How to Become an IRAP Assessor in Australia

Becoming an IRAP assessor is an ASD endorsement, not a certification you buy. You need Australian citizenship, at least five years of technical ICT experience including two years in information security against the ISM, one qualification each from ASD’s Category A and Category B, the IRAP new starter course and exam, and a minimum NV1 security clearance.

The hard part is not the exam. Most people who ask how to become an IRAP assessor are screened out well before they sit it, by two gates ASD sets at the front: Australian citizenship and a security clearance. The technical knowledge can be taught in a week. The eligibility cannot.

What does ASD actually endorse?

An IRAP assessor is an ICT professional endorsed by the Australian Signals Directorate to assess a system against the Information Security Manual and report what they find. The endorsement is personal. It attaches to you, not your employer, and it does not make you a certifier. An IRAP assessor does not accredit, certify or approve anything; the assessor writes a report and a control matrix, and the consuming agency decides whether to authorise the system. That is the same distinction that separates an IRAP assessment from a certification, and it is worth being clear on before you sign up for the path.

Who is eligible to become an IRAP assessor?

Two thresholds decide eligibility before any training. You must demonstrate Australian citizenship, and you must show a minimum of five years of technical ICT experience, including at least two years of information security experience on systems built to the ISM and its supporting publications. The second part is where applicants misjudge the bar. Two years of generic security work is not two years assessing or building systems against the ISM and the Protective Security Policy Framework. ASD wants people who already read the manual for a living, not people who are about to start.

What qualifications do you need?

You need evidence of relevant ICT and auditing qualifications: one from ASD’s Category A and one from Category B. Category A covers ICT security qualifications; Category B covers audit and assessment qualifications. One from each, not one or the other. The exact lists are maintained by ASD and change over time, so confirm them against the current program page before you rely on a particular certificate. The commonly held qualifications look like this.

| Category A (ICT security) | Category B (audit and assessment) |
| --- | --- |
| CISSP | CISA |
| CISM | ISO 27001 Lead Auditor |
| GSLC | PCI QSA, GSNA or CRISC |

One qualification from each category is required. The authoritative lists sit with ASD and change between releases; verify against the current IRAP program page before you rely on a specific certificate.

Holding both is the qualification gate. It also explains why many assessors come from a GRC or audit background rather than pure engineering. The audit half of Category B is the part technical specialists most often lack.

What does the IRAP training and exam involve?

Once you meet the eligibility and qualification requirements, you complete an IRAP new starter training course through an ASD-approved provider and sit the ASD new starter examination. The course runs over five days and covers IRAP methodology and ISM fundamentals. One timing point matters now. As at late 2025, ASD’s IRAP course and exam are being updated and new enrolments are not being taken while that work is underway. If you are planning the path today, treat the training step as paused and watch the ASD program page for the restart rather than assume a provider can enrol you.

What happens after you pass the exam?

Passing the exam does not put you on the register. After ASD confirms you have met the requirements, you must attain a minimum NV1 security clearance, which ASD will sponsor if you do not already hold one, and submit a confidentiality deed. The clearance is the slow step. An NV1 is not granted in a fortnight, and it is the single biggest reason the path from passing the exam to being endorsed runs in months rather than weeks. Meet those, plus the professional and integrity standards ASD sets, and you are added to the list of registered IRAP assessors.

How do IRAP assessors keep their endorsement?

Endorsement is not permanent. You keep your prerequisite ICT and auditing qualifications current, and each year you demonstrate contemporary ISM and IRAP knowledge in one of two ways: by submitting an IRAP assessment report covering assessments you have completed in the previous 36 months, or by sitting the IRAP examination again. Before every assessment you submit a conflict of interest declaration to ASD, which is how the program enforces the independence an assessor must keep from the system they assess. You also attend ASD-endorsed workshops and forums and contribute to the IRAP community. Stop doing the work and the endorsement lapses. For the wider picture of where the role sits, the complete guide to IRAP assessment maps it out.

Frequently asked questions

Do you need to be an Australian citizen to become an IRAP assessor?

Yes. Australian citizenship is a mandatory eligibility requirement and is confirmed before you can begin the training.

What security clearance do IRAP assessors need?

A minimum NV1 security clearance. ASD will sponsor the clearance if you do not already hold one, and the process commonly adds months to the path.

Can you become an IRAP assessor right now?

The training step is paused. As at late 2025, ASD’s IRAP course and exam are being updated and new enrolments are not being taken. Check the ASD IRAP program page for the restart.

How much experience do you need to become an IRAP assessor?

A minimum of five years of technical ICT experience, including at least two years of information security experience on systems using the Information Security Manual and its supporting publications.


Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.


Sources:

  1. Who are ASD IRAP Assessors, cyber.gov.au, 17 November 2025
  2. How to become an IRAP Assessor, cyber.gov.au, 15 August 2024
  3. IRAP Policy and Procedures, Australian Signals Directorate, 2026
  4. Infosec Registered Assessors Program (IRAP), cyber.gov.au, 2026

Last updated: 21 June, 2026