Choosing an IRAP assessor starts with the ASD register of endorsed assessors, but the register is a starting point, not a selection criterion. All registered assessors meet ASD’s minimum bar. What varies is technical depth, familiarity with your environment, independence from your system, and availability.
Selecting the wrong assessor can affect the quality of the report, the credibility of the authorisation package, and the timeline of the entire engagement. An IRAP assessment is independent by design, so who runs it matters as much as how you prepare for it.
With classification confirmed and the obligation clear, Stackform, a SaaS product company, needed to engage an IRAP assessor. ASD does not recommend assessors to potential clients, and an assessor who had been involved in readiness work could not then conduct the assessment. The right assessor would have to be identified through due diligence, not referral.
Where do you start when choosing an IRAP assessor?
Start with the ASD register. ASD maintains a publicly available register of endorsed IRAP assessors on cyber.gov.au. An assessor not on the register is not endorsed and cannot conduct a valid IRAP assessment. This is the starting point, not the endpoint.
All assessors on the register have met ASD’s minimum endorsement requirements:
- Australian citizenship,
- a minimum Negative Vetting Level 1 security clearance,
- recognised qualifications across two certification categories,
- a minimum of five years of experience in information security roles using Australian security frameworks, and
- completion of the IRAP training course and a pass in all of its assessment components.

What should you look for beyond the register listing?
Meeting those minimum requirements does not mean every assessor is equally suited to every system. Experience varies significantly across system types, environments, and classification levels.
- Relevant technical experience. An IRAP assessment requires the assessor to evaluate technical controls across infrastructure, networking, identity, cryptography, and cloud architecture depending on the system in scope. Ask for examples of assessments conducted on systems similar in technology stack, architecture, and classification level to yours. General security consulting experience is not a substitute for hands-on assessment experience in the relevant environment.
- Familiarity with the operating environment. Cloud and SaaS assessments have specific scoping considerations that differ from on-premises systems. Where an assessor does not have a sound technical understanding of a component or technology within the assessed system, they must be supported by a security assessment team with the relevant expertise. Understanding whether a proposed assessor has that depth directly, or will need to build a team around gaps, affects timeline and cost.
- Independence. An IRAP assessor cannot have contributed to the design or implementation of the system being assessed. This includes drafting system documentation, conducting a gap assessment, providing design recommendations, or holding a material interest in the system. Permanent employees of an organisation cannot assess that organisation’s own systems. Confirm independence before engaging. An assessor involved in readiness work on the same system cannot then assess it as an IRAP assessor.
- Availability and timeline alignment. IRAP assessors operate as independent professionals or within consulting firms. Confirm the assessor can commit to the assessment within the required timeframe and ask how they handle ISM version changes if a quarterly release occurs mid-engagement.
- Team composition for complex systems. Multiple IRAP assessors may work on a single assessment. Where that is the case, each assessor must submit their own Assessment Record and Conflict of Interest declaration to ASD at least seven business days before the assessment begins, and each must sign off on the final report. Understand who leads the assessment and who supports it, and confirm the relevant experience of each team member.
| What to check | What to confirm |
|---|---|
| Technical experience | Hands-on assessments of systems with a similar stack, architecture and classification |
| Operating environment | Direct cloud and SaaS scoping depth, or a team that covers the gaps |
| Independence | No involvement in the system’s design, documentation, readiness or gap work |
| Availability | Commitment within your timeframe, and a clear approach to mid-engagement ISM changes |
| Team composition | Who leads and who supports, each with their own declaration and sign-off |
What does the conflict of interest declaration involve?
Before commencing any assessment, the IRAP assessor must submit a Conflict of Interest declaration to ASD via the ACSC Partner Portal at least seven business days before the assessment begins. This applies regardless of whether a conflict exists. ASD reviews the declaration and any proposed mitigations, and the assessment must not proceed if ASD determines those mitigations are insufficient.
If a conflict arises during the assessment, the assessor must update the declaration immediately. If a real conflict exists, the assessor must stop work until ASD has reviewed the updated declaration. Failure to declare is a breach of the IRAP Assessor Agreement and may result in revocation of endorsement.

Should you use a Request for Quote (RFQ)?
ASD’s IRAP Consumer Guide includes an RFQ template in Appendix A for engaging an IRAP assessor. It covers scope of work, assessor requirements, timeline, security clearance requirements, and submission format. Adapting it to the specific system being assessed gives the engagement a structured foundation and makes it easier to compare responses across assessors.
What will ASD do, and what will it not do?
ASD maintains the assessor register and governs the program. ASD will not recommend any specific IRAP assessor to potential clients and is not involved in commercial arrangements between assessors and their clients. Commercial disputes are outside the scope of the program. ASD’s role is quality assurance and program governance.
Stackform used the ASD register as the starting point, filtered for assessors with cloud and SaaS experience at OFFICIAL: Sensitive level, and issued a tailored RFQ based on the ASD template. The selected assessor had no prior involvement with Stackform’s systems, held the required clearance, and had assessed comparable SaaS platforms in the Australian Government market.
With an assessor engaged, the next step is defining precisely what the assessment will cover. We cover that in how to define the IRAP assessment boundary, and the full sequence in how the IRAP assessment process works. For the complete picture, see our complete guide to IRAP assessment, or talk to us about an independent IRAP assessment.
The names of the organisations and individuals have been changed to protect their privacy. The situations described are based on real patterns observed across Australian government and enterprise environments.
Frequently asked questions
ASD maintains a register of endorsed IRAP assessors on cyber.gov.au. Only assessors on the register hold active ASD endorsement. An assessor not on the register cannot conduct a valid IRAP assessment.
Yes. All registered assessors meet ASD’s minimum requirements, but experience varies significantly. Technical depth, familiarity with your system type, and independence from your environment all affect the quality and credibility of the final report.
An assessor cannot have contributed to the design, implementation, or documentation of the system being assessed. This includes gap assessments, design recommendations, and drafting system documentation. Permanent employees of an organisation cannot assess that organisation’s own systems. Material financial interests and corporate affiliations must also be declared.
ASD’s Consumer Guide includes an RFQ template in Appendix A. Using it gives the engagement a structured foundation and makes comparing assessors straightforward.
The assessor must update their Conflict of Interest declaration immediately. If a real conflict exists, they must stop work until ASD has reviewed the updated declaration and determined whether the assessment can continue.
Written by Gaurav Vikash, an ASD-endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC, is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Talk to us. We aren’t always chasing a transaction.
Sources:
- ASD IRAP Consumer Guide, July 2025
- IRAP Common Assessment Framework, April 2025
- IRAP Policy and Procedures, June 2026
- ASD register of IRAP Assessors, 2026
Last updated: 21 June 2026
