ISM-1793

Managed service providers and their non-classified, OFFICIAL: Sensitive, PROTECTED and SECRET managed services undergo an Infosec Registered Assessor Program (IRAP) assessment, using the latest release of the ISM available prior to the beginning of the IRAP assessment (or a subsequent release), at least every 24 months.

Topic: Assessment of managed service providers
Applicable to: Non Classified, Official, Protected, Secret

History

Dec 2024
Managed service providers and their non-classified, OFFICIAL: Sensitive, PROTECTED and SECRET managed services undergo an Infosec Registered Assessor Program (IRAP) assessment, using the latest release of the ISM available prior to the beginning of the IRAP assessment (or a subsequent release), at least every 24 months.
The existing control recommending that managed service providers and their managed services undergo a security assessment by an IRAP assessor at least every 24 months was amended to specify that this recommendation relates to non-classified, OFFICIAL: Sensitive, PROTECTED and SECRET managed services. In addition, the recommendation was amended to specify that the latest release of the ISM available prior to the beginning of the IRAP assessment (or a subsequent release) needs to be used.
Sep 2022
Managed service providers and their managed services undergo a security assessment by an IRAP assessor at least every 24 months.
A new control (ISM-1793) was added covering managed service providers and their managed services being assessed by Infosec Registered Assessor Program (IRAP) assessors, as per recent changes to Policy 11 of the Attorney-General’s Department’s Protective Security Policy Framework (PSPF). The assessment timeframe for this control was set to ‘at least every 24 months’ to mirror recommendations for outsourced cloud service providers (ISM-1570).