How to Prepare for an IRAP Assessment

Everything you need to know about the Information Security Registered Assessors Program (IRAP), ISM controls, mapping to ISO 27001, and preparing for your assessment.

11 min read. Published 2026-04-22

What is IRAP?

The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) initiative that allows qualified assessors to evaluate an organisation’s security posture against the Australian Government Information Security Manual (ISM). IRAP assessment is required for organisations seeking to store, process, or transmit government data classified at OFFICIAL, OFFICIAL: Sensitive, PROTECTED, or above.

An IRAP assessment is not a certification — it’s an independent evaluation that government agencies use to make informed risk decisions about engaging a service provider.

Who needs an IRAP assessment?

  • Cloud service providers — If you want to be listed on the ASD’s Certified Cloud Services List (CCSL) or the Infosec Registered Assessors Program Cloud Services List.
  • Government contractors — If you handle government data above OFFICIAL classification.
  • SaaS vendors — Selling to Commonwealth, state, or territory government agencies increasingly requires IRAP assessment or equivalent.
  • Defence industry — Organisations in the defence supply chain often need IRAP assessment to meet DISP (Defence Industry Security Program) requirements.

The ISM control framework

The Information Security Manual (ISM) is the ASD’s comprehensive framework for protecting government information. It contains over 800 controls organised into categories including:

  • Cyber security roles and responsibilities
  • Cyber security incidents and reporting
  • System hardening and configuration
  • Access control and authentication
  • Network security and segmentation
  • Cryptography and key management
  • Gateway security and web filtering
  • Data transfers and media management
  • Email security and web content filtering
  • Physical security controls

Not all ISM controls apply to every organisation. The applicable controls depend on the classification of data being handled and the type of system being assessed.

The assessment process

  1. Scope definition — Define the system boundary, data classification levels, and which ISM controls are applicable. Document the system architecture, data flows, and integration points.
  2. Gap analysis — Assess current security controls against the applicable ISM requirements. Identify gaps and create a remediation plan.
  3. Remediation — Implement missing controls, update documentation, and collect evidence. This is typically the longest phase.
  4. Engage an IRAP assessor — IRAP assessors are ASD-endorsed security professionals. Engage one early — they can provide pre-assessment guidance.
  5. Stage 1 assessment — The assessor reviews documentation, policies, and procedures. They identify any remaining gaps.
  6. Stage 2 assessment — The assessor tests controls, reviews evidence, interviews staff, and evaluates the effectiveness of your security implementation.
  7. Security Assessment Report — The assessor produces a report documenting findings, residual risks, and a recommendation. This report is provided to government agencies to support their risk decision.

Mapping IRAP to ISO 27001

ISO 27001 provides an excellent foundation for IRAP assessment. Many ISM controls have direct equivalents in Annex A:

  • Access control (ISM) → A.5.15, A.8.2, A.8.3 (access control policies, privileged access)
  • System hardening (ISM) → A.8.9 (configuration management), A.8.19 (software installation)
  • Incident management (ISM) → A.5.24–28 (incident management, response, learning)
  • Cryptography (ISM) → A.8.24 (use of cryptography)
  • Personnel security (ISM) → A.6.1–6 (screening, terms, awareness, disciplinary)

If you already have ISO 27001 certification, an IRAP assessment builds on that foundation. You’ll need to address ISM-specific controls (particularly around system hardening and government classification handling) but won’t start from scratch.

Costs and timeline

  • Assessment fees — $50,000–$200,000+ depending on scope, classification level, and system complexity.
  • Timeline — 3–12 months from gap analysis to completed assessment, depending on readiness.
  • Ongoing — Reassessment typically every 1–2 years, or when significant changes occur.

How Standardise helps

Standardise includes an IRAP readiness module with 27 checklist items mapped to ISM control categories. Track your preparation status, document evidence against each requirement, and use the Essential Eight module to demonstrate compliance with ASD’s baseline strategies. Your ISO 27001 SoA and risk register serve as foundational evidence for the IRAP assessment.
