IRAP is the Infosec Registered Assessors Program, run by the Australian Signals Directorate. An IRAP assessor independently assesses a system against the Information Security Manual and reports its strengths and weaknesses. It is an assessment, not a certification, and the agency makes the final decision to authorise the system.
What is an IRAP assessment, and is it a certification?
An IRAP assessment is an independent, point-in-time review of a specific system against the Information Security Manual, carried out by an ASD-endorsed assessor. It is not a certification. ASD stopped certifying systems in 2020, and there is no pass mark. The assessor records how each applicable ISM control is implemented and where the residual risks sit, and the consuming agency’s authorising officer makes the decision to operate the system under PSPF requirement 0086. A lot of people describe assessors as “ASD accredited”. They are endorsed. They assess and report; they do not approve, certify or authorise anything. For the full picture, read what an IRAP assessment is or the complete IRAP guide.
When do you need an IRAP assessment?
When outsourced IT or cloud services will store, process or communicate Australian Government information at OFFICIAL: Sensitive, PROTECTED or SECRET. PSPF Table 21 makes an IRAP assessment a precondition before an agency can put government data on the system. The trigger is the buyer and the classification of the data, not the size of your company. A startup selling a PROTECTED workload meets the same bar as a hyperscaler. If you are weighing this against a government deal, see whether you need IRAP to sell to government.
If your cloud provider is already IRAP assessed, do you still need one?
Yes. An IRAP assessment of Microsoft, Amazon Web Services or Google Cloud covers their infrastructure layer only. Under the shared responsibility model, your configuration, application logic and data handling sit above that line and are assessed separately. Inheriting a provider’s controls is not the same as having your own system assessed. This is where teams most often misjudge scope, and it is the gap an assessor looks for first.
How long does an IRAP assessment take, and what drives the timeline?
ASD publishes no fixed duration. The IRAP Common Assessment Framework defines the stages, not a number of weeks. As an indicative figure, Cybernion works to 12 to 16 weeks for a moderately complex system, with 6 to 8 weeks of readiness beforehand. Treat both as indicative. What actually moves the timeline is the classification, the assessment boundary, how mature your documentation is, and how much remediation surfaces along the way. Late architectural changes and unclear scope are the usual reasons an assessment runs long.
How often must IRAP be redone?
For cloud services, PSPF requirement 0109 expects an assessment within the previous 24 months, against the ISM current at the time of assessment. A report older than that is not automatically invalid, but the older it gets the less an agency can rely on it, so 24 months is the outer limit agencies work to, not a hard expiry. The clock runs from the assessment date, not from when an agency reads the report. Material change to the system triggers reassessment as well. Holding the line in between is its own work, covered in maintaining posture between assessments.
Does ISO 27001 or SOC 2 replace IRAP?
No. Neither substitutes for an IRAP assessment. ISO 27001 certifies a management system and SOC 2 reports on controls against the Trust Services Criteria. Both can give you reusable evidence and a head start on readiness, but the ISM controls still have to be assessed independently for Australian Government use. See IRAP vs ISO 27001 for where the two meet and where they do not.
IRAP assessment at a glance
| Aspect | Detail |
|---|---|
| What it is | An independent, point-in-time assessment of a system against the ISM |
| Who runs the program | The Australian Signals Directorate (ASD) |
| Who assesses | An ASD-endorsed IRAP assessor, independent of the system |
| Standard assessed against | The Information Security Manual (ISM) |
| Classifications | OFFICIAL: Sensitive, PROTECTED, SECRET |
| What you receive | The IRAP assessment report and the controls (cloud controls) matrix |
| Who decides | The consuming agency’s authorising officer (PSPF requirement 0086) |
| How current | Within 24 months for cloud (PSPF requirement 0109), plus on material change |
Frequently asked questions
Two documents: the IRAP assessment report, written for authorising officers and risk owners, and the controls matrix (the cloud controls matrix for cloud systems), written for the technical teams integrating the system. The matrix is a derivative of the System Security Plan annex.
Yes. The ISM control set is the same at both classifications. What changes between them is the physical security, personnel clearance and network obligations, not the control catalogue.
The consuming agency. Its authorising officer accepts the residual risk and makes the decision to operate. The assessor provides an independent assessment, not an approval.
Yes, through the parts within your control: a tight, well-defined boundary, confirmed data classification, mature controls, and evidence ready before the assessor starts. Preparation is the cheapest money you spend on IRAP.
Poorly defined scope, unclear shared responsibility, incomplete documentation or evidence, and architectural changes made during the assessment.
No. TOP SECRET systems are handled inside accredited government environments and assessed by ASD assessors or their delegates, not through the normal commercial cloud IRAP route.
The report and matrix go to the agency’s authorising officer, who makes a risk-based decision. Keeping that authorisation then depends on continuous monitoring, change management, and reassessment within 24 months.
Written by Gaurav Vikash, an ASD-endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC, is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- ASD IRAP Consumer Guide, July 2025
- IRAP Common Assessment Framework, April 2025
- Cloud assessment and authorisation, ASD, 2024
- Protective Security Policy Framework (Table 21 and requirement 0109), 2024
- Information Security Manual, June 2026
Last updated: 21 June, 2026
