An IRAP assessment runs on the documents you bring to it. The assessor works from your System Security Plan annex, the control matrix where one already exists, and your logical system diagrams to identify which Information Security Manual controls apply, then tests the evidence behind each one. Thin documents make a thin assessment.
Most teams treat the document set as paperwork to produce for the assessor. That is the wrong way round. The System Security Plan annex is the spine of the assessment, and the control matrix the assessor hands back is built from it. Get the annex right and the assessment is efficient. Get it wrong and every finding downstream inherits the error.
What documents does an IRAP assessment actually need?
A core set, prepared before the assessor starts. The System Security Plan and its annex, a Security Risk Management Plan, a continuous monitoring plan, an incident response plan, system design and network documentation, and your security policies and procedures. The IRAP Consumer Guide is clear on how the assessor uses them: the SSP annex, the control matrix if one exists, and the logical system diagrams are read together to identify the controls that apply to your system. Everything else is evidence that those controls operate. This article sits alongside the IRAP readiness checklist and the guide to how to prepare for an IRAP assessment; the checklist tells you what to gather, this article tells you what each document is for.
What is the System Security Plan and its annex, and why does it carry the assessment?
The System Security Plan describes the system and how it is secured. The annex is where each applicable ISM control is listed against how you have implemented it. That is the document an assessor opens first. The control matrix they produce, covered under the report and control matrix, is a derivative of the SSP annex, not a separate creation. So the annex is doing two jobs at once: it scopes the assessment and it seeds the deliverable. When an annex claims a control is implemented and the evidence does not support it, the assessor records the gap, and the authorising officer reads it. The annex is not a form. It is the assessment.
Which supporting documents does the assessor expect to see?
Five, beyond the SSP and its annex. The Security Risk Management Plan records the risks, the treatments and the residual risk the organisation has accepted. The continuous monitoring plan sets out how you keep controls effective as the system changes. The incident response plan defines detection, response and recovery. System design and network diagrams show the architecture and mark the assessment boundary. Your security policies and procedures are the governance the technical controls sit under. The table below maps each one.
| Document | What it does | Who owns it |
|---|---|---|
| System Security Plan (SSP) | Describes the system and how it is secured | The system owner |
| SSP annex | Maps each applicable ISM control to how it is implemented | The system owner; the assessor scopes from it |
| Security Risk Management Plan (SRMP) | Records the security risks, the treatments and the residual risk | The system owner |
| Continuous monitoring plan | Sets how controls are kept effective as the system changes | The system owner |
| Incident response plan | Defines how you detect, respond to and recover from incidents | The system owner |
| System design and network diagrams | Show the architecture and mark the assessment boundary | The system owner |
| Security policies and procedures | The governance behind the technical controls | The organisation |
Where does the control matrix fit?
The control matrix is the assessor's record of every applicable control and its implementation status. It is derived from your SSP annex, which means you provide the annex and the assessor produces the matrix and the report. An assessor does not write your annex for you. Doing so would put them on both sides of the work and compromise the independence that makes the assessment worth anything. If you want help building the annex before the assessment, that is IRAP readiness work, kept separate from the IRAP assessment itself.
How current do the documents have to be?
Current as at the assessment, and dated to the ISM version they were written against. The ISM is updated through the year, so a document set written eighteen months ago will not match the controls in force now. The classification the documents target is set by the owning government agency, not the provider, as the information classification guide explains; the ISM control set is the same at OFFICIAL: Sensitive and PROTECTED, and the physical, personnel and network obligations are what change. Cloud providers carry a hard deadline: PSPF requirement 0109 expects an IRAP assessment within the previous 24 months against the latest ISM.
What happens when a document is missing or thin?
The assessor records it. There is no pass mark, so a gap does not fail you, but it does not disappear either. A missing continuous monitoring plan, an SSP annex that lists controls without evidence, an incident response plan no one has tested: each is recorded as a constraint or as a control not implemented in the report that goes to the authorising officer. The cheapest version of an IRAP assessment is the one where the documents already reflect the system as built. For the wider picture of how these pieces fit, see what an IRAP assessment is and the complete IRAP guide.
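The three rules above (every claimed control needs evidence, the annex must be written against the ISM version being assessed, and a cloud provider's last assessment must fall within 24 months) can be run as a self-check before the assessor arrives. The script below is an added example for this article, not the IRAP Consumer Guide, an ASD template or any assessor's tooling; the control identifiers, evidence file names, ISM version label and dates are constructed placeholders, and the reading of "within the previous 24 months" as fewer than 24 full months is an assumption.

```python
"""Pre-assessment self-check of an SSP annex (added example, not ASD material)."""
from datetime import date

# Assumed label for the ISM version the assessor will test against.
ISM_IN_FORCE = "ISM June 2026"

# Constructed annex: control id -> (implementation statement, evidence references).
# The CTRL-nnnn ids are placeholders, not real ISM control numbers.
ANNEX = {
    "ism_version": "ISM June 2026",
    "controls": {
        "CTRL-0001": ("MFA enforced for all privileged accounts", ["idp-policy-export.json"]),
        "CTRL-0002": ("Logs forwarded to the central SIEM", []),   # claimed, no evidence
        "CTRL-0003": ("", ["change-record-1234.pdf"]),             # evidence, no statement
    },
}


def control_matrix(annex: dict, ism_in_force: str) -> tuple[dict, list]:
    """Derive the matrix the way the article says the assessor does: one row per
    control, status set by what the annex actually supports, plus constraints."""
    rows, constraints = {}, []
    for cid, (statement, evidence) in annex["controls"].items():
        if statement and evidence:
            rows[cid] = "implemented"
        elif statement:
            # The annex claims the control but nothing backs it: recorded as a gap.
            rows[cid] = "not implemented: claimed without evidence"
        else:
            rows[cid] = "not implemented: no implementation statement"
    if annex["ism_version"] != ism_in_force:
        constraints.append(
            f"annex written against {annex['ism_version']}, assessed against {ism_in_force}")
    return rows, constraints


def cloud_assessment_current(last_assessed_iso: str, today_iso: str) -> bool:
    """True while fewer than 24 full months have elapsed since the previous
    assessment; at 24 months a reassessment is due (assumed reading of PSPF 0109)."""
    last, today = date.fromisoformat(last_assessed_iso), date.fromisoformat(today_iso)
    months = (today.year - last.year) * 12 + (today.month - last.month)
    if today.day < last.day:
        months -= 1
    return months < 24
```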
Frequently asked questions
Will the assessor write our SSP annex for us?
No. The assessor is independent and assesses your documentation. Writing it would compromise that independence and the value of the assessment. Readiness support before the assessment is a separate engagement.
Do we have to produce the control matrix ourselves?
No. The control matrix is the assessor's record of each applicable control and its implementation status, derived from your SSP annex. You provide the annex; the assessor produces the matrix and the report.
What decides the classification the documents target?
The classification of the information the system handles, set by the owning government agency, not the provider. The ISM control set is the same at OFFICIAL: Sensitive and PROTECTED; the physical, personnel and network obligations differ.
How current do the documents need to be?
Current as at the assessment, against the ISM version being assessed. Cloud providers must be reassessed within 24 months under PSPF requirement 0109.
Written by Gaurav Vikash, an ASD-endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC, is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources
- IRAP Consumer Guide, July 2025
- IRAP Common Assessment Framework, 2025
- System Security Plan annex template, June 2025
- Information Security Manual, June 2026
- PSPF requirement 0109, current
Last updated: 21 June, 2026
