What an IRAP assessment is, and what it is not

An IRAP assessment is an independent, evidence-based evaluation of a specific system’s security controls, conducted by an ASD-endorsed assessor against the current version of the Information Security Manual. It produces two documents: the IRAP Security Assessment Report and the Controls Matrix. It does not produce a certificate, an accreditation, or an authorisation to operate. The assessor evaluates what is implemented and reports on findings and recommendations. The decision to authorise the system rests with the system authoriser, not the assessor.


Stackform’s journey

Stackform had confirmed the obligation. An IRAP assessment was required before the platform could be used by the agency to process classified data. James’s next question to Cybernion was straightforward: what exactly are we getting ourselves into?

This question must be answered carefully, because misunderstanding what an IRAP assessment produces, and what it does not, leads to misaligned expectations, poorly prepared submissions, and authorisation packages that get returned.

What an IRAP assessment is

An IRAP assessment is an independent security assessment of a specific system, conducted by an ASD-endorsed assessor, that evaluates whether the security controls implemented in the system are operating effectively against the intent of the relevant controls in the Information Security Manual. The ISM is published and updated by ASD every quarter.

The assessment is conducted for a specific system handling classified information, not for the organisation operating or managing it. Stackform as a company was not being assessed. The specific platform that would store and process the agency’s classified data was being assessed. Different systems within the same organisation handling classified information at different classification levels may each need their own separate assessment.

The main deliverables of an IRAP assessment are two documents. The first is the IRAP Security Assessment Report, or the IRAP Cloud Security Assessment Report for cloud services. This is intended to be read by authorising officers, system owners, and risk owners. The second is the Controls Matrix or Cloud Controls Matrix, which is intended to be read by technical personnel and system administrators responsible for integrating the assessed system into their organisation. Both documents are produced by the assessor and provided to the assessed entity on completion.

For TOP SECRET systems, only ASD conducts the assessment.

The ISM version used in the assessment

IRAP assessors must use the latest version of the ISM available at the time the assessment begins. If a new version is released during the assessment, the assessor and the organisation may agree to switch to it. An assessment must not fall more than one version behind the current ISM. If two ISM releases occur during the assessment, the assessor must switch to the latest version. ASD publishes the ISM quarterly, typically in March, June, September, and December.

What an IRAP assessment is not

  1. It is not a certification. There is no IRAP certificate issued at the end of the process. A system does not become IRAP certified. The assessment produces a point-in-time report against the latest version of the ISM. Some vendors use the phrase “IRAP certified” in their marketing. That phrase has no formal meaning under the framework and its use is not permitted under ASD’s brand and marketing guidelines.
  2. It is not an ongoing accreditation. The assessment reflects the state of the system at the time it was conducted. If the system changes materially afterward, the report may no longer accurately represent its security posture. Cloud service providers and managed service providers are required to undergo reassessment at least every 24 months.
  3. It does not guarantee authorisation to operate. A completed assessment does not mean the system has been approved to handle classified information. The system authoriser reviews the report, considers the residual risks, and makes that decision independently. Agencies have declined to authorise systems that have completed IRAP assessments.
  4. It is not a one-size-fits-all exercise. The scope, depth, and applicable ISM controls vary depending on the classification of information the system handles and the nature of the system itself.
  5. IRAP assessors do not accredit, certify, endorse, or register systems on behalf of ASD, the assessed entity, or the consuming agency. They also do not provide a recommendation on whether a system should be authorised to operate. That decision sits with the system authoriser.

Who can conduct an IRAP assessment

IRAP assessors are cybersecurity professionals endorsed by ASD. To become an IRAP assessor, an individual must be an Australian citizen, hold at minimum a Negative Vetting Level 1 security clearance issued by the Australian Government Security Vetting Agency (AGSVA), hold recognised qualifications across two categories covering certifications such as CISSP, CISM, CISA, and CRISC, and have a minimum of five years of experience in information security roles using Australian security frameworks including the ISM and PSPF.

They must also complete ASD’s IRAP training course and pass all assessment components, with a minimum exam pass mark of 80 percent.

IRAP assessors are not employees or contractors of ASD. They are independent professionals who have met ASD’s endorsement requirements. ASD maintains a register of current IRAP assessors on cyber.gov.au.

The conflict of interest requirement

Before commencing an assessment, the IRAP assessor must submit a Conflict of Interest declaration to ASD at least seven business days before the assessment begins. An IRAP assessor cannot have contributed to the design, implementation, or documentation of the system being assessed. This includes drafting system documentation, conducting gap assessments, providing design recommendations, or having a material interest in the system. IRAP assessors who are permanent employees of an organisation cannot conduct IRAP assessments for that organisation regardless of their level of involvement in the design of the system.

If a conflict of interest arises during the assessment, the assessor must update their declaration immediately. In the case of a real conflict, the assessor must stop work until ASD has reviewed the declaration and any proposed mitigations.

How to correctly describe a completed assessment

ASD is explicit on the approved terminology for marketing a completed assessment. The correct framing is: “Organisation X has completed an IRAP assessment for System X against the Information Security Manual’s classification level controls.” Stating or implying that a system is IRAP certified, IRAP approved, or authorised by ASD or the Australian Government is not accurate and not permitted. The specific services or system assessed must also be clearly identified.

For Stackform, this clarity mattered from a commercial perspective as much as a compliance one. The platform’s marketing materials had referred to the upcoming assessment as a certification process. That language was corrected early. The next question was what classification level applied to the agency’s data, and what that would mean for how the assessment was scoped and what Stackform would need to have in place before it could begin.

We cover that in the next article, “What does information classification mean for IRAP?”.


Frequently Asked Questions (FAQs)

What does an IRAP assessment produce?

Two documents: the IRAP Security Assessment Report, intended for authorising officers and risk owners, and the Controls Matrix or Cloud Controls Matrix, intended for technical personnel responsible for integrating the assessed system. Both are produced by the assessor and provided to the assessed entity on completion.

Does completing an IRAP assessment mean our system is approved to handle government data?

No. A completed assessment gives the system authoriser the information needed to make an authorisation decision. Agencies have declined to authorise systems that have completed IRAP assessments. The assessment does not guarantee, imply, or substitute for authorisation.

Can our assessor recommend whether our system should be authorised?

No. IRAP assessors report on findings and make recommendations to improve security posture. They do not rate risks on behalf of the assessed entity or government agency, and they do not make a recommendation on whether the system should be authorised. That decision sits entirely with the system authoriser.

What version of the ISM applies to our assessment?

The latest version available at the time the assessment begins. If a new version is released mid-assessment, the assessor and organisation may agree to switch. If two ISM releases occur during the assessment, the assessor must switch to the latest version and conduct a delta assessment against it.

What disqualifies someone from acting as our IRAP assessor?

An assessor cannot have contributed to the design, implementation, or documentation of the system being assessed. This includes gap assessments, design recommendations, and drafting system documentation. Permanent employees of an organisation cannot assess that organisation’s own systems.

Corporate affiliations, material financial interests, and personal relationships that could influence the assessment must also be declared. If any conflict arises during the assessment, the assessor must update their declaration immediately and may need to stop work until ASD has reviewed it.


Sources:

  1. ASD IRAP Consumer Guide, July 2025
  2. IRAP Common Assessment Framework, April 2025
  3. IRAP Policy and Procedures, June 2026

The names of the organisations and individuals have been changed to protect their privacy. The situations described are based on real patterns observed across Australian government and enterprise environments.

Last updated: 05 June, 2026
