The IRAP assessment process follows four stages defined in the IRAP Common Assessment Framework: plan and prepare, define the assessment boundary, assess the controls, and produce the IRAP assessment report. The assessor leads each stage. The assessed organisation’s role is to provide access, documentation, evidence, and personnel availability throughout. Understanding what happens in each stage helps organisations engage productively with the process rather than react to it.
Stackform’s journey
Stackform’s preparation was done. The assessor had the documentation package, system access was provisioned, and the agreed boundary was in writing. James Hartley’s question at the start of the first working session was simple: what actually happens now?
The IRAP assessment process has four stages. Each has a defined purpose and produces inputs for the next. What the assessor does at each stage, and what the organisation needs to contribute, is not ambiguous.

Stage 1: Plan and prepare
Before any assessment work begins, the assessor completes planning activities that shape how the assessment will run. This includes submitting the Assessment Record and Conflict of Interest declaration to ASD via the ACSC Partner Portal at least seven business days before the assessment starts.
During planning, the assessor works with the organisation to confirm assessment timelines, milestones, and access requirements. They identify the frameworks and policies applicable to the system, including the ISM, PSPF, and any other relevant guidance such as the Hosting Certification Framework. They determine what assessment methods will be used, how evidence will be collected and protected, and whether any managed service providers need to be brought into the process.
The assessor may produce an assessment plan document to formalise this and share it with the organisation. Where a security assessment team is involved, team composition and responsibilities are established at this stage.
For Stackform, Stage 1 confirmed the agreed boundary in writing, established a weekly check-in cadence, and identified the system administrators and security personnel who would be available for interviews during Stage 3.
Stage 2: Define the assessment boundary
The assessor defines the assessment boundary in agreement with the organisation’s delegate. This was covered in depth in a prior article. Within the assessment process itself, Stage 2 is where the boundary is formally documented and validated before control assessment begins. The assessor reviews system architecture, identifies the components in scope, maps the shared responsibility model with any third-party providers, and confirms that the boundary is complete and appropriate.
Inclusions and exclusions are both documented at this stage. The assessor will continue to review and validate the boundary as the assessment progresses if new information emerges.
Stage 3: Assess the controls
This is the substantive work of the assessment. The assessor collects and reviews evidence to determine whether each applicable ISM control is operating effectively within the boundary. It is the longest stage and the one that places the most demands on the organisation’s time.
The assessor uses three methods to gather evidence.
- Examine involves reviewing documents, configurations, system designs, policies, and procedures. This is where the SSP-A, architectural diagrams, and configuration exports are used directly.
- Interview involves discussions with individuals across the organisation, including system owners, system administrators, security operations personnel, and end users. Interviews are used to understand how controls operate in practice and to locate additional evidence.
- Test involves exercising controls under defined conditions to compare actual behaviour against expected behaviour. This might include attempting to access a system with an account that should be blocked, testing backup restoration, or verifying that a cryptographic configuration enforces the expected protocol.
For each control, the assessor assigns one of seven standardised implementation statuses.
- Effective: the control is meeting the intent of the ISM control objective.
- Ineffective: the control is not adequately meeting the intent of the ISM control objective.
- Alternate control: the control objective is being met through a different control than the one specified.
- Not assessed: the control has not yet been assessed.
- Not applicable: the control does not apply to the system or environment.
- No visibility: the assessor could not obtain adequate visibility of the control’s implementation. From a risk perspective, authorising officers may treat this outcome as equivalent to ineffective.
- Not implemented: the organisation has not implemented the control, generally due to a business or technical constraint. The assessor documents the reason.

Every outcome, including not applicable and not implemented, must be accompanied by a written justification. The assessor does not rate risks. They describe what they found and what impact a weakness or gap may have. The risk rating and the authorisation decision sit with the system authoriser.
The assessor only assesses what is implemented at the time of the assessment. Programs of work underway may be noted in the report but are not assessed.
For Stackform, Stage 3 ran across three weeks. The assessor examined the SSP-A and configuration documentation in the first week, conducted interviews with system administrators and the security lead in the second, and completed technical testing and log review in the third. Two controls were rated no visibility because the only evidence available was a policy document that restated the control rather than demonstrating it. James was informed of this during the assessment, not as a surprise in the final report.
Stage 4: Produce the IRAP assessment report
Once control assessment is complete, the assessor produces the Security Assessment Report and the Controls Matrix. The report documents the assessment boundary, an overview of the system and environments assessed, the system’s security strengths and weaknesses, any limitations that affected evidence gathering or testing, and the outcomes of each control assessment with justification and supporting evidence.
The report also includes recommendations. Assessors provide descriptive recommendations that explain the issue and its implications, giving the organisation enough context to determine how to address it. Assessors do not prescribe specific solutions or dictate how a recommendation must be implemented.
The assessor does not recommend whether the system should be authorised. That decision rests with the authorising officer.
Before the report is finalised, it is reviewed internally by the assessor and by the organisation’s stakeholders. The final report and controls matrix are provided to the assessed entity and a copy is submitted to ASD.
For Stackform, the draft report was shared with James two weeks after Stage 3 concluded. He reviewed it with Cybernion to understand the findings before it was finalised. The report became the foundation for the authorisation package.

Frequently Asked Questions (FAQs)
How long does an IRAP assessment take?
It varies depending on system complexity, scope size, evidence availability, and the assessor’s familiarity with the environment. Thorough preparation before the assessment starts is the most effective way to reduce the overall timeline.
What are the seven IRAP implementation outcomes?
Effective, Ineffective, Alternate Control, Not Assessed, Not Applicable, No Visibility, and Not Implemented. Every outcome must include a written justification from the assessor. Not Implemented is distinct from Ineffective: Not Implemented means the control has not been put in place, usually for a documented business or technical reason.
Does the assessor tell us which findings are highest priority?
The assessor describes the potential impact of each weakness or gap but does not rate risks on behalf of the organisation or the consuming agency. Key vulnerabilities should be identified clearly in the report so the authorising officer and the organisation can prioritise them, but the risk rating itself is the organisation’s responsibility.
Can we fix issues found during the assessment before the report is finalised?
The assessor assesses what is implemented at the time of assessment. Remediations completed after the assessment period may be noted as programs of work underway but cannot be assessed as implemented unless the assessor has time and evidence to verify the change within the assessment timeframe. This should be discussed with the assessor if a finding is identified early in the process.
Who receives the final IRAP assessment report?
The assessed entity receives the report and controls matrix. The assessor also submits a copy to ASD as part of the quality assurance process. The assessed entity then uses the report as the basis for the authorisation package submitted to the system authoriser.
Sources:
- ASD IRAP Consumer Guide, July 2025
- IRAP Common Assessment Framework, April 2025
The names of the organisations and individuals have been changed to protect their privacy. The situations described are based on real patterns observed across Australian government and enterprise environments.
Last updated: 5 June 2026
