How Long Does an IRAP Assessment Take?

How long does an IRAP assessment take? There is no fixed length set by ASD. A moderately complex system usually runs 12 to 16 weeks once the readiness work is done, and longer where the boundary is wide or the controls need remediation. Classification, scope, documentation maturity and the state of your evidence drive the clock, not a published timetable.

Is there a standard IRAP assessment timeline?

No. ASD publishes stages, not weeks. The IRAP assessment process runs in four stages from the Common Assessment Framework: plan and prepare, define the assessment boundary, assess the controls against the Information Security Manual, and produce the report and control matrix. Not one of them carries a set duration, so anyone quoting a single official number is inventing it. What you can plan against is a working range. For a moderately complex system the assessment itself runs about 12 to 16 weeks on top of readiness, and that figure is indicative, not a rule. The spread between a fast assessment and a slow one is wide, and most of it sits inside your control rather than the assessor’s.

What drives how long an IRAP assessment takes?

Four things move the clock more than anything else, and a day rate is not one of them. The data classification sets the obligations. The boundary sets the volume of work. Your documentation decides whether the assessor starts on day one or waits. Remediation decides whether findings close quietly or stretch the calendar. The single biggest extender is evidence that does not exist yet. An assessor cannot assess a control you cannot show them, so the gap gets recorded as a constraint and the clock keeps running while you build it.

| What drives the time | Why it moves the clock |
| --- | --- |
| Data classification | The control set is the same at OFFICIAL: Sensitive and PROTECTED; SECRET adds physical, personnel and network obligations that take longer to evidence |
| Assessment boundary | A tight boundary keeps the control count down; a wide one inflates the work at every stage |
| Documentation maturity | A current System Security Plan, SSP annex and risk management plan let the assessor start; gaps stall the first stage |
| Remediation | Findings that have to be fixed mid-assessment add weeks; heavy remediation can stretch the calendar well past the indicative range |

How long does each stage take?

ASD does not allocate weeks to each stage, so treat any split as indicative. Planning and scoping is quick when the paperwork is ready and slow when it is not. Defining the boundary is short but consequential: a tight boundary keeps everything downstream smaller. Assessing the controls against the ISM is the heart of the work and takes the largest share. Reporting and the control matrix come last. The middle of the assessment is where the time goes, which is why preparation pays back.

| Stage | What happens | Indicative share of the time |
| --- | --- | --- |
| 1. Plan and prepare | Scoping, planning, confirming the classification and the documents | Short |
| 2. Define the boundary | Agree the systems, people and processes in scope | Short but decisive |
| 3. Assess against the ISM | Evidence review, testing and judgement, control by control | Largest |
| 4. Report and control matrix | The assessment report and the control matrix | Moderate |

How long does IRAP readiness take beforehand?

Readiness is separate work, and it is where most of the avoidable delay disappears. IRAP readiness typically runs about 6 to 8 weeks, indicative and scoped to the system, covering a gap analysis against the ISM for the target classification, boundary support, evidence preparation and remediation guidance. Preparing properly before the assessor arrives is the cheapest money you spend on IRAP. Skip it and you do not save time, you move the delay into the assessment, where it costs more and shows up as constraints in the report.

How often do you have to reassess?

An IRAP assessment is point in time. The system you assessed in March is not the system you run in December. Under PSPF requirement 0109, a cloud service provider must have had an IRAP assessment within the previous 24 months, against the latest ISM at the time of assessment. So the real timeline is a cycle, not a finish line. Plan the next assessment before the current one ages out. Maintaining posture between assessments keeps the reassessment short instead of starting from cold. For the full picture, the complete IRAP guide links every stage, and what an IRAP assessment costs sits alongside the timeline.

Does ASD set a fixed time for an IRAP assessment?

No. ASD publishes the assessment stages in the IRAP Common Assessment Framework, not a number of weeks. The length depends on the classification, the boundary, your documentation maturity and how much remediation is needed.

How long does an IRAP assessment take for a moderately complex system?

About 12 to 16 weeks for the assessment once readiness is done. That is an indicative figure, not a rule. A wide boundary or heavy remediation extends it.

How long does IRAP readiness take before the assessment?

Around 6 to 8 weeks for a typical system, covering a gap analysis against the ISM for the target classification, boundary support, evidence preparation and remediation guidance.

How long is an IRAP assessment valid?

It is point in time. Under PSPF requirement 0109, a cloud service provider must have had an IRAP assessment within the previous 24 months, against the latest ISM at the time of assessment.


Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.

Sources:

  1. IRAP Common Assessment Framework (Australian Signals Directorate), April 2025
  2. IRAP Policy and Procedures (Australian Signals Directorate), 2026
  3. Infosec Registered Assessors Program (IRAP) (Australian Signals Directorate), accessed June 2026
  4. Protective Security Policy Framework, requirement 0109 (Department of Home Affairs), accessed June 2026
  5. Information Security Manual (Australian Signals Directorate), June 2026

Last updated: 21 June, 2026