Security | 26/03/2026

IRAP Assessment FAQs

Question: What is an IRAP assessment?
Answer: An IRAP assessment is an independent security review conducted by an ASD-accredited IRAP assessor. It evaluates a system against the ISM to support a Government entity’s decision to operate the system.

Question: Is IRAP a certification?
Answer: No. IRAP is not a certification or accreditation. It produces an independent report. The decision to accept risk…

Security | 05/06/2026

Do we need an IRAP assessment?

An IRAP assessment is required when a system stores, processes, or transmits classified Australian Government information and the relevant agency requires the system to be assessed before it becomes operational. For cloud and SaaS providers, PSPF requirement 0109 makes this a standing obligation. This article explains how to confirm whether an IRAP assessment is required,…

Security | 05/06/2026

What an IRAP assessment is, and what it is not

An IRAP assessment is an independent, evidence-based evaluation of a specific system's security controls, conducted by an ASD-endorsed assessor against the current version of the Information Security Manual. It produces two documents: the IRAP Security Assessment Report and the Controls Matrix. It does not produce a certificate, an accreditation, or an authorisation to operate. The…

Security | 05/06/2026

What does information classification mean for IRAP?

The classification of information a system will handle is determined by the government agency that owns it, not the service provider. The information classification must be confirmed before any scoping decision is made. The ISM control set is the same at OFFICIAL: Sensitive and PROTECTED. What differs are the physical security, personnel clearance, and network…

Security | 05/06/2026

How to Choose an IRAP Assessor

Choosing an IRAP assessor starts with the ASD register of endorsed assessors on cyber.gov.au, but the register is a starting point, not a selection criterion. All registered assessors meet ASD's minimum requirements. What varies is their technical depth, familiarity with your environment, independence from your system, and availability. Selecting the wrong assessor can affect the…

Security | 05/06/2026

How to define IRAP Assessment Boundary

The assessment boundary for an IRAP assessment is the set of all system components, people, processes, and technologies to be evaluated as part of the assessment. It is defined by the IRAP assessor and agreed with the assessed entity's delegate authority before substantive assessment work begins. The boundary must cover every applicable environment, document what…

Security | 05/06/2026

How to Prepare for an IRAP Assessment

Preparing for an IRAP assessment is work the organisation does before the assessor arrives. It covers documentation, evidence, personnel availability, and access logistics. Organisations that arrive at an IRAP assessment without this groundwork in place extend the timeline and create gaps in evidence that the assessor must document as constraints. The ASD IRAP Consumer Guide…

Security | 05/06/2026

How the IRAP Assessment Process Works

The IRAP assessment process follows four stages defined in the IRAP Common Assessment Framework: plan and prepare, define the assessment boundary, assess the controls, and produce the IRAP assessment report. The assessor leads each stage. The assessed organisation's role is to provide access, documentation, evidence, and personnel availability throughout. Understanding what happens in each stage…

Security | 05/06/2026

Understanding IRAP Report and Cloud Controls Matrix

The IRAP report and Cloud Controls Matrix are the two documents produced at the end of every cloud system assessment. Together they give an authorising officer everything needed to make an informed risk-based decision about whether to authorise the system. Understanding what each document contains, who it is written for, and how to read the…

Security | 05/06/2026

Preparing the IRAP Authorisation Package

The IRAP authorisation package is the suite of documents provided to the authorising officer so they can make a risk-based decision about whether to approve the system for operation. The IRAP assessment report is a central component but it is not the whole package. The authorising officer reviews the package, weighs the residual risks against…

Security | 05/06/2026

IRAP POAM and Risk Management

The plan of action and milestones (POAM) is the document that converts assessment findings into managed work. It records what the assessment identified, what the organisation has decided to do about each finding, who owns it, and by when. Building a credible POAM after authorisation and maintaining it through the life of the system is…

Security | 06/06/2026

Maintaining IRAP Posture between Assessments

An IRAP assessment is a point-in-time evaluation. The authorisation that follows it is not. The system continues to operate, the ISM continues to be updated, the system itself continues to change, and the threat environment does not pause while the organisation gets comfortable with its authorisation. Maintaining IRAP posture between assessments means treating the period…
