Cyber Security Audit Assessment

CyberAssured offers cybersecurity audit and assessment services to help businesses identify vulnerabilities. Our team conducts in-depth assessments of your systems, processes, and policies to identify potential risks. We then provide you with actionable recommendations to mitigate those risks and enhance your overall cybersecurity.


Audit Assessment Services for Cybersecurity Solutions

IRAP Assessment

The InfoSec Registered Assessors Program (IRAP) is an Australian government cybersecurity assessment and certification program. It is designed to help organizations ensure that their IT systems and services meet the Australian government's security standards. 

The IRAP program is managed by the Australian Signals Directorate (ASD), which is responsible for providing cybersecurity guidance and support to the Australian government. The program consists of a network of independent security assessors who are authorized by the ASD to assess and certify the security of IT systems and services. 

Organizations that participate in the IRAP program can have their IT systems and services assessed for compliance with the Australian government's Information Security Manual (ISM). The ISM is a comprehensive set of security guidelines that outlines the requirements for protecting government information and IT systems. 

The IRAP program has several levels of certification, which reflect the level of security required for the IT system or service being assessed. These levels range from "Baseline" (which is the minimum level of security required for all government systems) to "Protected" (which is the highest level of security required for systems that handle sensitive or classified information). 

The IRAP program is primarily aimed at organizations that provide IT services to the Australian government, but it is also available to private sector organizations that wish to demonstrate their compliance with the government's security standards. 

ISO 27001 Assessment 

ISO 27001 is an internationally recognized standard that specifies the requirements for establishing, implementing, maintaining, and continuously improving an information security management system (ISMS) within an organization. An ISO 27001 assessment is an evaluation of an organization's compliance with the standard. 

ISO 27001 assessments typically involve a review of an organization's policies, procedures, and technical controls related to information security. The assessment is conducted by an independent auditor who is qualified and experienced in information security management. 

The assessment process typically involves the following steps: 

  • Scoping - the auditor works with the organization to identify the scope of the assessment, which includes defining the boundaries of the ISMS and identifying the assets that need to be protected. 
  • Gap analysis - the auditor compares the organization's existing policies, procedures, and controls against the requirements of the ISO 27001 standard, identifying any gaps or areas for improvement. 
  • Risk assessment - the auditor helps the organization identify and assess the risks to its information assets, based on the likelihood of an event occurring and the potential impact of that event. 
  • Remediation - the organization takes action to address any gaps or deficiencies identified in the assessment, by implementing new policies, procedures, or controls. 
  • Certification - once the organization has addressed any gaps or deficiencies, the auditor conducts a final review to confirm that the organization is compliant with the ISO 27001 standard. If the organization meets the requirements of the standard, it is awarded an ISO 27001 certificate. 

ISO 27001 assessments provide organizations with an independent verification of their information security management practices and can help them identify areas for improvement. The certification can also be used to demonstrate to customers, stakeholders, and regulators that the organization takes information security seriously and has implemented appropriate controls to protect its assets.

Essential Eight Assessment

The Essential Eight is a cybersecurity framework developed by the Australian Cyber Security Centre (ACSC) that outlines eight essential strategies for mitigating cyber threats. An Essential Eight assessment is an evaluation of an organization's compliance with these strategies. 

The Essential Eight strategies are: 

  • Application whitelisting - the use of a whitelist to only allow approved applications to run on a system. 
  • Patching applications - keeping software applications up to date with the latest security patches. 
  • Patching operating systems - keeping operating systems up to date with the latest security patches. 
  • Restricting administrative privileges - limiting access to administrative privileges to only those who require them. 
  • Using multifactor authentication - requiring multiple forms of authentication to access systems or data. 
  • Backing up important data - regularly backing up data to protect against data loss due to cyber attacks or other disasters. 
  • Enabling email filtering - filtering out malicious email content to prevent phishing attacks and malware infections. 
  • Blocking macros from email attachments - preventing malicious macros from being executed from email attachments. 

An Essential Eight assessment typically involves a review of an organization's policies, procedures, and technical controls related to these strategies. The assessment is conducted by an independent auditor who is qualified and experienced in cybersecurity. 

The assessment process typically involves the following steps: 

  • Scoping - the auditor works with the organization to identify the scope of the assessment, which includes defining the assets that need to be protected and identifying the systems and applications that are in scope. 
  • Gap analysis - the auditor compares the organization's existing policies, procedures, and controls against the Essential Eight strategies, identifying any gaps or areas for improvement. 
  • Risk assessment - the auditor helps the organization identify and assess the risks to its information assets, based on the likelihood of an event occurring and the potential impact of that event. 
  • Remediation - the organization takes action to address any gaps or deficiencies identified in the assessment, by implementing new policies, procedures, or controls. 
  • Certification - once the organization has addressed any gaps or deficiencies, the auditor conducts a final review to confirm that the organization is compliant with the Essential Eight framework. If the organization meets the requirements of the framework, it is awarded an Essential Eight certification. 

Essential Eight assessments provide organizations with an independent verification of their cybersecurity practices and can help them identify areas for improvement. The certification can also be used to demonstrate to customers, stakeholders, and regulators that the organization takes cybersecurity seriously and has implemented appropriate controls to protect its assets. 

PSPF Assessment 

The Protective Security Policy Framework (PSPF) is a set of security policies and guidelines developed by the Australian Government to protect its people, information, and assets. A PSPF assessment is an evaluation of an organization's compliance with the PSPF. 

The PSPF provides a comprehensive framework for the implementation of physical, personnel, and information security measures. It is applicable to all Australian Government agencies, as well as organizations that work with the government and handle sensitive or classified information. 

A PSPF assessment typically involves a review of an organization's policies, procedures, and controls related to physical security, personnel security, and information security. The assessment is conducted by an independent auditor who is qualified and experienced in security assessment. 

The assessment process typically involves the following steps: 

  • Scoping - the auditor works with the organization to identify the scope of the assessment, which includes defining the assets that need to be protected and identifying the systems and applications that are in scope. 
  • Gap analysis - the auditor compares the organization's existing policies, procedures, and controls against the requirements of the PSPF, identifying any gaps or areas for improvement. 
  • Risk assessment - the auditor helps the organization identify and assess the risks to its information assets, based on the likelihood of an event occurring and the potential impact of that event. 
  • Remediation - the organization takes action to address any gaps or deficiencies identified in the assessment, by implementing new policies, procedures, or controls. 
  • Certification - once the organization has addressed any gaps or deficiencies, the auditor conducts a final review to confirm that the organization is compliant with the PSPF. If the organization meets the requirements of the PSPF, it is awarded a PSPF certification. 

PSPF assessments provide organizations with an independent verification of their security practices and can help them identify areas for improvement. The certification can also be used to demonstrate to customers, stakeholders, and regulators that the organization takes security seriously and has implemented appropriate controls to protect its assets. 

Let's Keep Your Business Safe!
