Information Security Registered Assessors Program (IRAP)
The Information Security Registered Assessors Program (IRAP) enables Australian government customers to validate that appropriate controls are in place and determine the appropriate responsibility model for addressing the requirements of the Australian Government Information Security Manual (ISM) produced by the Australian Signals Directorate (ASD).
Protecting Australian government data from access, abuse and disclosure remains a prime consideration when procuring and leveraging cloud services. AWS recognises that customers rely upon the secure delivery of the AWS infrastructure and the importance of having features that enable the customer to create secure environments. AWS enables customers to meet these objectives by prioritising security in the delivery of its services, through the establishment of a robust control environment, and by making available for use a wide range of security services and features. These services provide comprehensive controls over the customer IT control environment, simplify the management of security services, and provide improved security outcomes for the Australian Government.
AWS is IRAP compliant. An independent IRAP assessor examined the AWS controls, including people, process, and technology, to ensure they address the needs of the ISM. This assessment and Letter of Compliance are the basis on which a Certification Authority gains assurance to certify AWS infrastructure and provide a recommendation to the Accreditation Authority for appropriate use of the platform.
An agency accreditation is the culmination of an IRAP assessment and formal certification by the ASD operating as the Certification Authority for the Australian Government. This certification provides assurance that AWS has in place the applicable controls required by the ISM and is the immediate precursor in accrediting AWS for Australian government workloads.
What IRAP documents are available to me?
In support of our Australian government customers, we provide a package of security guidance and documentation to enhance your understanding of security and compliance while using AWS as a certified cloud services supplier. AWS provides the following publicly available whitepapers:
- Understanding the ASD’s Cloud Computing Security for Tenants in the Context of AWS
- Using AWS in the context of Australian Privacy Considerations
Australian government customers can use our ASD certification and our independent IRAP Assessors Letter of Compliance in order to accelerate their certification and accreditation objectives. The following documents are publicly available:
Additional IRAP documents are available to customers by using AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.
- The Control Implementation Summary
- IRAP Report Stage 2
Additional reports are available that evaluate and test controls implemented by AWS infrastructure and which are available under NDA (as required):
- Service Organisation Controls 1 (SOC1) Type II Report
- Service Organisation Controls 2 (SOC2) Type II Report
- ISO 27001 Certificate & Statement of Applicability
- PCI Attestation of Compliance and PCI Responsibility Summary
A Quick Start is available for users who want to create cloud-based workloads that use AWS controls meeting the ISM requirements for sensitive government data handling at the PROTECTED classification level. It automatically deploys the IRAP PROTECTED Reference Architecture on the AWS Cloud in about an hour. The Reference Architecture demonstrates how multiple AWS services are brought together to support a multi-tier web application with associated security and management services that meet ISM PROTECTED requirements. While this solution implements many of the controls that are outlined in the IRAP PROTECTED Reference Architecture, not all of the recommended controls are included in this Quick Start. Remember to follow the guidance in the IRAP PROTECTED package, available on AWS Artifact, before using this solution to store PROTECTED data.
For more information about the additional reports, see the AWS Compliance FAQs.
Why do I need an IRAP accredited assessor?
IRAP accredited assessors are individuals accredited by the Australian Signals Directorate (ASD) under the Information Security Registered Assessors Program (IRAP) as being appropriately qualified to conduct assessments against the ASD’s control framework, the Information Security Manual (ISM).
IRAP accredited assessors are the only individuals accredited as qualified to perform an assessment of an information and communication technology (ICT) system against the Australian Government Information Security Manual (ISM). An IRAP accredited assessor describes areas of compliance and non-compliance, describes residual risks and remediation actions, and provides recommendations to a Certification Authority on certification.
What is the ISM?
The ISM is the Australian Government Information Security Manual (ISM) published by the Australian Signals Directorate (ASD), an organisation within the Department of Defence that has a mission to protect Australian government systems and information.
The ISM is the standard that governs the security of Australian government information and communication technology (ICT) systems. It complements the Protective Security Policy Framework (PSPF) produced by the Australian Government Attorney-General’s department. Together the ISM and the PSPF provide guidelines for implementing appropriate controls to operate all classifications of workloads in an ICT environment.
Compliance with the ISM is what is used to assess a cloud service provider’s membership of the ASD Certified Cloud Services List, which lists cloud services for which ASD has acted as the certification authority. Certification is required for agencies to have workloads accredited to run on cloud services that are procured through the Department of Finance’s whole-of-government Cloud Services Panel, the primary procurement vehicle for cloud services for the Australian Government.
In October 2014, the Australian Department of Finance and Department of Communications jointly released the Australian Government Cloud Computing Policy 3.0, which mandated a “cloud first” approach for the adoption of cloud services by federal government agencies.
“Under the [Australian] Government’s Cloud Policy agencies now must adopt cloud where it is fit for purpose, provides adequate protection of data and delivers value for money.”
For more about ASD’s role in protecting Australian information security, see Information security (InfoSec) role on the ASD website.
Does AWS meet the requirements of the ISM?
Yes, AWS has been audited by an independent assessor from the Information Security Registered Assessors Program (IRAP). The assessment examined the security controls of Amazon’s people, process, and technology to ensure that they met the needs of the ASD 2014 ISM. For more information, see the IRAP ISM Letter of Compliance on the AWS website.
Where can I find more information about the IRAP program?
Which AWS Regions and services are covered by the IRAP Assessment?
The IRAP assessment and ASD Certification covers the AWS Sydney Region. However, AWS treats all AWS Regions equally in terms of the controls, policies, and processes that are used to operate them. Agencies should assess their workloads and business needs to determine which AWS Region to use.
The covered AWS services that are in scope for the IRAP Assessment can be found on the AWS Services in Scope by Compliance Program webpage.
Can I use other AWS services that are not included in the IRAP Assessment?
Will compliance with the ISM increase AWS service costs?
No, there is no increase in service costs as a result of AWS compliance with the ISM.
Is AWS on the ASD Certified Cloud Services List?
Yes, the Australian Signals Directorate (ASD) has completed an IRAP assessment of AWS and granted ASD Certification for PROTECTED and Unclassified DLM workloads. For more information, see the ASD Certified Cloud Services List (CCSL).
Australian government agencies can significantly reduce their costs and risks by relying upon the deep expertise of the ASD as the Certification Authority to determine that the residual risk of services is well understood and appropriately assessed. This creates a significantly improved security outcome for Australian government departments, while also reducing their costs related to such assessments.