IRAP Assessments
Independent assessments against the Australian Government Information Security Manual. Conducted by ASD Endorsed IRAP assessors.
What is an IRAP assessment?
An Information Security Registered Assessors Program (IRAP) assessment is an independent security review of an information system against the requirements of the Australian Government Information Security Manual (ISM). It is conducted by an assessor endorsed by the Australian Signals Directorate (ASD).
Government agencies use IRAP assessments to support their decision to authorise a system or cloud service. Cloud service providers seeking to handle government information at OFFICIAL or PROTECTED classification levels typically need an IRAP assessment before agencies will engage them.
An IRAP assessment is not a certification or accreditation. It produces an independent report that the consuming agency uses to make an informed risk acceptance decision.
Who needs an IRAP assessment?
- Commonwealth and state agencies are required to assess systems handling Australian Government information. IRAP assessments are often required before an agency can authorise a new system or a significant change to an existing one.
- Technology companies handling government data at OFFICIAL: Sensitive, PROTECTED or SECRET levels are typically required to have an IRAP assessment before an agency will grant access. This includes SaaS platforms, infrastructure providers, and managed service providers seeking government contracts.
Who conducts the assessment?
Gaurav Vikash is an ASD Endorsed IRAP Assessor, one of a limited number of independent assessors on the ASD register. All assessments are conducted personally by Gaurav, not delegated to junior staff.
How does the assessment work?
- Phase 1: Scoping and planning. Agreement on system boundary, classification level, assessment methodology, and evidence requirements.
- Phase 2: Evidence collection. Review of architecture documentation, security controls, policies, and configuration evidence against ISM requirements.
- Phase 3: Assessment and testing. Verification of controls through documentation review, interviews and, where applicable, technical testing.
- Phase 4: Reporting. Delivery of the IRAP assessment report including findings, risk ratings, and recommendations. Findings briefing with your team.
- Phase 5: Agency submission support. Assistance preparing the assessment package for submission to the authorising agency or for inclusion in a cloud services panel application.
What you receive
- Cloud Security Controls Matrix (CSCM): A structured matrix mapping the relevant ISM requirements to the deployed security controls. The matrix indicates the implementation status of each control and references the supporting evidence reviewed during the assessment. It is designed to support you in making informed decisions and to serve as a reference for future IRAP assessments.
- IRAP Assessment Report: A formal assessment report in accordance with the Australian Signals Directorate (ASD) IRAP requirements, documenting:
  - The solution's authorisation boundary
  - Relevant ISM controls assessed
  - Implementation status of each assessed control
  - Findings and observations
  - Recommendations for risk treatment or security strengthening
Timeline
Typically 12 to 16 weeks for a moderately complex system. Timelines depend on evidence readiness, clarity of scope, and stakeholder availability.
How often does IRAP need to be completed?
Typically every two years. Reassessment may be required earlier if there are material changes to the system, determined by the system owner in consultation with the authorising agency.
If my cloud provider is IRAP assessed, do I still need one?
Yes. The IRAP assessments held by providers such as Microsoft Azure, Amazon Web Services, and Google Cloud cover only the provider's own infrastructure. Your configuration, application logic, and data handling controls must still be assessed separately.
Pricing
IRAP assessments are priced based on system complexity, classification level, and evidence readiness. Contact us to discuss your scope and we will respond with a proposal within one business day.
Based in Australia. Available Globally.
Listed on BuyICT and selected Australian government procurement panels, including NSW SCM0020.
Our practitioners bring senior CISO experience across SMBs, Government, education, healthcare, not-for-profit, financial services, and technology. Every engagement is led by an experienced practitioner from scoping through to delivery.
Talk to Our Experts
We provide a large range of security services.
Reach out to us for a no obligation confidential conversation.