IRAP Reports in Practice
Demystifying How IRAP Reports Are Consumed Inside Government
Written by: Hareen Siriwardena
16 March 2026
IRAP Assessments have become a critical requirement for Cloud Service Providers (CSPs), Managed Service Providers (MSPs), and SaaS vendors selling to the Australian Government. This paper provides an inside view of how departments interpret IRAP findings, assess risk, and make system authorisation decisions.
How Australian Government Departments and Agencies Use IRAP Reports
For many vendors, government procurement feels like a black box. You’re asked to obtain an IRAP Report. You Google IRAP Assessor Australia. You engage an IRAP Assessor, engineering teams document controls, prepare evidence, and an IRAP Assessment is performed and a report delivered. The report is submitted… and procurement progresses. But what actually happens next? This blog lifts the curtain.
Setting the Landscape
All Australian Government entities must comply with the Protective Security Policy Framework (PSPF). Under PSPF Section 13 – Technology Lifecycle Management, departments must ensure all technology is authorised to operate or be used in the entity. The authorisation process ensures that an appropriate level of security is being applied to the technology system and that residual security risks have been accepted by the relevant authority. The appropriate level of security is determined by the implementation of controls from the Information Security Manual. This approach also provides confidence that the technology system meets security objectives and addresses known security vulnerabilities. An IRAP Report by an ASD-endorsed IRAP assessor is an independent security assessment used in this authorisation decision. This is where IRAP Reports become foundational to procurement and system authorisation.
What is (and isn’t) an IRAP Report
An IRAP report is an independent cybersecurity assessment conducted by an ASD-endorsed assessor. It evaluates a system or cloud service against the Australian Signals Directorate Information Security Manual (ISM), commonly called the ASD Information Security Manual, the Information Security Manual (ISM), or the ACSC ISM. The ISM control set forms the backbone of Government cybersecurity compliance.
Typical IRAP Report Coverage
An IRAP report provides detailed assurance across:
- The Organisation - Ownership, locations, hosting arrangements
- Organisational Security Certifications - ISO27001, SOC 2, FedRAMP, etc.
- Organisational Governance & Risk Management - Enterprise risk, personnel security, change management
- Cloud / System Architecture
- Dependencies & Control Inheritance
- Administrative Environments
- Cloud Service Environments
- Shared Responsibility Model and the controls the consumer is required to implement
- ISM Controls - Ineffective, alternate, or not implemented controls
How Government Departments Use IRAP Reports
IRAP reports support multiple phases of the procurement and security lifecycle.
Procurement & Vendor Due Diligence
Every federal procurement process requires cyber due diligence. As outlined in the earlier section, IRAP reports also contain a lot of organisation-specific detail, which has been independently verified by an IRAP assessor. Vendors that enter the market with a high-quality, completed IRAP report typically experience faster procurement and reduced assurance overhead. This is particularly true for SaaS services competing in crowded panels or marketplaces.
Control Inheritance, Shared Responsibility and Consumer Guidance
IRAP Reports and the supporting Cloud Security Controls Matrix generally outline the controls that an entity inherits from either the Cloud Service Provider or the SaaS Provider. Controls such as the Guidelines for Physical Security and the Guidelines for Infrastructure are generally inherited from Cloud Service Providers such as Amazon Web Services or Microsoft Azure, whilst a SaaS provider may take care of operating system and application patching. Each cloud platform, service and application is different. The IRAP report helps clearly articulate the responsibilities of the service provider and of the entity consuming the service.
IRAP Reports also provide consumer guidance, outlining the controls the entity should implement to use the system securely. This may involve controls such as client-side encryption of data that is stored outside of Australia, or enabling phishing-resistant multifactor authentication.
Security Documentation Development
As part of internal system authorisation, government entities are required to develop ‘system authorisation packs’. As both the Cloud Service Provider and the government entity are unable to independently verify the system architecture and the implementation and effectiveness of controls, the IRAP report is relied on heavily to provide this information to support the development of internal documentation. These documents may include:
- Concept of Operations
- System Security Plans
- SSP Annex A mappings
- Shared Responsibility Models
- Standard Operating Procedures
- Security Risk Management Plans
- Continuous Monitoring Plans
- Incident Response Plans
The depth of the above documents is dependent on how much responsibility the consumer assumes in the Shared Responsibility Model.
Risk Assessments and Authorisation Decisions
Australian government security teams rely on IRAP Reports to gain an understanding of the service provider's security posture as well as the service being consumed. If IRAP reports were unavailable, individual entities would need to conduct detailed independent audits themselves, which, given the growth of cloud services, is an unsustainable model. Government entities consider the findings in the IRAP report, along with their use of the system, to determine the risk they face in using the system. If an IRAP Report has uncovered significant ISM implementation gaps in vulnerability management and patching, it will generally be assumed that the system they intend to use will not be patched effectively and may be subject to exploitation of vulnerabilities, giving malicious actors access to government data. If significant gaps are identified in the review of the IRAP Report, the system may not be authorised, or may be authorised with a HIGH or CRITICAL risk rating, requiring the government system owner to accept an unfavourable risk when using the system. Therefore, it is commercially critical to demonstrate close alignment to the ASD Information Security Manual through the IRAP Report.
Continuous Assurance and Lifecycle Management
IRAP reports support ongoing PSPF compliance, not just the initial procurement activity.
Agencies use IRAP reports for:
- System reassessments
- Assurance of service threat-landscape management
- Verifying new ISM controls are considered and implemented by the service
- Delta IRAP Audits after architecture change
- Continuous monitoring inputs
- Re-authorisation triggers
Expired reports can halt procurement or force last-minute reassessment requests.
This makes IRAP preparation and continuous compliance essential. It’s not just a one-off exercise.
IRAP reports for cloud service providers and managed service providers are valid for 24 months.
Why IRAP Preparation Matters
Approaching IRAP as a late-stage compliance exercise is costly. IRAP should be considered as a functional requirement and supporting compliance developed alongside the product or service. Navi by CanIComply can assist you on this journey. Contact us for a demonstration on how you can accelerate your IRAP journey and minimise maintenance overhead.