Preparing for an IRAP assessment is work the organisation does before the assessor arrives. It covers documentation, evidence, personnel availability, and access logistics. Organisations that arrive at an IRAP assessment without this groundwork in place extend the timeline and create gaps in evidence that the assessor must document as constraints. The ASD IRAP Consumer Guide includes a baseline preparation checklist. This article works through what that preparation involves in practice.
Stackform’s journey
The assessment boundary was agreed. Stackform had a clear picture of what the assessor would evaluate. What James had not yet done was look at whether Stackform was actually ready for someone to start assessing it.
The quality of evidence available at the start of an assessment is one of the biggest variables in how smoothly it runs. An assessor who arrives and cannot access documentation, cannot get system accounts provisioned, or cannot get the right people on a call, will document those constraints in the report. That documentation does not help the authorising officer form a positive view of the organisation’s security posture.
Preparing for an IRAP assessment properly is the organisation’s responsibility, not the assessor’s.
Documentation
The primary document the assessor will use to understand the system is the System Security Plan and Annex, referred to as the SSP-A. This document describes the system, its components, its data flows, and how security controls have been implemented. If the SSP-A does not exist or has not been kept current, it needs to be written or updated before assessment begins. An assessor cannot assess what is not documented.
Beyond the SSP-A, the ASD preparation checklist identifies a set of documents that should be ready before the assessment starts. These documents do not need to be perfect. They need to be accurate, approved by the relevant authority, and reflective of what is actually implemented. An assessor can only assess what is implemented, not what is planned or in progress.
- Risk management documents, including any existing risk register or risk treatment plan for the system
- Design and architectural documents, including logical and physical diagrams of the system environment
- Incident response plans and playbooks relevant to the system
- Organisational security policies and standard operating procedures covering the system
- Configuration and build documents, including hardening guidelines applied to the system
- Business continuity and disaster recovery plans
- Any previous security assessment reports or penetration test results
- Service provider security contract extracts where third parties are involved in delivering or maintaining the system

Evidence
Documentation describes what should be in place. Evidence demonstrates that it is. Preparing for an IRAP assessment means beginning to collect that evidence before the assessor asks for it.
Useful evidence to have ready includes screenshots of system configurations and cryptographic settings, vulnerability scan results, patching history, log samples, backup and restoration test records, and records of access control reviews. Where controls are demonstrated through automated mechanisms, the assessor will want to see configuration exports or tool outputs, not just policy documents that describe the intent.
Evidence gathered only in the days before an assessment, or created specifically for it, is lower quality than evidence that reflects ongoing operational practice. Assessors are trained to identify the difference. Historical evidence, such as months of patching records rather than a single current snapshot, gives the assessor a much stronger basis for rating a control effective.
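To make the distinction between ongoing operational records and evidence produced for the occasion concrete, here is an added example (not from the ASD guide or Cybernion's own tooling) that fingerprints a constructed evidence set and reports, per control, whether the records span months of operation or amount to a last-minute snapshot. The control labels, dates and day thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib


@dataclass(frozen=True)
class EvidenceItem:
    control: str     # hypothetical control label used for grouping
    collected: date  # date the artefact was produced in normal operations
    content: bytes   # the artefact bytes (constructed in this example)


def fingerprint(item: EvidenceItem) -> str:
    """SHA-256 of the artefact, so the manifest handed to the assessor can
    later be matched against the files it describes."""
    return hashlib.sha256(item.content).hexdigest()


def build_manifest(items):
    """One manifest line per artefact: control, collection date, hash."""
    return [f"{i.control},{i.collected.isoformat()},{fingerprint(i)}"
            for i in sorted(items, key=lambda i: (i.control, i.collected))]


def classify_evidence(items, assessment_start, min_history_days=90, recent_days=14):
    """Per control: 'historical' if the records span at least min_history_days,
    'created_for_assessment' if every record falls within recent_days of the
    start date, otherwise 'snapshot' (a single older point in time)."""
    by_control = {}
    for item in items:
        by_control.setdefault(item.control, []).append(item.collected)
    verdict = {}
    for control, dates in by_control.items():
        span = (max(dates) - min(dates)).days
        if span >= min_history_days:
            verdict[control] = "historical"
        elif (assessment_start - min(dates)).days <= recent_days:
            verdict[control] = "created_for_assessment"
        else:
            verdict[control] = "snapshot"
    return verdict


ASSESSMENT_START = date(2026, 3, 2)  # constructed assessment start date
SAMPLE = (  # constructed evidence set: six monthly patch runs, two one-offs
    [EvidenceItem("patching", ASSESSMENT_START - timedelta(days=30 * n),
                  f"patch run {n}".encode()) for n in range(1, 7)]
    + [EvidenceItem("backup_restore_test", ASSESSMENT_START - timedelta(days=3),
                    b"restore test 2026-02-27")]
    + [EvidenceItem("access_review", ASSESSMENT_START - timedelta(days=60),
                    b"quarterly access review")]
)

if __name__ == "__main__":
    print("\n".join(build_manifest(SAMPLE)))
    print(classify_evidence(SAMPLE, ASSESSMENT_START))
```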

People and Access
The assessor will need to speak with people, not just read documents. System administrators, security personnel, and system owners should be scheduled and available during the assessment period. Interviews are a core part of the evidence-gathering process. If key personnel are unavailable, controls that depend on demonstrating human processes cannot be fully assessed.
Access logistics are equally important. The assessor will need system access appropriate to the assessment scope, facility access if on-premises components are involved, and clearance verification where required. Sorting these out ahead of time avoids delays at the start of the assessment that would otherwise compress the time available for actual assessment work.
Timelines and Milestones
Assessment timelines should be agreed with the assessor before work begins. The key variables are the start date, expected end date, and any milestones tied to the organisation’s own authorisation deadlines. If there is an ISM quarterly release expected during the assessment window, discuss how that will be handled with the assessor before the engagement starts.
Assessment length varies depending on system complexity, scope size, the availability of evidence, and the assessor’s familiarity with the environment. Organisations that arrive well prepared consistently complete assessments faster than those that do not.
What Stackform did
James spent the three weeks before the assessment start date working through the preparation checklist with Cybernion. The SSP-A was reviewed and updated to reflect configuration changes made since the document was last touched. Architectural diagrams were redrawn to match the agreed boundary. Patching records were pulled from the patch management platform. System administrators were briefed on the assessment timeline and asked to hold availability during the assessment window.
When the assessor arrived, they had access to a documentation package that matched the system as it was actually built. The assessment started on the agreed date without any provisioning delays.
Preparation does not guarantee a clean assessment report. But it gives the assessor the best possible starting point, and it gives the organisation the best chance of the report reflecting its actual security posture rather than the gaps in its evidence collection.
Next: How the IRAP Assessment Process Works
Frequently Asked Questions (FAQs)
When should we start preparing for an IRAP assessment?
As early as possible once the assessor is engaged and the boundary is agreed. Documentation gaps and evidence shortfalls take time to address. Starting preparation in the weeks before the assessor arrives rather than the days makes a material difference to how the assessment runs.
What is the most important document to have ready?
The SSP-A. The assessor uses it to understand the system, its components, and how controls are implemented. If it does not exist or is out of date, it needs to be written or updated before the assessment starts.
Does our evidence need to be perfect before the assessment begins?
No, but it needs to be accurate and reflective of what is actually implemented. Historical evidence is more valuable than evidence created specifically for the assessment. Assessors are trained to distinguish between ongoing operational records and documentation produced for the occasion.
What happens if we cannot get key personnel available during the assessment?
Controls that depend on demonstrating human processes cannot be fully assessed without the relevant people. The assessor will document any gaps in evidence availability as constraints in the report. Those constraints form part of what the authorising officer reviews.
Does being well prepared affect the assessment outcome?
Preparation affects the quality of evidence available to the assessor, which affects the confidence with which controls can be rated. It does not change what is actually implemented. An organisation with good controls and poor preparation may receive a weaker report than its security posture warrants.
Sources:
- ASD IRAP Consumer Guide, July 2025
- IRAP Common Assessment Framework, April 2025
The names of the organisations and individuals have been changed to protect their privacy. The situations described are based on real patterns observed across Australian government and enterprise environments.
Last updated: 05 June, 2026
Cybernion has helped multiple organisations with IRAP readiness and assessments.
