IRAP, the Infosec Registered Assessors Program, is run by the Australian Signals Directorate. An IRAP assessor independently assesses a specific system against the Information Security Manual and reports its strengths, weaknesses and residual risks. It is an assessment, not a certification, and the agency that consumes the system makes the decision to authorise it.
This guide answers the questions providers and agencies ask about IRAP, in the order they usually come up: whether you need an assessment, what it produces, what it costs and how long it takes, how it sits alongside ISO 27001, and what happens from scoping through to the authorisation decision and beyond. Each section gives you the short answer and links to the detailed article where there is more to say.
Do you need an IRAP assessment?
You need one when two things are true at once: your system stores, processes or transmits classified Australian Government information, and the agency that owns that information requires the system to be assessed before it goes live. One without the other is not enough. For cloud and SaaS providers the bar is firmer, because PSPF requirement 0109 expects an IRAP assessment within the previous 24 months before an agency uses the service. The trigger is the buyer and the data, not the size of your company, so a small SaaS vendor handling PROTECTED data carries the same obligation as a hyperscaler. The full decision path, including layered assessments and subcontractor cases, is in Do you need IRAP to sell to government.
Source: ASD IRAP Consumer Guide, July 2025; PSPF requirement 0109.
What an IRAP assessment is, and what it is not
It is an independent, point in time assessment of one system against the ISM, carried out by an ASD endorsed assessor. It produces two documents, the assessment report and the control matrix. It is not a certification, there is no pass mark, and a clean assessment does not by itself approve anything. The authorising officer in the consuming agency reads the report, weighs the residual risks, and decides whether to authorise the system to operate. The detail is in What an IRAP assessment is, and what it is not.
What classification level applies?
The agency that owns the data sets its classification, not the provider, and it has to be confirmed before any scoping decision is made. The ISM control set is the same at OFFICIAL: Sensitive and PROTECTED. What changes are the physical security, personnel clearance and network obligations, which grow at PROTECTED and add to the evidence the assessor reviews. Getting this wrong is expensive, because the classification drives both the scope and the cost. More is in What information classification means for IRAP.
How much does it cost?
As a rough budgeting guide, an IRAP assessment usually falls into these ranges:
- A simple OFFICIAL: Sensitive or PROTECTED system: $30,000 to $40,000
- A moderately complex OFFICIAL: Sensitive or PROTECTED system: $40,000 to $60,000
- A highly complex OFFICIAL: Sensitive or PROTECTED system: $60,000 to $100,000 or more
- A SECRET system: roughly $10,000 to $20,000 above the equivalent range for the same complexity
Four factors determine the figure: the information classification, the systems in scope, how mature the relevant documentation and processes are, and the level of support available during the assessment. Treat these ranges as indicative only; the accurate figure always comes from a scoped quote.
The drivers are broken down in IRAP assessment cost.
How long does it take, and how often?
A moderately complex assessment usually runs 12 to 16 weeks from engagement to final report, assuming evidence is ready, scope is clear and the right people are available throughout. Poorly defined scope, unclear shared responsibility and late architectural changes are the usual causes of delay. The authorisation that follows is not permanent. Cloud providers reassess within 24 months under PSPF requirement 0109, and any material change to the system can trigger an earlier review.
IRAP or ISO 27001?
They are complementary, not interchangeable. ISO 27001 certifies your information security management system and is recognised internationally; IRAP assesses one specific system against the ISM for Australian Government use. There is meaningful overlap, often put at around 60 to 70 per cent at the control intent level, so a mature ISO 27001 program is genuine preparation for IRAP. What you cannot do is substitute the certificate for the assessment. The comparison, and what evidence you can reuse, is in IRAP vs ISO 27001.
Choosing an assessor, and the independence rule
Start with the ASD register of endorsed assessors, but treat it as a starting point, not a selection criterion. Every registered assessor meets ASD’s minimum bar; what varies is technical depth, familiarity with your environment, independence and availability. Independence is not optional. An IRAP assessor cannot have contributed to the design, build or documentation of the system they assess, and they lodge a conflict of interest declaration with ASD at least seven business days before the assessment begins. How to choose well is in How to choose an IRAP assessor.
Defining the assessment boundary
The boundary is the set of systems, people, processes and technologies that will be assessed. The assessor defines it and agrees it with you before substantive work begins. A tight, well defined boundary keeps the control count and the cost down; a broad one inflates both, which is why the boundary is the single biggest lever you control. See How to define the IRAP assessment boundary.
Preparing for the assessment
Preparation is the work you do before the assessor arrives: current documentation, gathered evidence, and the right people available. Expect to have a System Security Plan and SSP annex, a Security Risk Management Plan, a continuous monitoring plan and an incident response plan in place. Organisations that arrive without this groundwork stretch the timeline and create evidence gaps the assessor has to record as constraints. A readiness review finds and closes ISM gaps before the assessment clock starts. See How to prepare for an IRAP assessment.
The four stage process
The assessment runs in four stages from the IRAP Common Assessment Framework: plan and prepare, define the boundary, assess the controls against the ISM, and produce the report. The assessor leads each stage; your job is access, documentation, evidence and people. The stage by stage detail is in How the IRAP assessment process works.
The report and the control matrix
You receive two documents. The assessment report sets out the system’s strengths, weaknesses and residual risks for the authorising officer. The control matrix, a derivative of the System Security Plan annex, records the implementation status of each applicable ISM control with the justification. Together they give the agency what it needs to make a risk based decision. See Understanding the IRAP report and the control matrix.
The authorisation package, and who decides
The authorisation package is the set of documents the authorising officer uses to decide whether to approve the system to operate. The assessment report is central to it, but it is not the whole package. The officer weighs the residual risks against the organisation’s risk appetite, and can decline to authorise a system that has completed an assessment. See Preparing the IRAP authorisation package.
After the assessment: managing risk and holding posture
Findings become a plan of action and milestones, which records what was found, what you have decided to do about each item, who owns it and by when. The assessment is point in time; the system, the ISM and the threat environment keep moving. Holding your posture between assessments, rather than treating authorisation as a finish line, is what makes the next 24 month cycle an update instead of a rebuild. See IRAP POAM and risk management and Maintaining IRAP posture between assessments.
Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Talk to us. We aren’t always chasing a transaction.
Sources:
- ASD IRAP Consumer Guide, July 2025
- IRAP Common Assessment Framework, April 2025
- Information Security Manual, June 2026
- Protective Security Policy Framework, including requirement 0109
Last updated: 21 June, 2026
