It is unlikely Redacted consultants will be engaged to sit in your office from 9 to 5 each day to complete the IRAP. Redacted conducts the bulk of the assessment remotely, unless there is a compelling reason to perform the documentation assessment onsite. This can be done using Redacted corporate cloud systems where the system documentation is below PROTECTED. Where the system documentation is PROTECTED or above Redacted will conduct the documentation assessment remotely, using infrastructure provided by the client.
After the initial report is delivered, Redacted assessors will decide which formats of evidence are required to assess physical implementation of controls as described in documentation. These could include interviews, witnessing configurations on screen, screenshots of configurations, or in some cases even parsing a standard operating environment disk image. Some of the evidence gathering can be conducted remotely, and some will require assessors to physically attend a location with a system administrator, or system component. Where possible Redacted chooses to work remotely.
After evidence is gathered a final report will be made, and a review process follows. We find it is necessary to conduct a face to face meeting at the delivery of the initial report to go through the final report.