APSC2621 - ASD endorsed IRAP Assessor - APSED Platform and Database

The Commission seeks to engage an ASD-endorsed IRAP Assessor to deliver a comprehensive security assessment of the APSCData network, APSED database and its supporting infrastructure. This includes the hosting platform, backup arrangements, and any related IT or operational technology components across both production and development environments.

The objective of this engagement is to obtain a formal IRAP Assessment Report that enables the Commission to make an informed, risk-based decision about the system’s suitability for processing and storing Australian Government data, in alignment with the Protective Security Policy Framework (PSPF) and the Australian Government Information Security Manual (ISM).

The IRAP assessment will assess the effectiveness of controls built into the environment, and identify security risks and vulnerabilities, allowing the Commission to provide mitigation measures against any identified risks that exceed the Commissions tolerance.

The IRAP assessment will:

• Evaluate the effectiveness of implemented security controls.
• Identify risks, vulnerabilities, and control deficiencies.
• Recommend mitigation strategies for risks exceeding the Commission’s tolerance.

The supplier must outline:

• Their assessment approach and methodology.
• Key activities, milestones and timelines.
• Stakeholder engagement strategy.
• Evidence collection and validation process.
• Report structure and content.
• Post-assessment support including responses to ASD or other government queries.

The final deliverable must include:

• A detailed IRAP Assessment Report using the appropriate IRAP and/or Cloud Security template.
• Supporting evidence for ASD quality assurance.
• Clear articulation of control effectiveness, gaps and recommended remediation actions.

The successful supplier must ensure the nominated Assessor is listed on the ASD-endorsed IRAP Assessors list available via https://www.cyber.gov.au.