Blogs and Resources
Expert and objective analysis, insights on industry trends, and unbiased views from our proficient experts. Uncover thought-provoking content authored by our team of seasoned specialists, dedicated to keeping you informed and empowered.
Maintaining IRAP Posture between Assessments
An IRAP assessment is a point-in-time evaluation. The authorisation that follows it is not. The system continues to operate, the ISM continues to be updated, the system itself continues to change, and the threat environment does not pause while the organisation gets comfortable with its authorisation. Maintaining IRAP posture between...
Preparing the IRAP Authorisation Package
The IRAP authorisation package is the suite of documents provided to the authorising officer so they can make a risk-based decision about whether to approve the system for operation. The IRAP assessment report is a central component but it is not the whole package. The authorising officer reviews the package,...
IRAP POAM and Risk Management
The plan of action and milestones (POAM) is the document that converts assessment findings into managed work. It records what the assessment identified, what the organisation has decided to do about each finding, who owns it, and by when. Building a credible POAM after authorisation and maintaining it through the...
Understanding IRAP Report and Cloud Controls Matrix
The IRAP report and Cloud Controls Matrix are the two documents produced at the end of every cloud system assessment. Together they give an authorising officer everything needed to make an informed risk-based decision about whether to authorise the system. Understanding what each document contains, who it is written for,...
How the IRAP Assessment Process Works
The IRAP assessment process follows four stages defined in the IRAP Common Assessment Framework: plan and prepare, define the assessment boundary, assess the controls, and produce the IRAP assessment report. The assessor leads each stage. The assessed organisation's role is to provide access, documentation, evidence, and personnel availability throughout. Understanding...
How to Prepare for an IRAP Assessment
Preparing for an IRAP assessment is work the organisation does before the assessor arrives. It covers documentation, evidence, personnel availability, and access logistics. Organisations that arrive at an IRAP assessment without this groundwork in place extend the timeline and create gaps in evidence that the assessor must document as constraints....
How to Define the IRAP Assessment Boundary
The assessment boundary for an IRAP assessment is the set of all system components, people, processes, and technologies to be evaluated as part of the assessment. It is defined by the IRAP assessor and agreed with the assessed entity's delegate authority before substantive assessment work begins. The boundary must cover...
How to Choose an IRAP Assessor
Choosing an IRAP assessor starts with the ASD register of endorsed assessors on cyber.gov.au, but the register is a starting point, not a selection criterion. All registered assessors meet ASD's minimum requirements. What varies is their technical depth, familiarity with your environment, independence from your system, and availability. Selecting the...
What does information classification mean for IRAP?
The classification of information a system will handle is determined by the government agency that owns it, not the service provider. The information classification must be confirmed before any scoping decision is made. The ISM control set is the same at OFFICIAL: Sensitive and PROTECTED. What differs are the physical...
What an IRAP assessment is, and what it is not
An IRAP assessment is an independent, evidence-based evaluation of a specific system's security controls, conducted by an ASD-endorsed assessor against the current version of the Information Security Manual. It produces two documents: the IRAP Security Assessment Report and the Controls Matrix. It does not produce a certificate, an accreditation, or...
Do we need an IRAP assessment?
An IRAP assessment is required when a system stores, processes, or transmits classified Australian Government information and the relevant agency requires the system to be assessed before it becomes operational. For cloud and SaaS providers, PSPF requirement 0109 makes this a standing obligation. This article explains how to confirm whether...
IRAP Assessment FAQs
Question: What is an IRAP assessment?
Answer: An IRAP assessment is an independent security review conducted by an ASD-accredited IRAP assessor. It evaluates a system against the ISM to support a Government entity's decision to operate the system.
Question: Is IRAP a certification?
Answer: No. IRAP is not a certification or accreditation. It produces an independent report....
Compromised by Design – The Hidden Risks of Wearable Tech
Some choices shape our future in ways we can’t immediately see. Wearable smart devices fall into that category. At first glance, they are insightful, motivational, convenient — and, in some cases, life-saving. Yet they are far more than gadgets strapped to our wrists or clipped to our clothes. They are...
Cyber Security in Space – Securing the Stars, and Our Future
As the world becomes increasingly reliant on satellite technology for communication, navigation, and national security, the importance of space cybersecurity is also growing. The potential impact of a successful cyber-attack on these systems is vast, ranging from the disruption of communication networks to physical damage. This article explores the challenges...
Identify and Implement The Right Cybersecurity Framework
The field of cybersecurity is constantly evolving, and the increasing number of frameworks and standards can be overwhelming for organisations seeking to secure their information assets. This article explores the similarities, uniqueness, applicability, implementation and maintenance process of various cybersecurity frameworks, including ISO 27001, ISO 27017, ISO 27018, SOC2, ISM,...
