IRAP Assessment in Australia: Process, Requirements and What to Expect

Blog

First Published: February 6, 2026

IRAP assessment in Australia is an independent security evaluation mandated by the Australian Signals Directorate (ASD). It verifies that systems processing government-classified information meet the security controls outlined in the Information Security Manual (ISM). For organisations supplying services to Commonwealth agencies, defence contractors, or critical infrastructure operators, understanding what the process involves is the essential first step before engaging an assessor or beginning remediation work.

This guide explains what IRAP assessment requires, who needs it, how the process unfolds, and what to look for in an assessor. Organisations seeking structured support from gap analysis through to certification can explore CyberPulse’s IRAP assessment services in Australia.

What Is IRAP Assessment?

IRAP assessment is an evidence-based security evaluation conducted by ASD-registered assessors. Its purpose is to verify that an organisation’s systems and controls meet ISM requirements before those systems are used to process, store, or transmit PROTECTED government information.

The Infosec Registered Assessors Program (IRAP) establishes qualification standards and independence requirements for assessors. Importantly, assessors cannot provide remediation consulting to organisations they assess. This independence is central to assessment integrity.

IRAP assessments evaluate three classification tiers. PROTECTED systems require baseline controls for information that, if compromised, could cause limited damage. SECRET systems require enhanced controls. TOP SECRET systems require the most stringent protections available.

Who Needs IRAP Assessment in Australia?

Commonwealth government agencies managing systems that process PROTECTED information must obtain IRAP assessment. This requirement extends to state and territory agencies collaborating on national security initiatives.

Defence industry contractors require IRAP assessment when handling classified defence information, regardless of contract size. Critical infrastructure operators in energy, water, transport, telecommunications, and healthcare increasingly pursue it, either to meet contractual obligations or to qualify for government procurement opportunities.

Cloud service providers targeting government customers must obtain IRAP assessment for their infrastructure and service offerings. Customer-specific implementations require separate assessment even where major providers such as AWS and Azure hold existing IRAP-assessed services.

Commercial organisations also pursue IRAP assessment as competitive differentiation, particularly when bidding for government contracts where assessed status is a requirement or evaluation criterion. Organisations uncertain whether their situation triggers an assessment obligation should seek specialist IRAP advisory support before committing to a timeline.

The IRAP Assessment Process: Five Phases

Understanding the assessment lifecycle helps organisations allocate resources appropriately and set realistic timelines.

Phase 1: Pre-Assessment Preparation and Scoping

Assessment preparation begins with defining scope. Organisations must identify which systems, networks, data flows, and physical locations fall within the assessment boundary. Classification level determines which ISM controls apply.

An internal gap analysis against ISM requirements should precede assessor engagement. Organisations that assess their own controls first avoid costly surprises during the formal evaluation. Establishing Essential Eight maturity is a practical prerequisite at this stage. Organisations without mature patching, access controls, and application hardening typically face extensive remediation before assessment can proceed. CyberPulse’s IRAP assessment programme includes Essential Eight readiness as a foundation-building step before the formal process begins.

Assessor selection also occurs during preparation. Evaluating sector experience, methodology, and technology stack alignment at this stage avoids delays later.

Phase 2: Evidence Gathering and Documentation

Assessors issue evidence requests covering policies, procedures, configuration standards, and operational records. Technical evidence includes firewall configurations, identity and access management settings, encryption implementations, and logging configurations. Administrative evidence encompasses security policies, training records, access review logs, and incident response procedures.

Common issues at this stage include outdated documentation that does not reflect current implementations, and evidence scattered across multiple systems without centralised management. Both slow assessment progress significantly.

Phase 3: On-Site Assessment Activities

On-site assessment typically spans three to five days depending on scope. Assessors conduct stakeholder interviews, review configurations, and compare actual system settings against ISM requirements. Discrepancies between documented policies and operational reality constitute findings requiring remediation.

Vulnerability scanning and penetration testing occur where ISM controls mandate such activities. Physical security inspections apply when systems process PROTECTED data in physical facilities.

Phase 4: Findings and Remediation

Assessors classify gaps as non-conformances or observations. Non-conformances represent critical failures to meet ISM control requirements and must be remediated before certification proceeds. Observations identify minor weaknesses that do not prevent certification but warrant attention.

Most organisations require four to eight weeks for remediation. During this period, assessors remain available for clarification but cannot provide implementation guidance, maintaining their independence. Re-assessment of critical findings occurs once remediation is complete.

Phase 5: Certification and ASD Submission

The assessor issues a certification report documenting scope, methodology, findings, and residual risks. This report is submitted to both the assessed organisation and ASD. Upon ASD approval, the organisation receives a certification letter valid for two to three years for PROTECTED systems, after which full re-assessment is required.

Ongoing compliance obligations begin immediately after certification. Organisations must maintain implemented controls and conduct annual compliance reviews. Many organisations engage managed IRAP compliance support to handle continuous evidence collection between formal re-assessment cycles rather than building that capability internally.

IRAP Assessment Requirements: Key ISM Control Areas

The ISM structures controls across governance, physical security, personnel security, communications security, and system security. The Essential Eight forms the minimum technical baseline for PROTECTED systems, covering application control, patching, multi-factor authentication, administrative privilege restrictions, user application hardening, backups, and network segmentation.

Technical controls include encryption, network segmentation, endpoint detection and response, security monitoring, and identity and access management. Administrative controls encompass security governance frameworks, documented policies, awareness training, incident response plans, and third-party risk management.

Most PROTECTED assessments focus on 150 to 250 applicable controls based on system characteristics and data sensitivity. Evidence requirements vary by control type. For access control, assessors expect identity and access management configurations, access review logs, and privileged account management evidence. For incident response, assessors review documented playbooks, tabletop exercise records, and incident logs.

How to Choose the Right IRAP Assessor

Organisations select their own assessor from the ASD public register. ASD does not assign assessors. This flexibility allows evaluation based on sector experience, technical expertise, availability, and cost.

Credentials and Registration

All legitimate IRAP assessors appear on the ASD public register. Verify registration before engagement. Common credentials include CISSP, CISA, and CISM. Background security clearances appropriate to the classification level being assessed are mandatory.

Sector and Technology Expertise

Assessor experience should match your organisational context. Cloud-native organisations need assessors fluent in AWS, Azure, or GCP. Organisations operating operational technology benefit from assessors with industrial control system experience. Government agencies benefit from assessors familiar with Commonwealth security policy environments.

Assessment Methodology

Structured assessment approaches produce consistent results. Assessors should articulate a clear methodology. Evidence management systems that provide real-time visibility into progress improve project transparency and reduce administrative burden.

Timeline and Availability

Lead times for established assessors typically extend four to eight weeks. Organisations with specific certification deadlines must account for assessor availability when planning. Responsiveness throughout the assessment lifecycle affects project efficiency.

Cost and Fee Structure

IRAP assessment fees typically range from AUD 25,000 to AUD 80,000 depending on scope and complexity. Total programme costs including remediation often reach AUD 100,000 to AUD 300,000 for organisations implementing controls from a low baseline. Fixed-price engagements provide budget certainty. Time-and-materials arrangements offer flexibility for complex or evolving scopes.

Red Flags

Treat the following as caution signals: unwillingness to provide references or ASD registration details, pressure to engage in remediation consulting, unrealistically short timelines, and lack of sector-specific experience.

IRAP Assessment Timeline: What to Plan For

Well-prepared organisations complete IRAP assessment in 12 to 16 weeks, covering pre-assessment preparation, on-site assessment, remediation, and certification finalisation. Organisations requiring significant remediation should plan for 20 to 24 weeks. Those starting from low security maturity may require six to nine months before assessment commences.

Underestimating preparation time is the most common planning failure. Organisations should begin preparation six to nine months before target certification dates to avoid deadline pressure during remediation. Engaging an experienced IRAP advisory partner at the planning stage significantly reduces timeline risk by identifying control gaps before the formal process begins.

How IRAP Relates to Other Australian Compliance Frameworks

IRAP assessment and ISO 27001 share approximately 60 to 70 percent control overlap, but they serve different purposes. IRAP prescribes specific ISM controls and is mandatory for government-related systems. ISO 27001 allows risk-based control selection and is internationally recognised for commercial purposes. Organisations serving both government and commercial customers often pursue both, with assessment programmes structured to reduce duplication across the two.

The Essential Eight forms a subset of ISM requirements. Achieving Maturity Level 3 is a practical prerequisite for IRAP success. Organisations without mature Essential Eight implementations consistently face the longest remediation periods. SOC 2 has minimal overlap with IRAP because the two follow different control philosophies, but both make sense for cloud service providers serving diverse customer bases.

Preparing for IRAP Assessment: 90-Day Readiness Activities

Organisations beginning preparation should prioritise the following in the first 90 days: internal gap analysis against ISM controls, executive sponsorship and governance structure establishment, Essential Eight implementation and maturity validation, policy and procedure documentation updated to reflect ISM requirements, and technical control deployment covering multi-factor authentication, encryption, security logging, and vulnerability management.

Access reviews confirming appropriate user access and a mock assessment before formal engagement significantly improve efficiency and reduce findings during the official evaluation. Organisations that treat mock assessments as optional typically encounter more non-conformances and longer remediation periods.

Summary

IRAP assessment in Australia is a structured, evidence-based process that verifies compliance with ASD’s Information Security Manual. Success depends on preparation quality, assessor selection, and the discipline to maintain controls throughout the certification lifecycle. Organisations that approach IRAP assessment as an ongoing compliance commitment rather than a one-off project achieve certification more efficiently and sustain it more reliably.

For structured support across every stage, from initial gap analysis through to certification and ongoing compliance management, speak with CyberPulse’s IRAP assessment team.

Frequently Asked Questions About IRAP Assessment

How long does IRAP assessment take in Australia?

Well-prepared organisations complete the process in 12 to 16 weeks. Organisations requiring significant remediation should plan for 20 to 24 weeks or longer.

How much does IRAP assessment cost?

Assessor fees typically range from AUD 25,000 to AUD 80,000. Total programme costs including remediation often reach AUD 100,000 to AUD 300,000 depending on the organisation’s starting position.

What is the difference between IRAP assessment and ISO 27001?

IRAP evaluates compliance with ASD’s ISM and is mandatory for organisations handling PROTECTED government data. ISO 27001 is an international risk management standard. Control overlap is approximately 60 to 70 percent, but they serve different purposes and customer bases.

Do I need Essential Eight compliance before IRAP assessment?

Achieving Essential Eight Maturity Level 3 is a practical prerequisite. Organisations without mature implementations consistently face extended remediation periods.

Can I choose my own IRAP assessor?

Yes. Organisations select their assessor from the ASD public register. ASD does not assign assessors. Evaluation should cover sector experience, technology expertise, methodology, availability, and cost.

How often is IRAP re-assessment required?

PROTECTED system certifications typically remain valid for two to three years. SECRET and TOP SECRET systems require more frequent assessment, typically annually or every 18 months. Annual compliance reviews are required between formal re-assessments.

Can cloud services be IRAP assessed?

Yes. Major providers including AWS and Azure hold IRAP-assessed services, but customer-specific implementations require separate assessment. Provider-level certification does not automatically extend to customer deployments.
