Is IRAP a Certification?

No. There is no such thing as an IRAP certification. IRAP is an assessment, not a certification. An ASD endorsed IRAP assessor reviews a system against the Information Security Manual and reports its strengths, weaknesses and residual risks. There is no pass mark and no certificate. The consuming agency’s authorising officer decides whether to operate the system.

Is IRAP a certification?

No. This is the most common misunderstanding in the Australian government cloud market. There is no IRAP certificate, no pass mark, and no body that stamps a system as IRAP certified. An IRAP assessment is an independent, point in time review of a specific system against the controls in the Information Security Manual. The assessor records how each applicable control is implemented and what risk remains. That record is the product. Calling it a certification implies a binary pass that does not exist.

What does an IRAP assessor actually produce?

Two documents. The assessor produces an IRAP assessment report and a control matrix, the matrix being a derivative of the System Security Plan annex. Together they set out the system’s strengths, weaknesses and residual risks, and the implementation status of each applicable ISM control. An IRAP assessor does not accredit, certify, endorse or approve the system. They assess it and hand the evidence to the people who decide. For the detail, see what an IRAP assessment is and the report and control matrix.

If it is not a certification, who approves the system?

The authorising officer inside the consuming agency. Under the Protective Security Policy Framework, requirement 0086, the authorising officer weighs the residual risks in the IRAP report against the agency’s risk appetite and makes a risk based decision to operate. The assessor informs that decision. They do not make it. This is the line providers get wrong most often: an assessment in hand is not approval to process government data. Agencies have declined to operate systems that completed an IRAP assessment, because the residual risk was theirs to accept and they chose not to. See the authorisation package and whether you need IRAP at all.

Why does the IRAP certified label persist?

Because ASD once did certify. Until 2020 the program issued a form of certification, and the habit outlived the practice. ASD ceased certifying and moved to the current model, where the assessor reports and the agency authorises. Vendors and tender writers still reach for IRAP certified because it sounds definitive. The term has been wrong for years. An assessor who offers to certify your system is describing something that no longer exists.

What should you ask for instead?

Ask for the assessment, the classification, and the date. The useful question is not "are you IRAP certified?" but "has this system had an IRAP assessment, at what classification, and when?" Currency matters. Under PSPF requirement 0109, a cloud service provider must have had an IRAP assessment within the previous 24 months against the latest ISM at the time of assessment. Ask to see the assessment report and the control matrix, check that the classification matches your data, and check the date. A current report at the right classification is worth far more than the word certified. Start with the complete IRAP guide or talk to an IRAP assessment provider.

Certification versus IRAP assessment at a glance

| Aspect | A certification | An IRAP assessment |
|---|---|---|
| Outcome | A certificate and a pass result | A report and a control matrix, no pass mark |
| Who decides | The certifying body | The agency's authorising officer (PSPF 0086) |
| What it covers | Conformance to a standard | A specific system against the ISM at a set classification |
| Validity | A fixed certificate term | Point in time, reassess within 24 months for cloud providers (PSPF 0109) |
| The assessor's role | Grants or withholds the certificate | Reports strengths, weaknesses and residual risks, does not approve |

Frequently asked questions

Can a company be IRAP certified?

No. There is no IRAP certificate or pass mark. A company can have a system that has completed an IRAP assessment against the ISM at a given classification. IRAP certified is industry shorthand that the program itself does not support.

Did IRAP ever involve certification?

Yes. Until 2020 ASD operated a certification model. It ceased that practice and moved to the current model, where an IRAP assessor reports and the consuming agency’s authorising officer decides whether to operate the system.

Who makes the final decision to use the system?

The authorising officer within the consuming government agency, under PSPF requirement 0086. They weigh the residual risks in the IRAP report against the agency’s risk appetite. The assessor informs that decision but does not make it.

How current does an IRAP assessment need to be?

For cloud service providers, PSPF requirement 0109 expects an IRAP assessment within the previous 24 months against the latest ISM at the time of assessment. Ask for the assessment date and the classification, not a certificate.

Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.

Sources:

  1. Infosec Registered Assessors Program (IRAP), ASD, accessed June 2026
  2. Information Security Manual, ASD, June 2026
  3. IRAP Common Assessment Framework, ASD, April 2025
  4. Protective Security Policy Framework, requirements 0086 and 0109, accessed June 2026

Last updated: 21 June, 2026