6clicks completes latest IRAP assessment with flying colours
We are pleased to announce that we have completed our second ASD IRAP assessment against the Australian Government's Information Security Manual (ISM). The ISM is a very high bar for security and we're proud to have expanded the scope and scrutiny involved in our assessment.
Keep reading to learn more about what it involved and how we achieved such a good result, one that supports our work with Australian Government departments and agencies, state governments and the defence industry.
Learn how to get positive results from an IRAP assessment
1. Establish a justifiably broad scope
Nobody likes a narrowly scoped assessment despite it sometimes being a useful place to start. We expanded the scope of our second IRAP assessment to ensure that controls related to software development as well as system administrator workstations were in scope and not beyond the boundary of the system.
2. Build a dedicated government instance
We built a dedicated 6clicks for Government (Australia) community cloud instance of our 6clicks Governance, Risk and Compliance (GRC) platform, to which we applied additional ISM-level controls including those related to personnel security. Since then, we've applied our learnings across all our instances.
3. Choose the classification carefully
Our first IRAP assessment was carried out in 2021 at the PROTECTED classification level. Since then our 6clicks for Government (Australia) instance has operated at the OFFICIAL: Sensitive level, so our assessment this time around in 2023 was carried out at the OFFICIAL: Sensitive classification level.
Usually it is possible for our customers to avoid putting PROTECTED classified information into our GRC platform. However, if you feel you have a need to do so, we can scale to meet these requirements with a dedicated instance and a differential IRAP assessment.
4. Inherit controls
There's nothing like standing on the shoulders of giants, as they say. In this case, we chose Microsoft and its Azure cloud services environment. Through this process we're able to inherit 272 controls from Microsoft's own IRAP assessment, mostly related to physical security.
5. Select well-regarded IRAP assessor(s)
What's better than one IRAP assessor to complete your IRAP assessment? Two! We chose Phronesis Security as the independent IRAP assessors to perform our assessment and we were lucky to have both Elliot Dellys and Barry Grek working in tandem. The resulting report is fair and meticulously detailed.
6. Use a GRC system
Do not battle through your IRAP assessment on spreadsheets. It's much easier for you and for your IRAP assessor(s) if you have prepared your System Security Plan (SSP) Annex or Cloud Controls Matrix (CCM) against the ISM controls, and integrated it into your operations and risk management activities.
7. Get commitment at all levels
It is no easy task to complete an IRAP assessment with a positive result, even after you've implemented a large number of controls. Before you set out on this journey, make sure it is right for you. You should ensure the board and executive team are fully across the effort involved and support it.
Written by Andrew Robinson
Andrew started his career in the startup world and went on to perform in cyber and information security advisory roles for the Australian Federal Government and several Victorian Government entities. Andrew has a Masters in Policing, Intelligence and Counter-Terrorism (PICT) specialising in Cyber Security and holds IRAP, ISO 27001 LA, CISSP, CISM and SCF certifications.