IRAP Readiness and Assessment Preparation

Structured preparation for organisations approaching an IRAP assessment for the first time, or preparing for reassessment.

We help SaaS, cloud and technology providers prepare for IRAP assessment by clarifying scope, information classification, ISM applicability, supplier responsibilities, evidence gaps, RACI and remediation priorities before the external assessment.

Why preparation matters?

Arriving at an IRAP assessment without adequate documentation, clear scope definition, or evidence-mapped controls extends timelines, increases cost, and produces findings that could have been resolved beforehand. Many organisations discover gaps during the assessment itself rather than before it — at the point when addressing them is most disruptive.

IRAP readiness preparation closes that gap. It is not an assessment. It is the structured work that reduces avoidable delay, evidence rework and assessment uncertainty.

Who needs to prepare for an IRAP assessment?

Organisations approaching their first IRAP assessment who are unfamiliar with ISM requirements or what evidence an assessor will need to see. Technology companies building government-facing platforms who need to understand what controls will be assessed before design and build decisions are locked in. Organisations preparing for reassessment after significant system changes, a new classification target, or a gap in maintenance of their previous evidence package. Agencies procuring a new system and wanting to understand what their vendor will need to demonstrate before the assessment begins.

What readiness preparation includes?

1. Pre-assessment gap analysis. A structured review of your current security controls, documentation, and evidence against the relevant ISM requirements for your system’s target classification level. We identify what is in place, what is partial, and what is missing before the formal assessment begins.
2. Scope definition support. Assistance defining your authorisation boundary, identifying which ISM controls apply to your system, and documenting the rationale for any controls assessed as not applicable.
3. Evidence preparation guidance. A clear picture of what evidence is required for each applicable control, how to structure it, and how to organise your evidence package so an assessor can work through it efficiently.
4. Control remediation guidance. Prioritised recommendations for addressing identified gaps before the assessment. We work with your technical and security teams to resolve deficiencies rather than simply documenting them.
5. Pre-assessment readiness review. A final review of your evidence package and control documentation before the formal assessment begins. This reduces the likelihood of findings that extend the assessment timeline or require remediation work mid-assessment.

What you receive?

1. Gap analysis report documenting your current ISM control coverage against your target classification level, with findings rated by assessment risk and recommended actions.
2. Evidence checklist tailored to your system scope, mapping each applicable ISM control to the specific evidence an assessor will expect to see.
3. Remediation plan with prioritised actions, effort estimates, and recommended sequencing before your assessment date.
4. Readiness summary confirming which controls are assessment-ready and which require further work, suitable for sharing with your assessment team or agency stakeholder.

Timeline

Typically 6 to 8 weeks depending on the size of your system boundary, the maturity of your existing documentation, and the availability of your technical team.

Pricing

Priced based on system complexity and documentation maturity. Contact us to discuss your scope and we will respond with a proposal within one business day.