An IRAP assessment is required when a system stores, processes, or transmits classified Australian Government information and the relevant agency requires the system to be assessed before it becomes operational. For cloud and SaaS providers, PSPF requirement 0109 makes this a standing obligation. This article explains how to confirm whether an IRAP assessment is required, when an IRAP assessor is mandatory, and how long an assessment may take.
Stackform’s journey
Stackform had been building workflow automation software for six years. When a government agency shortlisted the platform for a significant contract, the obligations included a requirement that the vendor must have completed an IRAP assessment of the Stackform application against the ISM at OFFICIAL: Sensitive level within the last 24 months.
The first question James Hartley asked was whether that obligation actually applied to Stackform, or whether it was standard contract language that could be negotiated.
Two conditions that determine whether an IRAP assessment is required
An IRAP assessment is required only when both of the following conditions are true.
- The system stores, processes, or transmits classified Australian Government information
- The agency that owns that classified data requires the system to be IRAP assessed before it becomes operational
What is “classified information”?
In Australia, only a government agency can classify information for the purposes of IRAP. The authoritative source for security classification is the PSPF, which defines four classification levels:
- OFFICIAL: Sensitive
- PROTECTED
- SECRET
- TOP SECRET
Non-government organisations may use their own internal data classification labels or Dissemination Limiting Markers (DLMs). These are not the same as PSPF classifications and do not determine whether an IRAP assessment is required. What matters is how the government agency that owns the data has classified it, not how the service provider labels it internally.
How to confirm whether a system must go through IRAP assessment
Start with the contract or procurement documentation. Check whether it references the Information Security Manual (ISM), the Protective Security Policy Framework (PSPF), or requires an IRAP assessment as a condition of operation. If a contract is still being negotiated or renewed, there may be an opportunity to confirm whether an assessment is a genuine requirement or a default inclusion in a template document.
Speak to the agency security contact directly. Confirming the distinction before committing to a significant piece of work is straightforward and worth doing.
For cloud service providers, the PSPF Secure Cloud Strategy requirement 0109 states that cloud service providers must have had an IRAP assessment within the previous 24 months against the latest ISM at the time of assessment, before government agencies can use their services to process or store government data.
For TOP SECRET systems, only ASD conducts the assessment.

When an IRAP assessor is mandatory versus when other options exist
Not every security assessment against the ISM requires an IRAP assessor. On-premises government systems at SECRET and below can be assessed by either an entity assessor or an IRAP assessor. An entity assessor is someone employed or contracted on an ongoing basis by the organisation to conduct security assessments of its systems.
Entity assessors follow the procedures and processes defined by the organisation and are not bound by IRAP requirements such as independence and adherence to the IRAP assessment process. There are no mandatory experience or skills requirements to be an entity assessor. It is up to the individual organisation to appoint an entity assessor they deem suitable.
For outsourced IT systems, cloud services, and gateways up to SECRET, an IRAP assessor is mandatory. An entity assessor cannot fulfil that obligation.
For Stackform, operating as a SaaS provider handling government data, an IRAP assessor is the only option.
Understanding layered assessments
Stackform is hosted on a major hyperscale cloud provider (e.g., Azure, AWS, GCP). That provider had already completed its own IRAP assessment covering its infrastructure layer. A reasonable but inaccurate assumption is that the cloud infrastructure’s IRAP extends to the PaaS or SaaS layers above it.
IRAP assessments are layered. The cloud infrastructure provider’s assessment covers the infrastructure layer and its responsibilities. A SaaS application sitting on top of that infrastructure needs its own assessment covering the SaaS layer and the controls it is responsible for. Consumers leveraging that SaaS service may then need a third assessment covering their own configuration and use of the service. Each layer is assessed separately and each assessment references the layers beneath it.

Stackform’s assessment needed to cover the SaaS layer specifically, with reference to the cloud provider’s existing assessment for the infrastructure layer beneath it. The cloud provider’s report did not remove that obligation. It informed how Stackform’s assessment would be scoped.
Subcontractors
For organisations operating as subcontractors, check whether the prime contractor’s IRAP assessment already covers the systems in scope. Sometimes it does. Sometimes the prime contractor’s assessment explicitly excludes subcontractor systems. Confirm this in writing rather than relying on an assumption.
If the obligation does not apply
If the system does not handle government classified data and no agency has requested an assessment, an IRAP assessment is probably not required. Though ISO 27001 and SOC 2 certifications do not replace an IRAP report, the evidence base and control maturity that these other frameworks provide can significantly accelerate IRAP readiness if the obligation arises later.
Timing matters
An IRAP assessment for a moderately complex system typically takes 12 to 16 weeks from engagement to final report. That timeline assumes evidence is ready, scope is clear, and the right people are available throughout. Poorly defined scope, unclear shared responsibility, incomplete documents or evidence, and late architectural changes are the most common sources of delay.
Organisations that discover the requirement mid-procurement and begin preparation under deadline pressure routinely exceed that estimate. If a contract or tender includes an IRAP requirement, preparation should begin well before an assessor is engaged.
For Stackform, confirmation that an assessment was required came early enough to prepare properly. Cybernion conducted a thorough assessment and produced a report that helped Stackform’s consumers make informed decisions about operating it.
The next question was understanding what an IRAP assessment actually is, what it produces, and what it does not.
We cover that in What an IRAP assessment is, and what it is not.
Frequently Asked Questions (FAQs)
Do we need an IRAP assessment if we are not a government agency?
Yes, if the system stores, processes, or transmits classified Australian Government information on behalf of a government agency, the obligation applies regardless of whether the operating organisation is a government agency or a private company.
Does our cloud provider’s IRAP assessment cover us?
No. The cloud provider’s assessment covers the infrastructure layer only. A SaaS provider or cloud consumer must have its own assessment covering the controls it is responsible for configuring and managing.
Does ISO 27001 or SOC 2 replace an IRAP assessment?
No. These certifications do not replace an IRAP assessment. ISM controls must still be independently assessed. ISO 27001 and SOC 2 can accelerate readiness by providing reusable evidence and a mature control baseline.
How long does an IRAP assessment take?
Typically 12 to 16 weeks for a moderately complex system, assuming evidence is ready, scope is clearly defined, and the right people are available throughout the assessment.
How often does an IRAP assessment need to be renewed?
Cloud service providers and managed service providers are required to undergo reassessment at least every 24 months. Reassessment may also be required earlier if there are material changes to the assessed system.
Sources:
- ASD IRAP Consumer Guide, July 2025
- IRAP Common Assessment Framework, April 2025
- Australian Government Security Classification System and Requirement 0109, PSPF 2025
The names of the organisations and individuals have been changed to protect their privacy. The situations described are based on real patterns observed across Australian government and enterprise environments.
Last updated: 05 June, 2026
Cybernion has helped multiple organisations with IRAP readiness and assessments.
Talk to us. We aren’t always chasing a transaction.
