
| Question | Answer |
|---|---|
| What is an IRAP assessment? | An IRAP assessment is an independent security review conducted by an ASD-accredited IRAP assessor. It evaluates a system against the ISM to support a Government entity’s decision to operate the system |
| Is IRAP a certification? | No. IRAP is not a certification or accreditation. It produces an independent report. The decision to accept risk and operate the system sits with the consuming Government entity |
| When is an IRAP assessment required? | When a system handles classified Australian Government data, or as part of Government procurement requirements |
| How often does IRAP need to be completed? | Typically every two years. Reassessment may be required earlier if there are material changes, determined by the system owner in consultation with stakeholders |
| What standards does IRAP assess against? | IRAP assessments are conducted against the Information Security Manual (ISM) published by the Australian Signals Directorate. OFFICIAL: Sensitive and PROTECTED classifications require the same ISM controls |
| If my cloud provider is IRAP assessed, do I still need one? | Yes. A provider's IRAP assessment (for example, Microsoft, Amazon Web Services, or Google Cloud) covers only the provider's infrastructure and services. Your configuration, application, and data controls built on top of it must still be assessed |
| Does ISO 27001 or SOC 2 replace IRAP? | No. These certifications help accelerate readiness and provide reusable evidence, but ISM control requirements must still be assessed independently |
| What does an IRAP assessment involve? | Review of architecture and scope, validation of control design and implementation, evidence assessment, targeted technical verification, and delivery of a formal IRAP report highlighting strengths and gaps of the system with reference to the relevant ISM requirements |
| How long does an IRAP assessment take? | Typically 12 to 16 weeks for a moderately complex system. Timelines depend on evidence readiness, clarity of scope, and stakeholder responsiveness |
| What drives delays in IRAP assessments? | Poorly defined scope, unclear shared responsibility, incomplete documents or evidence, and late architectural changes |
| Who owns the risk in IRAP? | The consuming Government entity owns the risk and makes the final authorisation decision. The assessor provides independent assessment, not approval |
| How is responsibility split across parties? | Security responsibility is shared across the cloud provider, service provider, and consuming entity. Clear articulation of this model is critical |
| What happens after the IRAP assessment? | The report informs a risk-based decision by the Government agency’s Authorising Officer. Ongoing compliance requires continuous monitoring, change management, and periodic reassessment |
| Can IRAP be accelerated? | Yes. Clear system boundaries, defined data classification, mature controls, and readily available evidence significantly reduce timelines |
| What makes an IRAP assessment “high quality”? | Clear articulation of control effectiveness, defensible evidence, realistic risk statements, and a report that stands up to Government scrutiny without rework |

Sources:
- ASD IRAP Consumer Guide, July 2025
- IRAP Common Assessment Framework, April 2025
- Australian Government Security Classification System and Requirement 0109, PSPF 2025
The names of the organisations and individuals have been changed to protect their privacy. The situations described are based on real patterns observed across Australian government and enterprise environments.
Last updated: 05 June, 2026
Cybernion has helped multiple organisations with IRAP readiness and assessments.
