IRAP (Information Security Registered Assessors Program)
IRAP—the Information Security Registered Assessors Program—provides a framework for assessing the implementation and effectiveness of an organization’s security controls against the Australian government’s security requirements, as outlined in the Information Manual (ISM) and Protective Security Policy Framework (PSPF). IRAP was created by the Australian Cyber Security Center (ASCS) which is a part of the Australian Signals Directorate (ASD).
Previously, IRAP certification meant an organization would be listed on the ASD's Cloud Services List (CCSL). In July 2020, the ACSC deprecated the CCSL and concurrently released the Cloud Security Guidance package. This guidance provides organizations, cloud service providers (CSPs), and IRAP assessors with a framework on how to perform a comprehensive assessment of CSPs in order to make a risk-informed decision about their suitability to handle organizations’ data.
An independent third-party assessor evaluated Google Cloud Platform and Google Workspace against OFFICIAL and PROTECTED ISM controls, and found both to be strongly aligned with PROTECTED level control requirements. These requirements include guidelines for cyber security roles, detecting and managing cyber security incidents, physical and personnel security, system hardening, networking, and cryptography. The evaluation was performed based on the ACSC’s updated IRAP framework, outlined in the Cloud Security Guidance package.
IRAP certification not only provides a path for our customers to work with the Australian government, it also opens the door for Australian federal, state, and local government agencies to store data and run workloads on GCP and Google Workspace.