An entity assessor is an organisation’s own assessor checking its internal systems against the Information Security Manual. An IRAP assessor is independently endorsed by ASD and is required for outsourced IT and cloud services that hold Australian Government data. The ISM permits own assessors up to SECRET; outsourced services need an IRAP assessor.
Not every assessment against the Information Security Manual needs an IRAP assessor. That surprises people. The ISM lets an organisation’s own assessors assess the systems it runs itself, up to SECRET. The IRAP requirement is narrower than the industry shorthand suggests, and knowing where the line sits saves money and time.
## Can an organisation assess its own systems against the ISM?
Yes, for most classifications. ASD’s guidance on using the Information Security Manual states that for non-classified, OFFICIAL: Sensitive, PROTECTED and SECRET systems, a security assessment may be undertaken by an organisation’s own assessors or by an IRAP assessor. Only TOP SECRET assessments are reserved for ASD assessors or their delegates. An agency or business assessing a system it runs itself can use suitably skilled internal staff against the ISM. The control set is the same. What an entity assessor lacks is ASD endorsement and the independence an outsourced arrangement demands. That gap is the whole point of the distinction. The companion page, What an IRAP assessment is, sets out the assessment itself.
## When do you need an IRAP assessor instead?
When the system is outsourced. Under the Protective Security Policy Framework, outsourced IT and cloud services that store, process or communicate Australian Government information at OFFICIAL: Sensitive, PROTECTED or SECRET must be IRAP assessed before an agency uses them (PSPF Table 21), and cloud providers must have been assessed within the previous 24 months against the latest ISM (PSPF requirement 0109). The reason is structural. The agency consuming the service does not control it and cannot send its own staff to grade it, so an independent, ASD endorsed assessor fills that role. Run the system in house and your own assessors can do the work. Sell it to government as a service and the IRAP requirement applies. Information classification decides which level you are assessing to.
## What makes an IRAP assessor different from an entity assessor?
Three things: endorsement, independence and clearance. An IRAP assessor is an ICT professional endorsed by ASD, holding a minimum NV1 security clearance, with at least five years of technical ICT experience and two years in information security on ISM-based systems. They must be independent of the system they assess and submit a conflict of interest declaration to ASD before each assessment. An entity assessor carries none of those obligations to ASD; they are competent internal staff. Both assess against the same ISM. Only one carries the endorsement an agency relies on when the system is someone else’s. The companion page, How to choose an IRAP assessor, goes further on what to look for.
| | Entity (internal) assessor | IRAP assessor |
|---|---|---|
| ASD endorsement | No | Yes, endorsed by ASD |
| Typically assesses | The organisation’s own systems | Outsourced IT and cloud services; also permitted on internal systems |
| Independence | Internal to the organisation | Independent of the system; conflict of interest declaration to ASD before each assessment |
| Security clearance | Set by the organisation | Minimum NV1 |
| Classification ceiling | Up to SECRET (own systems) | Up to SECRET (TOP SECRET is ASD only) |
| Standard assessed against | The ISM | The ISM |
| Deliverable | Internal assessment record | IRAP assessment report and control matrix |
## Why does independence matter for outsourced services?
Because a provider cannot credibly assess itself. An IRAP assessment exists so the agency buying a cloud or SaaS service gets an independent view of how that system meets the ISM, not the vendor’s own marking of its own homework. That is why ASD requires IRAP assessors to be independent of the system they assess and to lodge a conflict of interest declaration before each engagement. An entity assessor reviewing the organisation’s own internal system has no such requirement, and none is needed, because the organisation is assessing and carrying its own risk. Independence is not paperwork. It is what makes the report worth anything to a third party.
## Who decides whether the system can operate?
The authorising officer, every time. Neither an entity assessor nor an IRAP assessor approves a system. IRAP is an assessment, not a certification, and there is no pass mark. The assessor reports strengths, weaknesses and residual risks; the consuming agency’s authorising officer weighs those against its risk appetite and decides whether to authorise the system to operate under PSPF requirement 0086. That holds whether the assessment was done internally or by an IRAP assessor. The assessment informs the decision. It does not make it. The complete IRAP guide covers the full lifecycle.
## Frequently asked questions
No. For non-classified, OFFICIAL: Sensitive, PROTECTED and SECRET systems the ISM permits an organisation’s own assessors or an IRAP assessor. An IRAP assessor is required for outsourced IT and cloud services holding government data under the PSPF, and TOP SECRET assessments are undertaken by ASD.
If it is your own internal system, your own assessors may assess it against the ISM. If you provide it to government as an outsourced or cloud service, it must be assessed by an independent IRAP assessor under PSPF Table 21 and reassessed within 24 months under requirement 0109.
There is no ASD set clearance for an entity assessor; the organisation sets its own requirements. An IRAP assessor must hold a minimum NV1 clearance, which ASD will sponsor if necessary.
No. Both assess against the same Information Security Manual. The difference is ASD endorsement, independence and the formal IRAP report and control matrix, not the controls themselves.
Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- Using the Information Security Manual, cyber.gov.au, 2026
- Cloud assessment and authorisation, cyber.gov.au, 2024
- Who are ASD’s IRAP Assessors, cyber.gov.au, 17 November 2025
- How to become an IRAP Assessor, cyber.gov.au, 15 August 2024
- Protective Security Policy Framework, protectivesecurity.gov.au, 2024
Last updated: 21 June, 2026
