An IRAP assessment cost is driven by the data classification, the assessment boundary and the number of in scope ISM controls, your documentation maturity, system complexity, and the remediation you need before you are ready. The assessor fee is rarely the largest line. Readiness and remediation usually cost more.
The price is the first question most cloud and SaaS providers ask, and most pages answer it with a shrug. This article sits inside the complete IRAP guide. Here is a realistic view of what sets the figure, and the internal costs that rarely appear in a quote but always land in your budget. If you are not yet certain an assessment applies to you, start with whether you need IRAP.
What does an IRAP assessment actually cost?
There is no published price. ASD sets no fee and no rate card, and assessors scope each engagement on its own facts, so any single number you see online is someone else’s average, not your quote. Anchor on the wrong thing and the budget breaks. The assessor fee is only one of four cost centres: the readiness work before the assessment, the assessment itself, the remediation of whatever the assessor finds, and the reassessment that lands roughly every two years. For most systems the readiness and remediation cost more than the assessment. A provider with current documentation and closed gaps pays for a clean assessment. A provider who treats the assessor’s first visit as the start of the work pays for the assessment twice. The number that matters is the total across all four, not the day rate.
What drives the price of an IRAP assessment?
Five things move the total, and the day rate is not the strongest of them. The data classification sets the control baseline. The assessment boundary sets how many systems and ISM controls are in scope. Your documentation maturity decides how much the assessor has to chase. System complexity decides how long evidence takes to gather and test. Remediation, the work to close gaps, is the line that surprises budgets most, because it depends on what the assessment finds. One point catches providers out: a higher classification label does not automatically mean a higher price. Most of the ISM control set applies equally at OFFICIAL: Sensitive and PROTECTED; what PROTECTED adds is mainly physical, personnel and network obligations. SECRET adds further controls on top. A tight boundary at PROTECTED can cost less than a sprawling one at OFFICIAL: Sensitive.
| Cost driver | What pushes it up | What keeps it down |
|---|---|---|
| Classification | PROTECTED or SECRET, which add physical, personnel and network controls | OFFICIAL: Sensitive, which shares most of its ISM control set with PROTECTED |
| Boundary and in scope controls | A broad boundary pulling in more systems, integrations and controls | A tight boundary agreed before work begins |
| Documentation maturity | Missing or out of date SSP, SSP annex, SRMP and policies | Current documents the assessor can read on day one |
| System complexity | Many components, environments and shared services | A contained architecture with clear data flows |
| Remediation | Gaps found late and fixed under assessment time pressure | Gaps closed during readiness, before the assessor arrives |
Why is the assessor fee only part of the cost?
Because the assessor assesses. They do not write your System Security Plan, gather your evidence, or fix your gaps, and independence rules mean they should not. That work is yours, and it is where most of the money goes. Readiness alone runs about six to eight weeks for a moderately complex system (an indicative Cybernion figure), and it pulls in your engineers, your security lead and often a technical writer to bring the SSP, the SSP annex, the security risk management plan (SRMP) and the supporting policies up to date. Add your people's time during the assessment, the cost of any tooling or logging the ISM controls require, and remediation if the assessor records gaps. The assessment itself, indicatively twelve to sixteen weeks, sits between readiness and remediation in that sequence. Budget the assessor fee, then assume the surrounding work is the larger share.
How can you reduce the IRAP assessment cost?
Scope tight, prepare early, and fix gaps before the assessor arrives. A narrow, well defined boundary is the single biggest lever, because every system you pull in adds controls to test and evidence to produce. Get the documentation current first: an assessor who can read an accurate SSP annex and control matrix on day one spends less time chasing and more time assessing. Run a readiness review, close the obvious gaps, and you avoid paying assessment rates for findings you could have fixed cheaply in advance. Here is what an assessor quietly notes when they arrive: the providers who treat readiness as optional are the ones who end up paying for two assessments. Preparation is the cheapest money you spend on IRAP. Spend it before the clock starts, not after.
Is the IRAP assessment cost a one off or ongoing?
Ongoing. An IRAP assessment is point in time, against a defined boundary, on the day it is done. Cloud service providers must have been assessed within the previous 24 months under PSPF requirement 0109, so a reassessment lands roughly every two years. A material change to the system, such as a new component, a new integration or a shift in how data is handled, can force one sooner. The ISM also updates through the year, so the bar you are measured against moves. Treat IRAP as a recurring line, not a one off project. If you also sell to commercial buyers, weigh IRAP against ISO 27001, which certifies a management system rather than a single system. Cybernion scopes and conducts independent IRAP assessments itself, so the cost conversation starts with a defined boundary, not a guess.
Frequently asked questions
Is an IRAP assessment a one off cost?
No. An IRAP assessment is point in time. Cloud service providers must be reassessed within 24 months under PSPF requirement 0109, and a material change can trigger one sooner. Budget for the assessment, the readiness before it, and reassessment roughly every two years.
Does a higher classification mean a higher price?
Not the way most expect. Most of the ISM control set applies equally at OFFICIAL: Sensitive and PROTECTED; what PROTECTED adds is mainly physical, personnel and network obligations. SECRET adds further controls. The boundary and your readiness usually move the total more than the classification label.
Will the assessor fix the gaps they find?
No. An IRAP assessor assesses and reports against the ISM. They do not fix your gaps, and independence rules mean they should not. Remediation is your cost, and it is often the largest one when gaps are found late.
Can an assessor quote a fixed price?
Often yes, once the boundary and classification are set. A fixed price needs a defined scope, which is why scoping and a readiness review come first. Without them, any number is a guess.
Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- ASD, Infosec Registered Assessors Program (IRAP), 2026
- ASD, Using the Information Security Manual, June 2026
- ASD, Cloud assessment and authorisation, 2024
- Protective Security Policy Framework, requirement 0109, 2024
Last updated: 21 June, 2026
