IRAP readiness is the work you do before the assessor arrives, and this checklist covers it: confirm the classification and boundary, write the system documentation, and map evidence to each applicable ISM control. There is no pass mark to chase. Readiness exists to close the gaps an assessor would otherwise record as findings against you.
What does IRAP readiness actually involve?
An IRAP assessment is an independent, point in time review of a system against the Information Security Manual, run by an ASD endorsed assessor. Readiness is everything you do to be ready for that review. It is not the assessment, and it is not a certification you can pass. The assessor checks each applicable ISM control, records its implementation status, and writes that into the report and control matrix the authorising officer reads. Anything you have not documented or cannot evidence becomes a gap in writing. Readiness is the cheapest money you spend on IRAP. The organisations that skip it do not fail. They extend the timeline and hand the assessor a longer list of gaps to record.
What goes on the IRAP readiness checklist?
Readiness breaks into six areas: classification and scope, documentation, control implementation, evidence, people and access, and a pre assessment review. Work them in that order. Each one depends on the one before it. The complete IRAP guide sets the wider context; the table below is the working list.
| Area | What to confirm before the assessor starts |
|---|---|
| Classification and scope | The classification of the data is set by the agency that owns it and confirmed in writing. The assessment boundary is drawn and agreed. |
| Documentation | System Security Plan and SSP annex, Security Risk Management Plan, continuous monitoring plan, incident response plan, system design documents and current security policies, all written and current. |
| Control implementation | Each applicable ISM control implemented, or a decision recorded where it is not, with the residual risk owned by a named person. |
| Evidence | One piece of dated, system specific evidence mapped to each control, not a policy that says the control should exist. |
| People and access | The system, security and platform owners available for interviews, with read access arranged for the assessor. |
| Pre assessment review | A dry run against the ISM that finds the gaps while you can still fix them, rather than the assessor finding them for you. |
Which documents do you need before an IRAP assessment?
The assessor works from your documentation first. Thin documents are the most common reason a timeline slips. The core set is the System Security Plan and its annex, the Security Risk Management Plan, a continuous monitoring plan, an incident response plan, system design and architecture documents, and the security policies that govern the system. The SSP annex matters most. The control matrix the assessor produces is a derivative of it, so if the annex is incomplete or out of date the assessor rebuilds it with you, and that is time on the clock. Write these as living documents that match what the system actually does, not aspirational policy. An assessor can tell the difference in the first interview. There is more on this in how to prepare for an IRAP assessment.
How do you scope the system and confirm the classification?
Two decisions set the size of the whole assessment: the classification you are assessing to, and where the boundary sits. Get them wrong and everything downstream inflates. The classification of the information is set by the agency that owns the data, not the provider, so confirm it in writing before scoping and do not assume PROTECTED because a customer mentioned it. The ISM control set is the same at OFFICIAL: Sensitive and PROTECTED. What changes are the physical security, personnel clearance and network obligations, and SECRET adds further requirements again. The assessment boundary is the set of systems, people, processes and technologies in scope. A tight boundary keeps the control count and the cost down. A broad one inflates both. Draw it deliberately, exclude what genuinely sits outside, and document the interfaces where data crosses it.
How do you gather evidence the assessor will accept?
A policy that says a control exists is not evidence the control works. For each applicable ISM control the assessor wants to see the control operating: a screenshot of the multi factor configuration, an export of patch status, a sample of access logs, a change record, a backup restoration test result. Map one clear artefact to each control before the assessment starts, dated and labelled. Where a control is not implemented, do not hide it. Record the decision and who owns the residual risk. Honest gaps are easier for an assessor to work with than evidence that does not match what the system does. The fastest assessments are the ones where the evidence is already mapped and the assessor spends the time confirming, not chasing.
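The mapping step above is easy to get wrong at scale: a control with an artefact from the wrong environment, an artefact older than the assessment window, or an unimplemented control with no named owner all surface as findings. The following is an added example of the kind of check to run over an evidence register before the pre assessment review. It is not code from the page, from Cybernion or from ASD; the control identifiers (C-01 and so on), system names, artefacts and dates are constructed placeholders, not ISM control numbers, and the 90 day freshness limit is an assumption you should set to your own evidence window.

```python
"""Check an IRAP evidence register against the applicable control list.

Added illustration. Control IDs, system names, artefacts and dates below are
constructed placeholders, not ISM control numbers or any project's own data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Control:
    control_id: str          # placeholder identifier, not a real ISM number
    implemented: bool
    risk_owner: str = ""     # named owner is required where not implemented


@dataclass(frozen=True)
class Artefact:
    control_id: str
    description: str
    system: str              # the in-scope system the artefact was taken from
    captured: date           # date the artefact was captured


def review_register(controls, artefacts, system, as_at, max_age_days=90):
    """Return {control_id: [problem, ...]} for every control an assessor would
    record as a gap: implemented controls with no dated, system specific
    artefact, and unimplemented controls with no named risk owner.

    Artefacts mapped to controls that are not in the annex are listed under
    the key "_orphan" so scoping mistakes show up as well.
    """
    wanted = {c.control_id for c in controls}
    by_control = {}
    for a in artefacts:
        by_control.setdefault(a.control_id, []).append(a)

    findings = {}
    for c in controls:
        problems = []
        if c.implemented:
            arts = by_control.get(c.control_id, [])
            from_system = [a for a in arts if a.system == system]
            if not arts:
                problems.append("no artefact mapped")
            elif not from_system:
                # A screenshot from a sandbox does not evidence production.
                problems.append("no artefact from the in-scope system")
            else:
                age = min((as_at - a.captured).days for a in from_system)
                if age > max_age_days:
                    problems.append(
                        f"newest system specific artefact is {age} days old, "
                        f"limit is {max_age_days}"
                    )
        elif not c.risk_owner.strip():
            # Honest gaps are fine; unowned gaps are not.
            problems.append("not implemented and no named risk owner recorded")
        if problems:
            findings[c.control_id] = problems

    orphans = sorted(set(by_control) - wanted)
    if orphans:
        findings["_orphan"] = orphans
    return findings


# Constructed sample register (placeholder IDs, not ISM control numbers).
AS_AT = date(2026, 6, 21)
SAMPLE_CONTROLS = [
    Control("C-01", implemented=True),   # e.g. MFA for privileged users
    Control("C-02", implemented=True),   # e.g. application patching
    Control("C-03", implemented=True),   # e.g. backup restoration testing
    Control("C-04", implemented=False, risk_owner="Jane Citizen, System Owner"),
    Control("C-05", implemented=False),  # no owner recorded: this is a gap
]
SAMPLE_ARTEFACTS = [
    Artefact("C-01", "IdP MFA policy screenshot", "payroll-prod", date(2026, 6, 2)),
    Artefact("C-02", "patch compliance export", "dev-sandbox", date(2026, 6, 10)),
    Artefact("C-03", "restore test report", "payroll-prod", date(2025, 11, 3)),
    Artefact("C-09", "firewall rule export", "payroll-prod", date(2026, 6, 1)),
]


if __name__ == "__main__":
    for control_id, problems in review_register(
        SAMPLE_CONTROLS, SAMPLE_ARTEFACTS, "payroll-prod", AS_AT
    ).items():
        print(control_id, "->", "; ".join(problems))
```

Run against the constructed register it reports C-02 (evidence from the wrong system), C-03 (stale artefact), C-05 (unowned gap) and an orphan artefact for C-09, while C-01 and C-04 pass. The point is that the register is checked against the annex, not the other way round: every applicable control must resolve to one current artefact from the system in scope, and anything mapped to a control outside the boundary is a scoping error to fix before the assessor sees it.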
How long does readiness take, and when should you start?
Allow six to eight weeks for readiness on a moderately complex system, and start it before you book the assessment, not after. There is no fixed duration published by ASD. The IRAP Common Assessment Framework defines the stages, not the weeks, and the real driver is how mature your documentation and evidence already are. Cybernion’s indicative figure is six to eight weeks of readiness ahead of an assessment that itself runs around 12 to 16 weeks for a moderately complex system. Treat both as indicative, not a quote. Start early enough that remediation has somewhere to land. If you are a cloud provider, build the cadence in. Under PSPF requirement 0109 your system must have been IRAP assessed within the previous 24 months against the latest ISM, so readiness is recurring work, not a one off.
Frequently asked questions
Is IRAP readiness the same as the IRAP assessment?
No. Readiness is the preparation you do beforehand: documentation, control implementation and evidence. The assessment is the independent review against the ISM by an ASD endorsed assessor. Readiness is not assessed and carries no pass mark.
Does readiness have to be done by an IRAP assessor?
No. Readiness can be done in house or with an advisor, and it does not have to be the firm that later assesses the system. An assessor must stay independent of the system they assess, so using the same firm for deep remediation and the assessment creates a conflict to manage.
Which classification do you prepare for?
The one the agency that owns the data sets, confirmed in writing. The ISM control set is the same at OFFICIAL: Sensitive and PROTECTED; the physical, personnel and network obligations differ, and SECRET adds more again.
Does readiness carry over to the next assessment?
Yes, if you maintain it. Cloud providers must be reassessed within 24 months under PSPF requirement 0109, so keeping documentation and evidence current between assessments turns the next readiness into an update, not a rebuild.
Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- Infosec Registered Assessors Program (IRAP), ASD, accessed June 2026
- Information Security Manual, ASD, June 2026
- IRAP Common Assessment Framework, ASD, April 2025
- Protective Security Policy Framework, requirements 0086 and 0109, accessed June 2026
Last updated: 21 June, 2026
