment is facilitated by BAE Systems Detica and Saltbush Group for ASD. A dedicated ASD IRAP website is under development.
- Assessment and certification activities are based on the principles of the Australian Government Protective Security Policy Framework and Information Security Manual.
- Updated IRAP documentation and guides are available (October 2013).
- Audit guides are no longer available. ASD recommends using the Protective Security Policy Framework and Information Security Manual Controls.
How to become an IRAP Assessor
Applicants will be eligible for IRAP Assessor training and examinations when evidence of the following prerequisites is emailed to ASD IRAP Management:
- relevant secondary and tertiary education
- a minimum of a Baseline security clearance – see Australian Government Security Vetting Agency for further details
- two certifications - one from column A and one from column B
| A | B |
| --- | --- |
| CISM - Certified Information Security Manager | CISA - Certified Information Systems Auditor |
| CISSP - Certified Information Systems Security Professional | CRISC |
| | ISO 27001 Lead Auditor |
| | PCI QSA |
- a minimum of 5 years ICT experience with 2 years of information security experience
- contact details of two referees who can attest to the applicant's ICT and/or auditing experience and competence.