Information Security Registered Assessors Program (IRAP)
The Information Security Registered Assessors Program (IRAP) enables Australian government customers to validate that appropriate controls are in place and determine the appropriate responsibility model for addressing the requirements of the Australian government Information Security Manual (ISM) produced by the Australian Cyber Security Centre (ACSC).
Protecting Australian government data from unauthorized access and disclosure remains a prime consideration when procuring and leveraging cloud services. AWS recognises that customers rely upon the secure delivery of the AWS infrastructure and the importance of having features that enable them to create secure environments. AWS enables customers to meet these objectives by prioritising security in the delivery of its services, through the establishment of a robust control environment, and by making available for use a wide range of security services and features. These services provide comprehensive controls over the customer IT control environment, simplify the management of security services, and provide improved security outcomes for the Australian government.
AWS Cloud services have been assessed as ISM compliant. An independent IRAP assessor examined the AWS controls, including people, processes, and technology, against the requirements of the ISM. This assessment provides assurance that, in respect of the assessed products, AWS has in place the applicable controls required for Australian government workloads at the PROTECTED level.
What is the impact since the cessation of CSCP and CCSL?
On Monday, 2 March 2020 the Australian Signals Directorate (ASD) and the Digital Transformation Agency (DTA) announced the results of the review of the Cloud Services Certification Program (CSCP) and Information Security Registered Assessors Program (IRAP). The review made the following recommendations:
- Close the CSCP and create new co-designed cloud security guidelines with industry
- Grow and enhance IRAP
- Establish Government and Industry Consultative Forums for cyber security
- Update incentives in Procurement and Administrative Instructions and Guidance to reflect the cessation of the CSCP
As of March 2, 2020, the ASD is no longer the Certification Authority and has ceased all certification activities, including re-certification activities. All ASD certifications and re-certification letters will be void from July 27, 2020, and the Australian government Information Security Manual (ISM) has been updated to remove the requirement to select cloud services from the Certified Cloud Services List (CCSL).
Under the Australian government Secure Cloud Strategy, Commonwealth agencies are able to self-assess cloud services using practices already used to assess ICT systems.
On July 27, 2020, the Australian Cyber Security Centre (ACSC) and the Digital Transformation Agency (DTA) released new Cloud Security Guidance co-designed with industry to support the secure adoption of cloud services across government and industry. AWS continues to undertake IRAP assessments to maintain currency of the assessment and to onboard new services. Commonwealth entities will continue to be responsible for their own assurance and risk management activities. In accordance with the Australian government Secure Cloud Strategy, Commonwealth entities are able to self-assess cloud services using practices already used to assess ICT systems. ASD will enhance existing cloud security guidance through the development of co-designed guidelines with industry. These guidelines will further aid Commonwealth entities and Australian businesses to increase their cyber security and resilience.
To date, ASD has developed a number of useful guides for organisations to undertake the appropriate security assessments in relation to cloud services. It is recommended that any assessment clearly addresses the security controls in the ISM, and ASD cloud security guidance, including:
The DTA continues to encourage Commonwealth agencies to use the Australian government Secure Cloud Strategy to support their adoption of cloud services.
What IRAP documents are available to me?
In support of our Australian government customers, we provide a package of security guidance and documentation to enhance your understanding of security and compliance while using AWS. AWS provides the following publicly available material:
- Understanding ASD’s Cloud Computing Security for Tenants in the Context of AWS
- Using AWS in the context of Australian Privacy Considerations
- New Quick Start deploys the Compliance IRAP PROTECTED Reference Architecture on the AWS Cloud
You can access the IRAP PROTECTED pack via AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console or learn more at Getting Started with AWS Artifact. This information provides the ability to plan, architect, and self-assess systems built in AWS under the Australian government Secure Cloud Strategy. This pack gives public sector customers everything needed to evaluate AWS at the PROTECTED level and helps individual agencies simplify the process of adopting AWS services. Documentation in the pack includes:
- The Compliance Letter;
- The Control Implementation Summary;
- IRAP Stage 2 Report;
- Reference Architecture; and
- Consumer Guide.
Additional reports that evaluate and test controls implemented by AWS infrastructure are available under NDA (as required):
- Service Organisation Controls 1 (SOC1) Type II Report;
- Service Organisation Controls 2 (SOC2) Type II Report;
- ISO 27001 Certificate and Statement of Applicability; and
- PCI Attestation of Compliance and PCI Responsibility Summary.
A Quick Start is available for users who want to create cloud-based workloads that use AWS controls meeting the ISM requirements for sensitive government data handling at the PROTECTED classification level. It automatically deploys the IRAP PROTECTED Reference Architecture on the AWS Cloud in about an hour. The Reference Architecture demonstrates how multiple AWS services are brought together to support a multi-tier web application with associated security and management services that meet ISM PROTECTED requirements. While this solution implements many of the controls that are outlined in the IRAP PROTECTED Reference Architecture, not all of the recommended controls are included in this Quick Start. Remember to follow the guidance in the IRAP PROTECTED package, available on AWS Artifact, before using this solution to store PROTECTED data.
For more information about the additional reports, see the AWS Compliance programs.
Why do I need an IRAP accredited assessor?
IRAP accredited assessors are ICT professionals from across Australia who are accredited by the Australian Signals Directorate (ASD) under the Information Security Registered Assessors Program (IRAP) as being appropriately qualified to assess information and communication technology (ICT) systems against ASD’s control framework, the Information Security Manual (ISM).
IRAP assessors have the necessary experience and qualifications in ICT, security assessment and risk management, and a detailed knowledge of Australian government information security compliance requirements.
What is ISM?
The Australian government Information Security Manual (ISM) outlines a cyber security framework that organisations can apply to protect their information and communication technology (ICT) systems from cyber threats. It complements the Protective Security Policy Framework (PSPF) produced by the Australian government Attorney-General’s department. The ISM and the PSPF provide guidelines and obligations for Commonwealth agencies in implementing appropriate controls in an ICT environment. In addition, Commonwealth agencies should consider relevant guidance published specifically by or for them.
In 2017, the Digital Transformation Agency (DTA) worked with other government bodies and industry to develop the Secure Cloud Strategy. The strategy focuses on helping government agencies use cloud technology.
The ISM is published by the Australian Cyber Security Centre (ACSC), the Australian government’s lead organisation on national cyber security and a part of the Australian Signals Directorate (ASD).
For more about ACSC’s role in promoting and improving Australian cyber security, see the Cyber Security webpage on the ASD website or the ACSC website.
Does AWS meet the requirements of the ISM?
Yes, AWS Cloud services have been assessed by an independent IRAP assessor. The assessment examined the security controls of Amazon’s people, processes, and technology. This assessment provides assurance that, in respect of these products, AWS has in place the applicable controls required for Australian government workloads at the PROTECTED level. For more information, you can also go to AWS Artifact to access the IRAP PROTECTED pack from the most recent assessment.
Where can I find more information about the IRAP program?
Which AWS Regions and services are covered by the IRAP assessment?
The IRAP assessment covers in-scope services in the AWS Sydney Region. The AWS services that are in scope for the IRAP assessment are listed on the AWS Services in Scope by Compliance Program webpage.
Can I use other AWS services that are not included in the IRAP assessment?
Yes, subject to compliance with applicable regulations, policies and guidelines that govern your use of cloud services. If a service you want to use is not listed on the AWS Services in Scope by Compliance Program webpage, you can evaluate your workloads for suitability with other AWS services.