If your organisation plans to supply services to the Australian Government – particularly cloud services – you may require an IRAP assessment.
The Information Security Registered Assessors Program (IRAP) is administered by the Australian Signals Directorate (ASD). It provides a formal framework for assessing whether an organisation’s systems and controls meet the requirements of the Australian Government Information Security Manual (ISM).
This guide explains:
- What IRAP is
- Who requires an IRAP assessment
- The assessment process
- Typical costs and timelines
- How to prepare successfully
What Is IRAP?
IRAP (Information Security Registered Assessors Program) is a framework that enables organisations to be assessed by an ASD-endorsed IRAP Assessor against the requirements of the Information Security Manual (ISM).
The ISM outlines mandatory and recommended security controls for Australian Government systems and suppliers.
An IRAP assessment:
- Evaluates your cyber security controls
- Reviews governance, risk, and compliance documentation
- Assesses technical and operational safeguards
- Produces a formal IRAP assessment report
Importantly, IRAP is not a certification. It is an independent security assessment that supports a government agency’s decision to authorise your system.
Who Needs an IRAP Assessment?
You may require IRAP if you are:
- A cloud service provider seeking to host government data
- A SaaS company supplying solutions to federal agencies
- An ICT provider managing government information
- A contractor handling PROTECTED or OFFICIAL: Sensitive data
IRAP is commonly required when:
- Applying for government procurement panels
- Seeking inclusion on the Digital Marketplace
- Hosting data within Australian Government environments
- Supporting Defence or critical infrastructure programmes
What Does an IRAP Assessment Cover?
An IRAP assessment evaluates alignment with the ISM controls, including:
Governance
- Security policies and procedures
- Risk management frameworks
- Incident response planning
- Third-party risk management
Technical Controls
- Network segmentation
- Encryption at rest and in transit
- Identity and access management
- Logging and monitoring
Operational Controls
- Patch management
- Vulnerability management
- Change control processes
- Personnel security
Assessments are conducted against a security classification level, such as:
- OFFICIAL
- PROTECTED
The required level depends on the sensitivity of information handled.
The IRAP Assessment Process
A structured IRAP engagement typically follows five phases:
1. Scoping
Define system boundaries, data classification, hosting environment, and ISM applicability.
2. Gap Analysis (Optional but Recommended)
Identify control deficiencies before the formal assessment.
3. Evidence Collection
Provide documentation, system configurations, architectural diagrams, and policies.
4. Assessment
An ASD-endorsed IRAP Assessor evaluates controls against ISM requirements.
5. Reporting
A detailed IRAP Assessment Report is produced for submission to the relevant government agency.
How Long Does an IRAP Assessment Take?
Timeframes vary based on complexity, but generally:
- Small environments: 4-8 weeks
- Complex cloud or hybrid environments: 8-16 weeks
Preparation time is often the largest factor affecting duration.
How Much Does an IRAP Assessment Cost in Australia?
Costs depend on:
- Scope and system complexity
- Hosting architecture (cloud vs on-premises)
- Classification level (OFFICIAL vs PROTECTED)
- Organisational maturity
A readiness assessment can reduce overall costs by preventing rework.
IRAP vs ISO 27001: What’s the Difference?
| IRAP | ISO 27001 |
|---|---|
| Australian Government framework | International standard |
| Based on ASD ISM controls | Based on Annex A controls |
| Assessment supports authorisation | Formal certification issued |
| Required for government supply | Recognised globally |
Many organisations pursue ISO 27001 first, then align to ISM for IRAP readiness.
Common IRAP Challenges
Organisations frequently struggle with:
- Incomplete system documentation
- Insufficient logging and monitoring
- Weak identity and access management
- Poor third-party risk oversight
- Lack of formalised governance controls
Engaging experienced IRAP consultants early reduces remediation time.
How to Prepare for an IRAP Assessment
To improve your likelihood of success:
- Conduct an ISM gap assessment
- Implement formal governance frameworks
- Harden cloud configurations
- Strengthen access controls
- Develop incident response testing procedures
- Ensure executive oversight of cyber security risk
Preparation significantly reduces delays and unexpected remediation costs.
Why Work with an Experienced IRAP Advisory Team?
IRAP assessments require technical rigour, documentation discipline, and strong governance alignment.
An experienced advisory partner can:
- Map ISM controls to your environment
- Conduct pre-assessment readiness reviews
- Support remediation programmes
- Liaise with IRAP Assessors
- Prepare executive reporting
This reduces risk, accelerates timelines, and improves assessment outcomes.
IRAP Assessment Services in Australia
If your organisation is planning to supply services to the Australian Government, early preparation is critical.
Professional IRAP assessment services help you:
- Accelerate government procurement
- Reduce compliance risk
- Strengthen your security posture
- Demonstrate trust and credibility
Book a confidential IRAP readiness consultation to understand your gap position and next steps.