Best Practice Guide
IRAP and information security
Housed within Australia’s Department of Defence, the Australian Signals Directorate is responsible for guarding the federal government’s information and systems. In this age of digital transformation, the two, information and systems, must be treated cohesively and coherently. After all, vast quantities of sensitive government information and classified intelligence are stored in online systems.
To enhance information security in the midst of wider digital changes, the government employs measures like the ISM, the Australian Government Information Security Manual, which is put out by the Australian Signals Directorate. The ISM is “designed to assist Australian government agencies in applying a risk-based approach to protecting their information and systems… and includes a set of information security controls that, when implemented, will help agencies meet their compliance requirements for mitigating security risks to their information and systems”.
Essentially, the ISM lays out the required technical measures that organizations have to take in order to handle information at various levels of secrecy. Service providers looking to handle sensitive government information must therefore comply with the security dictates spelled out in the ISM. Which brings us to the Information Security Registered Assessors Program, better known as IRAP.
It is IRAP that provides the framework for assessing third-party IT system providers who seek to process, store, and/or transmit government data up to the protected level of classification. The compromise of information held at this level of classification causes damage to the national interest, organizations, or individuals.
So, what, then, does the Assessors program actually do? Well, IRAP provides customers of the Australian government with the validation of their information security controls that they need to handle sensitive government information.