Managed service providers and their managed services undergo a security assessment by an IRAP assessor at least every 24 months.
Topic
Assessment of managed service providers
Applicable to
all
History
Sep 2022
Managed service providers and their managed services undergo a security assessment by an IRAP assessor at least every 24 months.
A new control was added covering managed service providers and their managed services being assessed by Infosec Registered Assessor Program (IRAP) assessors – as per recent changes to Policy 11 of the Attorney-General’s Department’s Protective Security Policy Framework (PSPF) (ISM-1793). The assessment timeframe for this control was set to ‘at least every 24 months’ to mirror recommendations for outsourced cloud service providers (ISM-1570).