The plan of action and milestones (POAM) is the document that converts assessment findings into managed work. It records what the assessment identified, what the organisation has decided to do about each finding, who owns it, and by when. Building a credible POAM after authorisation and maintaining it through the life of the system is how an organisation demonstrates that the risk it asked the authorising officer to accept is being actively managed, not parked.
Stackform’s journey
Authorisation had been granted. The agency’s CISO had signed the authorisation letter and Stackform’s platform was live for government data processing. The instinct of James Hartley, Stackform’s CISO, was to move on.
Cybernion’s advice was to treat authorisation as the start of the risk management cycle, not the end of it.
The assessment had produced findings. Some were remediated before submission. Several were not. The authorising officer had accepted the residual risk associated with those open items on the basis that Stackform’s POAM showed a credible path to resolution. That path now needed to be walked.
What the POAM is and what it is not
The IRAP Consumer Guide identifies the plan of action and milestones as a component of the authorisation package, to be included where findings remain open. Its purpose, as the Consumer Guide describes it, is to support the uplift of the system by detailing control recommendations as part of the organisation’s security program.
A POAM is not a spreadsheet of good intentions. It is the organisation’s formal commitment to the authorising officer on how it will address the gaps they accepted. The authorising officer took on accountability for the residual risk in part because they could see that commitment. If the POAM is not being worked, that accountability sits with no one in practice.
A POAM is also not static. It should be a living document, updated as remediation progresses, reviewed on a regular schedule, and used to inform the organisation’s view of its current risk exposure at any point in time.

What a well-formed POAM contains
A useful POAM contains the following for each open finding.
- Finding reference: The ISM control or CCM row the finding relates to, with enough description to identify it unambiguously without needing to cross-reference the full report.
- Finding description: A plain statement of what the gap is, drawn from the assessment report. Not a restatement of the ISM control, but a description of what was observed.
- Risk statement: The organisation’s own assessment of the likelihood and consequence of the finding being exploited or materialising, in the context of the system and its data. This is the risk rating the organisation applies, not the assessor’s.
- Mitigating controls: Any existing controls that reduce the likelihood or impact of the finding in the interim. These are what the organisation is relying on while the remediation is incomplete. They need to be real and verifiable, not aspirational.
- Remediation action: What the organisation will do to address the finding. Specific enough to be measurable. Not “improve access controls” but “implement privileged identity management with just-in-time access provisioning for all administrative roles.”
- Risk or action owner: The individual responsible for driving the remediation to completion. A team name is not an owner.
- Target completion date: A date the owner has committed to. Not a quarter. A date.
- Status: The current state of the remediation, one of not started, in progress, completed, or accepted as residual risk with documented rationale.
- Review date: The next scheduled review of this item. For open findings, monthly or quarterly depending on the severity of the risk.
Handling findings that will not be remediated
Not every finding in the POAM will be closed through remediation. Some findings reflect business or technical constraints that are not going to change within the system’s operational life. A legacy component that cannot be patched. A network design that cannot be changed without rebuilding the service. A physical security requirement that is not feasible in the current operating environment.
For these findings, the POAM documents the rationale for accepting the risk rather than remediating it, the mitigating controls in place, and the review date. Risk acceptance is a legitimate outcome. It needs to be explicit, owned, and reviewed periodically to confirm the rationale still holds.
For Stackform, one finding fell into this category. A specific control was not implemented due to a technical constraint in the SaaS architecture. The workaround was documented, the residual risk was described, and the item was marked as accepted with a six-month review date. The agency’s authorising officer had seen this in the POAM before granting authorisation.
Connecting the POAM to the CCM
The POAM draws its source material from the CCM. Every finding in the POAM should trace back to a specific row in the CCM. Keeping that linkage explicit means the POAM can be read alongside the CCM as a coherent picture of the system’s security posture and the work underway to improve it.
As remediations are completed, the CCM should be updated to reflect the new implementation status. This does not require a new assessment. It does require the organisation to maintain accurate records of what has changed and when, so the next assessment starts from a documented baseline rather than a reconstruction from memory.
The POAM as a risk management tool
The POAM is the most visible expression of how seriously an organisation treats the residual risks it has asked an authorising officer to accept. A POAM reviewed monthly, with current statuses, realistic dates, and documented decisions on accepted risks, tells a different story to the agency than a POAM last updated at the time of submission.
Consuming agencies will sometimes request an updated copy of the POAM as part of their own ongoing risk management. Being able to produce a current, well-maintained version on request is straightforward if the document has been kept alive. Reconstructing it under time pressure is not.
James treated the POAM as a standing agenda item in Stackform’s monthly security review. Each open finding was reviewed, status updated, and any change to the remediation path documented with a note. By the time the agency asked for an updated copy eight months after authorisation, the document was current and required no emergency work to prepare.

Frequently Asked Questions (FAQs)
What is a POAM in the IRAP context?
The plan of action and milestones is a document that records the open findings from an IRAP assessment, the remediation actions planned for each, who owns them, and the target completion dates. The IRAP Consumer Guide identifies it as a component of the authorisation package where findings remain open. It gives the authorising officer visibility of how the organisation intends to address the gaps it is asking them to accept.
Does every IRAP finding need to be in the POAM?
Every finding that was not fully remediated before the authorisation package was submitted should be in the POAM. Findings that are remediated during or before submission should be documented as closed with evidence. Findings that will not be remediated should be documented as accepted residual risks with a rationale and a review date.
Who owns the POAM?
The system owner or security lead is typically responsible for the POAM as a document. Individual findings should each have a named owner who is accountable for driving that specific remediation to completion. A finding owned by a team or a role without a named individual tends not to get done.
How often should the POAM be reviewed?
At minimum, quarterly. For open findings with near-term target dates or higher risk ratings, monthly review is more appropriate. The review should update status, confirm or revise target dates, and document any change to the remediation approach or risk acceptance rationale.
Can we close a finding in the POAM without a new IRAP assessment?
Yes. Remediating a finding and documenting the closure in the POAM does not require a new IRAP assessment. The organisation should maintain evidence that the remediation was completed, update the CCM to reflect the new implementation status, and record the closure in the POAM with a date and reference to the supporting evidence. The updated status will be verified if and when a new assessment occurs.
Sources:
- ASD IRAP Consumer Guide, July 2025
- IRAP Common Assessment Framework, April 2025
The names of the organisations and individuals have been changed to protect their privacy. The situations described are based on real patterns observed across Australian government and enterprise environments.
Last updated: 05 June, 2026
