Choosing an IRAP assessor starts with the ASD register of endorsed assessors on cyber.gov.au, but the register is a starting point, not a selection criterion. All registered assessors meet ASD’s minimum requirements. What varies is their technical depth, familiarity with your environment, independence from your system, and availability. Selecting the wrong assessor can affect the quality of the report, the credibility of the authorisation package, and the timeline of the entire engagement.
Stackform’s journey
With classification confirmed and the obligation clear, Stackform needed to engage an IRAP assessor. ASD does not recommend assessors to potential clients and neither should Cybernion, given that an assessor who had been involved in readiness work could not then conduct the assessment. The right assessor for Stackform would need to be identified through due diligence, not referral.
Start with the ASD register
ASD maintains a publicly available register of endorsed IRAP assessors on cyber.gov.au. An assessor not on the register is not endorsed and cannot conduct a valid IRAP assessment. This is the starting point, not the endpoint.
All assessors on the register have met ASD’s minimum endorsement requirements:
- Australian citizenship,
- a minimum Negative Vetting Level 1 security clearance,
- recognised qualifications across two certification categories,
- a minimum of five years of experience in information security roles using Australian security frameworks, and
- completion of the IRAP training course and a pass in all assessment components.

What to look for beyond the register listing
Meeting those minimum requirements does not mean every assessor is equally suited to every system. Experience varies significantly across system types, environments, and classification levels.
- Relevant technical experience: An IRAP assessment requires the assessor to evaluate technical controls across infrastructure, networking, identity, cryptography, and cloud architecture depending on the system in scope. Ask for examples of assessments conducted on systems similar in technology stack, architecture, and classification level to yours. General security consulting experience is not a substitute for hands-on assessment experience in the relevant environment.
- Familiarity with the operating environment: Cloud and SaaS assessments have specific scoping considerations that differ from on-premises systems. Where an assessor does not have a sound technical understanding of a component or technology within the assessed system, they must be supported by a security assessment team with the relevant expertise. Understanding whether a proposed assessor has that depth directly, or will need to build a team around gaps, affects timeline and cost.
- Independence: An IRAP assessor cannot have contributed to the design or implementation of the system being assessed. This includes drafting system documentation, conducting a gap assessment, providing design recommendations, or holding a material interest in the system. Permanent employees of an organisation cannot assess that organisation’s own systems. Confirm independence before engaging. An assessor involved in readiness work on the same system cannot then assess it as an IRAP assessor.
- Availability and timeline alignment: IRAP assessors operate as independent professionals or within consulting firms. Confirm the assessor can commit to the assessment within the required timeframe and ask how they handle ISM version changes if a quarterly release occurs mid-engagement.
- Team composition for complex systems: Multiple IRAP assessors may work on a single assessment. Where that is the case, each assessor must submit their own Assessment Record and Conflict of Interest declaration to ASD at least seven business days before the assessment begins, and each must sign off on the final report. Understand who leads the assessment and who supports it, and confirm the relevant experience of each team member.
The conflict of interest declaration
Before commencing any assessment, the IRAP assessor must submit a Conflict of Interest declaration to ASD via the ACSC Partner Portal at least seven business days before the assessment begins. This applies whether or not a conflict exists. ASD reviews the declaration and any proposed mitigations. The assessment must not proceed if ASD determines those mitigations are insufficient.
If a conflict arises during the assessment, the assessor must update the declaration immediately. If a real conflict exists, the assessor must stop work until ASD has reviewed the updated declaration. Failure to declare is a breach of the IRAP Assessor Agreement and may result in revocation of endorsement.

Using a Request for Quote
ASD’s IRAP Consumer Guide includes an RFQ template in Appendix A for engaging an IRAP assessor. It covers scope of work, assessor requirements, timeline, security clearance requirements, and submission format. Adapting it to the specific system being assessed gives the engagement a structured foundation and makes it easier to compare responses across assessors.
What ASD will and will not do
ASD maintains the assessor register and governs the program. ASD will not recommend any specific IRAP assessor to potential clients and is not involved in commercial arrangements between assessors and their clients. Commercial disputes are outside the scope of the program. ASD’s role is quality assurance and program governance.
What this meant for Stackform
Stackform used the ASD register as the starting point, filtered for assessors with cloud and SaaS experience at OFFICIAL: Sensitive level, and issued a tailored RFQ based on the ASD template. The selected assessor had no prior involvement with Stackform’s systems, held the required clearance, and had assessed comparable SaaS platforms in the Australian Government market.
With an assessor engaged, the next step was defining precisely what the assessment would cover.
We cover that in How to define IRAP Assessment Boundary.
Frequently Asked Questions (FAQs)
Where do I find a list of IRAP assessors?
ASD maintains a register of endorsed IRAP assessors on cyber.gov.au. Only assessors on the register hold active ASD endorsement. An assessor not on the register cannot conduct a valid IRAP assessment.
Does it matter who we choose as IRAP assessor?
Yes. All registered assessors meet ASD’s minimum requirements, but experience varies significantly. Technical depth, familiarity with your system type, and independence from your environment all affect the quality and credibility of the final report.
What disqualifies someone from being our IRAP assessor?
An assessor cannot have contributed to the design, implementation, or documentation of the system being assessed. This includes gap assessments, design recommendations, and drafting system documentation. Permanent employees of an organisation cannot assess that organisation’s own systems. Material financial interests and corporate affiliations must also be declared.
Do we need to run a formal procurement process to engage an assessor?
ASD’s Consumer Guide includes an RFQ template in Appendix A. Using it gives the engagement a structured foundation and makes comparing assessors straightforward.
What happens if our assessor has a conflict of interest mid-assessment?
The assessor must update their Conflict of Interest declaration immediately. If a real conflict exists, they must stop work until ASD has reviewed the updated declaration and determined whether the assessment can continue.
Sources:
- ASD IRAP Consumer Guide, July 2025
- IRAP Common Assessment Framework, April 2025
- IRAP Policy and Procedures, June 2026
- IRAP assessors list
The names of the organisations and individuals have been changed to protect their privacy. The situations described are based on real patterns observed across Australian government and enterprise environments.
Last updated: 05 June, 2026
