Contact us

No. The IRAP code of conduct dictates that IRAP assessors must be independent and unbiased. We cannot assess a system that we have had any input into creating. You can choose to hire Redacted to create your security planning, and documentation in line with the ISM, or you can hire us to perform the IRAP assessment.

An assessment can take anywhere from 2 – 6 months. Smaller systems, with a short technology stack can take as little as two months. The larger the system, the longer it will take. In 99% of cases assessment delays are caused by the client organisation. This most commonly happens either just before, or just after the initial report is delivered. Often it is derived from an idea that system documentation and control implementation can be done during the IRAP assessment after some higher risk items have been located. However, it is not possible to do this, and we advise organisations to make themselves ready for the assessment before Stage 1 begins.

Redacted prices every assessment bespoke. In our initial scoping meeting we will require information about the system so we can get an idea of the boundaries, stack, and architecture of what is being looked at. This then allows us to determine how long the assessment will take, how complex it will be, and how much it will cost to complete it.

Redacted charges a flat fee (rather than time based rates) for all IRAP consulting. We believe this represents a greater value for money and cuts straight to purpose of IRAP assessments. The purpose of an IRAP assessment is to provide a report, which contains within a risk based assessment of the implementation of security controls on the system as they align to the Information Security Manual. The number of hours or days it takes the IRAP assessors is not relevant to the quality of the report, nor it’s utility. Because of this Redacted does not consider contracting by the hour or day to be a credible method of engagement for IRAP assessments. There is greater certainty in this method for the client, as they have known expenditure as well as an assurance of quality without continuing to keep a contractor on board for review cycles.

Whilst the ISM is not prescriptive in nature, it states that the following documentation should be held at a minimum:

1. System security plan
2. Incident response plan
3. Continuous monitoring plan
4. Plan of action and milestones

The fifth document outlined in the ISM, the Security Assessment Report, is created through the IRAP process.

Additionally, the following documents should be held if the system owner considers them relevant to the system:

1. Authorised radio frequency and infrared device register
2. Business continuity and disaster recovery plan
3. Cable labelling processes and procedures
4. Cable register
5. Cryptographic key management processes and procedures
6. Cyber security communication strategies
7. Cyber security incident register
8. Data backup processes and procedures
9. Database registers
10. Data restoration processes and procedures
11. Data transfer processes and procedures
12. Denial of service response plan
13. Digital preservation policy
14. Email usage policy
15. Event logging policy
16. Floor plan diagram
17. ICT equipment destruction processes and procedures
18. ICT equipment disposal processes and procedures
19. ICT equipment management policy
20. ICT equipment register
21. ICT equipment sanitisation processes and procedures
22. Intrusion detection and prevention policy
23. Managed service register
24. Media destruction processes and procedures
25. Media disposal processes and procedures
26. Media management policy
27. Media sanitisation processes and procedures
28. Mobile device emergency sanitisation processes and procedures
29. Mobile device management policy
30. Mobile device usage policy
31. Multifunction device usage policy
32. Network diagrams
33. Outsourced cloud service register
34. Patch management processes and procedures
35. Removable media register
36. Removable media usage policy
37. Software register
38. System administration processes and procedures
39. Telephone system usage policy
40. Vulnerability disclosure policy
41. Vulnerability disclosure processes and procedures
42. Web usage polic

All security related documentation should be provided to the assessors in the first instance, including all policies and procedures referenced in this documentation. Delays in providing documentation can result in delays in producing the IRAP report.

It is unlikely Redacted consultants will be engaged to sit in your office from 9 to 5 each day to complete the IRAP. Redacted conducts the bulk of the assessment remotely, unless there is a compelling reason to perform the documentation assessment onsite. This can be done using Redacted corporate cloud systems where the system documentation is below PROTECTED. Where the system documentation is PROTECTED or above Redacted will conduct the documentation assessment remotely, using infrastructure provided by the client.

After the initial report is delivered, Redacted assessors will decide which formats of evidence are required to assess physical implementation of controls as described in documentation. These could include interviews, witnessing configurations on screen, screenshots of configurations, or in some cases even parsing a standard operating environment disk image. Some of the evidence gathering can be conducted remotely, and some will require assessors to physically attend a location with a system administrator, or system component. Where possible Redacted chooses to work remotely.

After evidence is gathered a final report will be made, and a review process follows. We find it is necessary to conduct a face to face meeting at the delivery of the initial report to go through the final report.