Compliance is a cornerstone for organizations, especially in Australia.
One might assume that established organizations are well-versed in navigating compliance frameworks and aligning their operations with stringent standards. However, when aligning systems with the requirements of the Australian Government, these organizations often face the challenge of shifting from a compliance-based mentality to a more risk-focused approach, as embodied by the Australian Government's Information Security Manual (ISM).
The Australian Government uses the Information Security Manual (ISM) as its “cornerstone” for developing cybersecurity principles to protect systems and data. Although not required as a matter of law for compliance, the ISM holds weight as considered advice by the Australian Signals Directorate (ASD), including when used for conducting security assessments performed by assessors appointed by the ASD.
Assessors registered with the ASD Infosec Registered Assessors Program (IRAP) perform these assessments. These people are required to have an appropriate level of experience as determined by the ASD as well as an understanding of the type of system they are assessing and allow Australian Government customers to validate that appropriate controls are in place for the system being assessed.
In addition, these assessments determine the responsibility model for addressing the requirements of the ISM, including relevant remediation actions and guidance for developing of the system’s plan of action and milestones.
The challenging mindset shift is one that US-based organizations experience when seeking to have their systems assessed by an IRAP assessor, specifically when moving from a compliance-based mentality often found in other cybersecurity frameworks (i.e. SOC2, ISO27K). The following are tips that these organizations can adhere to when going through the IRAP assessment process.
When Starting Out, do not Miss the Forest for the Trees
When obtaining evidence from within your organization for the system being assessed, a general rule of thumb is it is most efficient to collate evidence by ISM guidelines, sections, and topics rather than immediately focusing on individual ISM controls. Although individual controls do require assessing down the track, identifying evidence that can be collated by broader strokes provides clarity on who within your organisation is able to assist in evidence collection and interview discussions with the IRAP assessor. Similarly, this will also help quickly identify entire areas of the ISM that can immediately be determined not applicable to the system, though justification is still required when determining why this is the case with the IRAP assessor.
The End Goal is not Perfection, but Understanding Risk
There is often pressure amongst organizations to maximize their adherence to standardized controls within compliance-based frameworks. However, in contrast the value of an IRAP assessment stems from an understanding of the system’s risk profile, as dependent on the security classification of the data managed by that system. Although organizations should still seek to address applicable controls effectively, it is just as important that alternate controls are identified, and business justifications raised for any controls determined not to require implementation.
When in Doubt, Ask your IRAP Assessor the Question
The process of undertaking an IRAP assessment can be a daunting task for organizations that have little or no experience with either the assessment process or the ISM.
Although it is within the best interests of an IRAP assessor to clearly indicate expectations and required evidence as part of the assessment, organizations working with assessors should still come prepared with their questions should any doubts arise as to how the ISM guidelines, sections, topics, or even individual controls would be reviewed. The System Hardening guideline, in particular, can be challenging even for the most experienced assessor!
For instance, if there is any ambiguity in the wording of a given control, organizations should seek clarity from their IRAP assessor, ideally earlier within the assessment, to ensure appropriate evidence is provided, in turn preventing potential misunderstandings.
The IRAP assessment process can already prove challenging for Australian-based organizations, and the additional hurdles that US-based organizations need to tackle can be managed by leaning towards a risk-focused approach. By collaborating with IRAP assessors and through sufficient preparation, these challenges can be successfully navigated and help streamline the overall assessment process.
Click here to learn more about IRAP Assessments and to book your IRAP Assessment discovery call.
