Standardise
PricingSupportSign inGet started

IRAP Assessment Readiness

Learn about the Information Security Registered Assessors Program, who needs IRAP assessment, the ISM controls it covers, and how Standardise prepares you with a 27-item readiness checklist.

Overview

The Information Security Registered Assessors Program (IRAP) is managed by the Australian Signals Directorate (ASD) and provides a framework for assessing the security posture of ICT systems against Australian Government requirements. IRAP assessors are endorsed by ASD to independently evaluate whether an organisation's systems and controls meet the standards set out in the Information Security Manual (ISM), which is the Australian Government's primary cyber security framework.

An IRAP assessment is not a certification in itself but produces a security assessment report that government agencies use to make informed risk-based decisions about whether to authorise the use of a system for handling government data at a given classification level (OFFICIAL, OFFICIAL: Sensitive, or PROTECTED).

Who Needs IRAP Assessment?

IRAP assessment is relevant to any organisation that provides ICT services to Australian Government agencies or handles government data. Common scenarios include:

  • Cloud service providers seeking listing on the Certified Cloud Services List (CCSL) or the ASD Infosec Registered Services List
  • IT service providers hosting or managing systems that process, store, or transmit government data at OFFICIAL: Sensitive or PROTECTED classification
  • Government contractors and suppliers who handle government information as part of procurement contracts
  • Shared services and managed service providers used by government agencies for infrastructure, applications, or security operations

The Assessment Process

An IRAP assessment typically follows a structured multi-stage process:

  1. Scoping — Define the system boundary, data classification level, and applicable ISM controls. The scope determines which controls are in play and at what level they must be implemented.
  2. Gap analysis — A preliminary review identifies gaps between current controls and ISM requirements. This stage typically produces a remediation plan.
  3. Remediation — The organisation implements changes to address identified gaps before the formal assessment.
  4. Stage 1 assessment — The IRAP assessor reviews documentation, policies, procedures, and system architecture against ISM controls.
  5. Stage 2 assessment — The assessor conducts testing and validation to verify that controls are implemented and operating effectively.
  6. Security assessment report — The assessor produces a report with findings, residual risks, and a recommendation. The authorising agency uses this report to make an accreditation decision.

The Information Security Manual (ISM)

The ISM is maintained by ASD and defines hundreds of security controls across domains including governance, personnel security, physical security, ICT equipment and media, communications and IT infrastructure, access control, cryptography, cross-domain solutions, and security monitoring. Controls are categorised by classification level, and organisations must implement the controls relevant to their target classification.

The ISM is updated regularly (typically quarterly) to address emerging threats and evolving best practice. Organisations undergoing IRAP assessment must demonstrate compliance against the version of the ISM that is current at the time of assessment.

Relationship to ISO 27001

While the ISM and ISO 27001 are separate frameworks, there is significant overlap. An existing ISO 27001:2022 certified ISMS provides a strong foundation for IRAP assessment, as many ISM controls align with ISO 27001 Annex A controls. However, the ISM includes additional Australian Government-specific requirements (particularly around classification, cryptography, and personnel security) that go beyond ISO 27001. Organisations should treat ISO 27001 as a baseline and layer on ISM-specific controls where required.

How Standardise Helps

The AU Compliance Hub includes an IRAP Readiness tab with a 27-item checklist mapped to key ISM requirement categories. Standardise helps you prepare for IRAP assessment by providing:

  • A structured readiness checklist grouped by ISM category (governance, personnel security, physical security, communications, ICT security, access control, cryptography, and more)
  • Per-category progress bars showing the percentage of checklist items completed, so you can identify which areas need the most attention
  • Toggle-based item tracking — click any checklist item to mark it as completed, with the change recorded against your organisation and audit-logged
  • An overall readiness score across all 27 items, giving your organisation a clear picture of how prepared you are before engaging an IRAP assessor
  • Cross-references to your Statement of Applicability and ISO 27001 controls, highlighting where your existing ISMS work already satisfies ISM requirements

Related Articles

Australian Compliance
Essential Eight Maturity Model
Learn about the ACSC Essential Eight mitigation strategies, maturity levels 0-3, and how Standardise tracks your implementation progress per strategy.
ISMS Modules
Australian Compliance Hub
Track compliance with Australian Privacy Principles, Essential Eight maturity, Notifiable Data Breaches, and IRAP readiness — all in one place.
ISO 27001 Guide
The Certification Journey
Choosing a certification body, Stage 1 and Stage 2 audits, surveillance audits, recertification, and tips for success.
← Back to Help Center