Information Security Registered Assessment

The Agency is seeking a qualified IRAP Assessor to evaluate the information security measures of the BuyICT Platform and confirm alignment with Australian Government standards. The Assessor will conduct an independent review of the system’s security posture, identify vulnerabilities, and provide recommendations to address associated risks in accordance with the Australian Government Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF).

Key responsibilities include:

• Reviewing BuyICT security practices, policies, and controls to verify compliance with regulatory and accreditation requirements.
• Identifying security vulnerabilities and proposing mitigation strategies where controls are not effective.
• Conducting risk assessments to determine exposure to cybersecurity threats and recommending appropriate mitigations.
• Verifying that assessed security controls are implemented and operating effectively.
• Preparing reports and recommendations to support system accreditation, including presentation of findings to Agency stakeholders.

Key deliverables include:

• IRAP Security Assessment and Compliance Report.
• IRAP Assessor Statement.
• Security Risk Assessment in accordance with the Agency’s System Accreditation Framework.
• Final presentation of findings to Agency stakeholders.

Skills and qualifications required:

• Certification by the Australian Signals Directorate as an IRAP Assessor.
• NV1 security clearance (minimum).
• Meets SFIA Level 5 Specialist Advice requirements.
• Relevant experience and qualifications in ICT, security assessment, and risk management, with detailed knowledge of ASD’s ISM.
• Demonstrated experience conducting IRAP assessments of cloud-based (SaaS) environments.
• Strong analytical skills and effective communication skills to engage with both technical and non-technical stakeholders.