20th March 2024, Australia.
The Infosec Registered Assessors Program (IRAP) is a key initiative by the Australian Signals Directorate (ASD). Cyber.gov.au states that
"IRAP Assessors are ASD-certified ICT professionals from across Australia who have the necessary experience and qualifications in ICT, security assessment and risk management, and a detailed knowledge of ASD's Information Security Manual." Endorsed IRAP assessors provide high-quality, independent assessments of ICT security and highlight the associated residual risks. To achieve this, ASD sets high standards for security assessments and trains assessors through its training partners, equipping them to provide adequate services.
To qualify as an IRAP assessor, applicants must meet ASD's requirements in four categories: personal qualities, qualifications, demonstrated security experience, and completion of IRAP training and examination. The breakdown of these requirements is presented below. Through these rigorous requirements, ASD sets a high bar that information security professionals must meet to achieve endorsement.
Applicants must be able to provide qualifications from both Category A and Category B.
Applicants need to provide evidence to substantiate five (5) years of technical ICT experience with at least two (2) years of information security experience securing systems using the Australian Government Information Security Manual (ISM) and supporting publications.
Applicants must complete IRAP New Starter Training and pass the IRAP assessor examination. (Disclaimer: These requirements are set by ASD and were accurate at the time of writing, but they are subject to change over time as the program evolves, so always check the current requirements at https://www.cyber.gov.au/irap before undertaking the IRAP journey.)
Over the last ten years as an information security professional, I have gained much experience in governance, risk, and compliance, including auditing. In parallel, I worked on obtaining globally recognised certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), ISO 27001 Lead Auditor, Certified in Risk and Information Systems Control (CRISC) etc. I felt the timing was just right to pursue the IRAP Exam.
I am interested in learning about security frameworks and standards worldwide, particularly in Australia. I believe the best way to gain knowledge about the Information Security Manual is by participating in ASD-approved training offered by the Australian Cyber Collaboration Centre (https://www.cybercollaboration.org.au/irap). I am grateful to my manager and CISO at Pegasystems for sponsoring this training, as it has greatly boosted my knowledge and skills in this area.
During the training, which lasted four and a half days, we took the IRAP Fundamentals and Information Security Manual Fundamentals courses. The exam was conducted on the last half-day of the training. The IRAP Fundamentals part focuses on the assessment process, while the Information Security Manual Fundamentals course concentrates on understanding the ISM controls and the Protective Security Policy Framework. We were able to interact with the IRAP and ISM teams and ask them questions, which helped us understand the "why" behind the program and the manual. It was great to meet the people behind the program as well. The training was enjoyable, as the more experienced participants shared their perspectives and journeys. Our trainer covered the material well and answered our questions patiently and clearly. He also had a great sense of humour. However, he did mention that only 50% of the people who take the exam pass it, and that even experienced security practitioners sometimes fail ☹
Even though the exam is an open-book, multiple-choice exam, there is a time limit of 120 minutes for answering all the questions, and I needed to score 80% to pass. I prepared a lot for the exam, and it was challenging. I was racing against time to reason through and answer the questions. It was a complex and challenging exam for me. I logged off and thought that if I failed, I would get another attempt at the exam, so I was mentally prepared. I emailed the coordinator and asked when the results would be published. She said they would arrive by Friday. They didn't, which made me even more anxious, but they eventually arrived the following Monday.
I received an email with the subject "Congratulations, IRAP Exam Results". I leapt with joy. I passed the exam, scoring 86% in the ISM part and 86.36% in the IRAP part. Even though I have passed the exam now, I have a few more requirements to meet before I apply for ASD's endorsement to call myself an "IRAP Assessor", but as I work toward achieving that goal, I will write another post to share with you, fine people.
Cheers, Thomas Irudayaraj