We are pleased to announce that we have completed our second ASD IRAP assessment against the Australian Government's Information Security Manual (ISM). The ISM is a very high bar for security and we're proud to have expanded the scope and scrutiny involved in our assessment.
Keep reading to learn more what it involved and how we achieved such a good result that supports our work with Australian Government departments and agencies, state governments and defence industry.
Nobody likes a narrowly scoped assessment despite it sometimes being a useful place to start. We expanded the scope of our second IRAP assessment to ensure that controls related to software development as well as system administrator workstations were in scope and not beyond the boundary of the system.
We built a dedicated 6clicks for Government (Australia) community cloud instance of our 6clicks Governance, Risk and Compliance (GRC) platform to which we applied additional ISM level controls including those related to personnel security. Since then, we've applied our learnings across all our instances.
Our first IRAP assessment was carried in 2021 at the PROTECTED classification level. Since then our 6clicks for Government (Australia) instance has operated at the OFFICIAL: Sensitive level, so our assessment this time around in 2023 was carried out at the OFFICIAL: Sensitive classification level.
Usually it is possible for our customers to avoid putting PROTECTED classified information into our GRC platform. However, if you feel you have a need to do so, we can scale to meet these requirements with a dedicated instance and a differential IRAP assessment.
There's nothing like standing on the shoulders of giants as they say. In this case, we choose Microsoft and its Azure cloud services environment. Through this process we're able to inherit 272 controls from Microsoft's own IRAP assessment mostly related to physical security.
What's better than one IRAP assessor to complete your IRAP assessment? Two! We chose Phronesis Security as the independent IRAP assessors to perform our assessment and we were lucky to have both Elliot Dellys and Barry Grek working in tandem. The resulting report is fair and meticulously detailed.
Do not battle through your IRAP assessment on spreadsheets. It's much easier for you and for your IRAP assessor(s) if you have prepared your System Security Plan (SSP) Annex or Cloud Controls Matrix (CCM) against the ISM controls, and integrated it into your operations and risk management activities.
It is no easy task to complete an IRAP assessment with a positive result even after you've implemented a large number of controls. Before you set out on this journey make sure it is right for you. You should ensure the board and executive team are fully across and support the effort involved.