The Complete Guide to IRAP Assessments in Australia (2026)

Pratyush Sood, ASD-endorsed IRAP Assessor | Updated May 2026 | 18 min read

In a hurry?

Quick answers below — the full guide unpacks each one.

What is IRAP?
An independent security assessment of an ICT system against the Australian Government Information Security Manual (ISM), conducted by an ASD-endorsed assessor.
Who needs one?
Any vendor selling SaaS, PaaS, IaaS, managed services, or integrations to the Australian Government, especially at OFFICIAL or above.
How long does it take?
Typically 8–24 weeks, depending on classification level and documentation maturity.
How much does it cost?
$40K–$70K for simple OFFICIAL, $120K–$250K+ for PROTECTED, more for SECRET.
Is it the same as ISO 27001 or SOC 2?
No. They are complementary but not substitutes.
Where do I start?
Book a free 15-minute IRAP readiness call.

For technology vendors chasing Australian Government work, the words "current IRAP assessment" appear somewhere between page 11 and 14 of nearly every procurement document. By the time they are read, the timeline has usually already become a problem.

A SaaS rollout promised in eight weeks runs into an assessment that takes ten to fourteen. An incumbent assessor goes quiet. A competitor lists on the ASD Certified Cloud Services List, and prospects begin to ask why the vendor does not.

This guide explains what an IRAP assessment actually involves — scope, process, cost, timeline — and the avoidable mistakes Tech Blaze sees vendors make every week. Read it before scoping an engagement. It will save somewhere between a fortnight and three months.

1. The IRAP content hub

This page is the IRAP cluster pillar. The map below shows where every supporting article fits — read in any order, though most procurement leads work top-to-bottom.

Cluster map (diagram): IRAP Pillar Page (this guide); Preparing for Your First IRAP Assessment (checklist); Cloud IRAP vs Pentest (when to use each); Essential Eight ML3 (what 'good' looks like); E8 + CIRMP (control mapping); SOCI Act CIRMP (2026 deadlines); DISP Membership (L1 vs L2); coming: ISM and PSPF pillars.

Topic | Where it lives | Best for
What IRAP is, who needs it, the full process | This page | Vendors orienting from zero
Tactical preparation checklist | Preparing for Your First IRAP Assessment | Teams ~3 months from kickoff
When IRAP is the right tool (vs. pentest) | Cloud IRAP vs Pentest | Cloud providers comparing paths
Essential Eight Maturity Level 3 deep dive | What 'Good' Looks Like at ML3 | Agencies and vendors targeting ML3
E8 + CIRMP control mapping | Essential Eight & CIRMP Mapping | Critical infrastructure operators
SOCI Act + CIRMP deadlines for 2026 | SOCI Act CIRMP 2026 | Responsible entities
Defence supply chain entry | DISP Membership: Level 1 vs 2 | Defence prime/sub contractors

Aggregate cluster search demand sits at roughly 1,500–2,500 queries per month across Australia. The tactical checklist is the highest-conversion supporting page; the cloud-vs-pentest piece settles a question that comes up on roughly every second discovery call.

2. What is an IRAP assessment?

The Information Security Registered Assessors Program (IRAP) is the framework the Australian Signals Directorate (ASD) uses to evaluate the security of ICT systems against the Australian Government Information Security Manual (ISM) — the prescriptive cybersecurity control set for federal systems.

An IRAP assessment is an independent technical and procedural review conducted by an ASD-endorsed assessor. The assessor examines the architecture, policies, technical controls, and operational evidence of a system against the ISM controls applicable to its target classification level.

The output is the IRAP Assessment Report — the document the sponsoring agency uses to decide whether to grant the system an Authority to Operate (ATO) or formal accreditation.

Roles (diagram): ASD governs the framework and endorses and lists assessors; the IRAP assessor examines the vendor system (the subject of the assessment) and delivers the report; the sponsoring agency authorises the system (ATO).

Key point: IRAP assessors do not grant accreditation. They provide independent evidence. The sponsoring agency makes the authorisation decision.

Why IRAP exists

The Australian Government processes very large volumes of sensitive data — citizen records, defence-supplier information, intelligence material, national security records. IRAP exists so each agency does not have to build its own assessment capability from scratch. Without it, every department would either over-invest in in-house assessors or under-invest and accept invisible risk. Neither scales.

What "ASD-endorsed" actually means

To be ASD-endorsed, an assessor must be an Australian citizen, hold an appropriate security clearance, complete ASD's training and competency requirements, and remain on the public IRAP assessor register. The register is public — any procurement team can verify any assessor in 30 seconds. If an assessor is not on the register, the assessment is not an IRAP assessment.

3. Who needs an IRAP assessment?

An IRAP assessment is mandatory or near-mandatory for any organisation in the following categories:

  • Cloud service providers (CSPs) seeking listing on the ASD Certified Cloud Services List (CCSL) or under the Cloud Assessment and Authorisation framework
  • Software vendors selling SaaS, PaaS, or IaaS to Commonwealth, state, or territory agencies
  • Systems integrators deploying solutions into government environments
  • Managed service providers (MSPs) operating or co-managing government infrastructure
  • Telecommunications providers delivering carriage services to government entities
  • Any organisation storing, processing, or transmitting government data classified at OFFICIAL, PROTECTED, or above

Even where the contract does not explicitly require IRAP, most agency procurement teams now expect to see a current IRAP report during due diligence. Bringing one to the table — rather than committing to deliver one inside the contract window — is a measurable competitive advantage. Tech Blaze sees vendors win deals on this routinely.

State and territory government

While IRAP is a Commonwealth framework, most state and territory governments recognise IRAP reports in their own procurement. An assessment against ISM controls is broadly accepted across jurisdictions, which makes it the most portable security credential in Australia. NSW Cyber Security Policy, the Victorian Protective Data Security Standards, and the Queensland IS18 Information Security Policy all leverage ISM controls in some form.

When an IRAP assessment is not needed

IRAP is not required for vendors selling exclusively to private-sector enterprise clients, or to non-Australian governments. The common substitutes — SOC 2 Type II and ISO 27001 — are both useful for those audiences, but neither is sufficient for Australian Government work. The full comparison appears in section 8.

4. The IRAP assessment process, stage by stage

After dozens of engagements, the process is predictable. The diagram below shows the five stages. Detail follows.

Stages (diagram): Stage 1, Scoping (1–2 weeks); Stage 2, Documentation (2–4 weeks); Stage 3, Technical assessment (2–4 weeks); Stage 4, Reporting (2–3 weeks); Stage 5, Remediation (variable).

Stage 1: Scoping and engagement (1–2 weeks)

The most important phase, and the one most often rushed. The assessor and the vendor define:

  • System boundary — exactly which components, networks, data flows, and third-party integrations are in scope
  • Classification level — OFFICIAL, PROTECTED, or SECRET (this determines which ISM controls apply)
  • Assessment type — initial, reassessment, or delta
  • Documentation requirements — what artefacts the vendor needs to prepare
  • Inherited controls — what comes from the underlying cloud platform versus what must be demonstrated by the system owner

A tight scope saves everyone money. Loose scope is the single biggest reason assessments blow out their budget. One healthtech vendor lost six weeks because their "system" quietly included a corporate identity provider that had never been in scope. Mapping every dependency in the first week prevents this class of failure.

Stage 2: Documentation review (2–4 weeks)

The assessor reviews security documentation against the applicable ISM controls. The artefacts that matter most:

  • System Security Plan (SSP) — the central artefact
  • Security Risk Management Plan (SRMP)
  • Standard Operating Procedures (SOPs) for patching, incident response, access management, change management
  • Incident Response Plan (IRP) and evidence of exercising it
  • Business continuity and disaster recovery plans
  • Network and data flow diagrams that match the live environment
  • Asset register
  • Previous assessment reports, where applicable

This phase typically surfaces 60–70% of all findings. Most vendors significantly underestimate the documentation lift. For organisations that have never written an SSP, six to eight weeks before the assessor starts is a realistic preparation window.

Stage 3: Technical assessment (2–4 weeks)

Hands-on validation that technical controls match documentation. Activities include:

  • Configuration reviews (operating systems, databases, network devices, cloud services)
  • Vulnerability scanning and analysis
  • Identity and access management reviews
  • Encryption implementation review (data at rest, in transit, in use)
  • Logging and monitoring validation
  • Gateway and boundary protection review
  • MFA verification on every privileged path

For vendors uncertain how this differs from a penetration test, Cloud IRAP vs Pentest explains the distinction. Short version: pentests find exploitable vulnerabilities; IRAP assesses whether the entire control set is in place and operating.

Stage 4: Reporting (2–3 weeks)

The assessor compiles findings into the formal IRAP Assessment Report:

  • Executive summary with overall risk posture
  • Detailed control-by-control assessment against applicable ISM controls
  • Findings classified by severity (Critical, High, Medium, Low)
  • Remediation recommendations with practical guidance
  • Residual risk statement

Stage 5: Remediation support (variable)

Not technically part of the assessment, but Tech Blaze includes it in every engagement. The vendor addresses findings, provides evidence of remediation, and the assessor verifies. Most systems iterate two or three times before the report stands clean for sign-off. This is normal — what is not normal is paying twice for the same finding because no one tracked the closure evidence.

5. IRAP scope and classification levels

The ISM defines classification levels, and the level a system targets determines the breadth and depth of controls that apply.

Summary (diagram): OFFICIAL: 200–300 ISM controls, most cloud/SaaS, the baseline. PROTECTED: 400–500+ controls, Australian data sovereignty, where most serious government vendors sit. SECRET and above: national security, TEMPEST, limited assessor pool.

OFFICIAL

  • Baseline classification for most government information
  • Typically 200–300 applicable ISM controls
  • Most common level for commercial cloud services and SaaS
  • Suitable for non-sensitive but still-protected information

PROTECTED

  • For information where compromise could cause damage to national security, government operations, or individuals
  • 400–500+ applicable controls
  • Enhanced encryption (frequently ASD-approved cryptographic solutions)
  • Stricter personnel security requirements
  • Mandatory Australian data sovereignty
  • Where most serious government vendors target

SECRET and above

  • For information where compromise could cause serious or exceptionally grave damage to national security
  • Highly restricted scope; involves additional ASD engagement
  • Requires assessors with appropriate higher-level clearance
  • Physical security, TEMPEST, and emanation security in scope
  • Limited pool of qualified assessors in Australia

Practical advice: Do not over-scope. If a system handles only OFFICIAL data, do not assess at PROTECTED because it sounds more impressive. The marginal controls add cost and timeline without commercial return.

6. How to prepare for an IRAP assessment

Preparation is the single biggest determinant of whether an assessment runs smoothly. The longer tactical version of this checklist — with evidence formats and tooling guidance — lives at Preparing for Your First IRAP Assessment.

Documentation (start 3–6 months out)

  • Draft or update the System Security Plan — the most critical artefact
  • Create accurate network and data flow diagrams (matching the live environment, not last year's architecture)
  • Document the security risk register with current treatments
  • Prepare SOPs for patching, incident response, access management, change management
  • Compile a complete asset register

Technical readiness

  • Run an internal vulnerability assessment and remediate Critical and High findings
  • Verify MFA on every administrative and privileged account
  • Confirm encryption standards meet ISM (TLS 1.2 minimum, 1.3 preferred; AES-256 at rest)
  • Review logging and monitoring — centralised, retained, actively triaged
  • Validate backup and recovery with a recent test restore (with documentation)

Organisational readiness

  • Assign a dedicated project lead to coordinate the assessment
  • Make sure key personnel are available for interviews and walkthroughs
  • Brief dev and ops teams so they are not surprised
  • Run a tabletop incident response exercise within the last 12 months — and keep the artefacts

Quick reference: preparation effort by maturity

Starting maturity | Documentation effort | Technical effort | Total runway
ISO 27001 certified, mature ops | 4–6 weeks | 2–3 weeks | ~10 weeks
Some security documentation, ad-hoc ops | 8–12 weeks | 4–6 weeks | ~16 weeks
Greenfield / no formal program | 16–24 weeks | 8–12 weeks | ~6 months

Thinking about IRAP and not sure where to start?

Free 15-minute readiness call. Bring an architecture diagram, the target classification, and the timeline. Tech Blaze will tell you what is realistic, where the engagement is most likely to struggle, and what the cost should be.

Book the call

7. Common IRAP failures and how to avoid them

The same patterns repeat across vendors, sectors, and classification levels. The list below covers the failures that delay the highest number of assessments.

1. Documentation that describes a system from two releases ago

The problem: SSPs treated as box-ticking exercises. The diagram and the live network have not matched in eighteen months.

The fix: Treat the SSP as a living document. Update it on every significant architectural change. Documentation that does not match the live environment gets flagged — and that creates additional work for everyone.

2. Scope creep from shared services

The problem: A platform leans on a corporate identity provider, a shared SIEM, and a third-party payment gateway. None were named in the original scope.

The fix: Map every dependency during scoping. If a shared service is in scope, the vendor either assesses it, obtains an existing assessment for it, or documents it explicitly as an inherited control with accepted residual risk.

3. Logging and monitoring on paper only

The problem: Logs are collected, but no one watches them. Or critical systems are not logging at all.

The fix: Implement centralised log management before the assessment. The vendor must demonstrate that alerts are triaged and acted upon, not just collected.

4. Privileged access that has not seen MFA

The problem: Shared admin accounts. No MFA on privileged paths. Standing privileges that survived two staff departures.

The fix: Just-in-time privileged access, MFA on every privileged account, auditable session records. Non-negotiable at PROTECTED and above.

5. Personnel security treated as paperwork

The problem: Staff with access to government data have not been appropriately vetted.

The fix: Build clearance sponsorship into hiring. AGSVA timelines are not fast — start early. Personnel without appropriate clearance cannot access systems above their authorised level.

6. No evidence of operational practice

The problem: A beautifully written incident response plan that has never been tested. A patching policy that says 48 hours for criticals, with no evidence the cadence has been met.

The fix: Document everything. Patch deployments, IR exercises, access reviews, change approvals. Evidence converts a policy into a demonstrable control. Without evidence, the assessor is being asked to take the vendor's word for it — and the ISM does not take the vendor's word for it.
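The technical readiness checklist in section 6 and failure 6 above both come down to the same question: does dated evidence back each control claim? The script below is an added example, not Tech Blaze's or ASD's tooling: it runs the guide's thresholds (MFA on every privileged account, TLS 1.2 minimum, AES-256 at rest, central logging, a tabletop within 12 months, the 48-hour critical patch SLA) over a constructed evidence register and returns findings in the report's severity bands. The register format, the 12-month restore-test window and the severity per gap are assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Thresholds from the guide: TLS 1.2 minimum, AES-256 at rest, MFA on every
# privileged account, an IR tabletop within 12 months, and the 48-hour critical
# patch SLA quoted in failure 6. The restore-test window and the severity given
# to each gap are assumptions, not ISM text.
TLS_MIN = (1, 2)
APPROVED_AT_REST = {"AES-256"}
EVIDENCE_MAX_AGE = timedelta(days=365)
CRITICAL_PATCH_SLA = timedelta(hours=48)
TODAY = date(2026, 5, 1)  # constructed reference date for the sample run

@dataclass(frozen=True)
class Finding:
    control: str
    subject: str
    severity: str
    detail: str

def _tls_tuple(version: str) -> tuple[int, int]:
    major, minor = version.split(".")
    return int(major), int(minor)

def _stale(iso_day: str, today: date) -> bool:
    return today - date.fromisoformat(iso_day) > EVIDENCE_MAX_AGE

def assess(register: dict, today: date) -> list[Finding]:
    """Return every gap an assessor reading this evidence register would raise."""
    found: list[Finding] = []
    for system in register["systems"]:
        name = system["name"]
        # One unprotected privileged account is enough to fail the MFA item.
        for acct in system["privileged_accounts"]:
            if not acct["mfa"]:
                found.append(Finding("MFA", f"{name}/{acct['id']}", "High", "no MFA on privileged account"))
        if _tls_tuple(system["tls_min"]) < TLS_MIN:
            found.append(Finding("TLS", name, "High", f"minimum TLS {system['tls_min']} is below 1.2"))
        if system["at_rest"] not in APPROVED_AT_REST:
            found.append(Finding("Encryption at rest", name, "Medium", f"{system['at_rest']} is not AES-256"))
        if not system["central_logging"]:
            found.append(Finding("Logging", name, "Medium", "not forwarding to central log management"))
    # Operational practice is judged on dated artefacts, not on policy text.
    if _stale(register["last_restore_test"], today):
        found.append(Finding("Backup", "organisation", "Medium", "no test restore within 12 months"))
    if _stale(register["last_ir_tabletop"], today):
        found.append(Finding("Incident response", "organisation", "Medium", "no IR tabletop within 12 months"))
    now = datetime.combine(today, datetime.min.time())
    for patch in register["critical_patches"]:
        published = datetime.fromisoformat(patch["published"])
        if patch["deployed"] is None:
            if now - published > CRITICAL_PATCH_SLA:
                found.append(Finding("Patching", patch["id"], "Critical", "critical patch still open past 48h SLA"))
        elif datetime.fromisoformat(patch["deployed"]) - published > CRITICAL_PATCH_SLA:
            found.append(Finding("Patching", patch["id"], "High", "critical patch deployed outside 48h SLA"))
    return found

def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings by the report's severity bands."""
    counts = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0}
    for finding in findings:
        counts[finding.severity] += 1
    return counts

# Constructed sample register; system names and advisory ids are placeholders.
REGISTER = {
    "systems": [
        {"name": "api-gateway", "tls_min": "1.2", "at_rest": "AES-256", "central_logging": True,
         "privileged_accounts": [{"id": "admin-1", "mfa": True}, {"id": "svc-deploy", "mfa": False}]},
        {"name": "legacy-reporting", "tls_min": "1.0", "at_rest": "AES-128", "central_logging": False,
         "privileged_accounts": [{"id": "ops-admin", "mfa": True}]},
    ],
    "last_restore_test": "2025-02-10",
    "last_ir_tabletop": "2025-11-20",
    "critical_patches": [
        {"id": "ADV-EXAMPLE-1", "published": "2026-03-02T09:00", "deployed": "2026-03-03T16:00"},
        {"id": "ADV-EXAMPLE-2", "published": "2026-04-10T09:00", "deployed": "2026-04-14T09:00"},
        {"id": "ADV-EXAMPLE-3", "published": "2026-04-28T09:00", "deployed": None},
    ],
}
```

Running `assess(REGISTER, TODAY)` on the sample register returns seven findings (one Critical, three High, three Medium), which is the kind of list a vendor should be closing before the assessor starts, not after.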

8. IRAP vs SOC 2 vs ISO 27001

Whether an existing SOC 2 or ISO 27001 certification removes the need for IRAP is one of the most common questions during discovery. Short answer: IRAP is still required for Australian Government work, and existing certifications are not wasted.

Overlap (diagram): IRAP (ISM controls, AU sovereignty, classification); SOC 2 (Trust Services, Type I / II, CPA-led); ISO 27001 (Annex A controls, 3-year certificate); shared ground across all three: risk register, access control, encryption.

Dimension | IRAP | SOC 2 | ISO 27001
Framework | Australian Government ISM | AICPA Trust Services Criteria | ISO/IEC 27001:2022
Primary audience | Australian Government agencies | Commercial clients (global) | Commercial clients (global)
Control style | ISM (prescriptive, technical) | Trust Services Criteria (principle-based) | Annex A controls (risk-based)
Output | IRAP Assessment Report | SOC 2 Type I or Type II Report | Certificate from accredited body
Required for AU Gov? | Yes (for classified systems) | No | No (often referenced)
Assessor | ASD-endorsed IRAP assessor | Licensed CPA firm | Accredited certification body
Validity | Typically 24 months | 12 months (Type II) | 3 years (with annual surveillance)
AU data sovereignty | Required at PROTECTED+ | Not addressed | Not addressed

Practical overlap: ISO 27001 typically gets an organisation 40–50% of the documentation and evidence ready for IRAP. SOC 2 Type II provides useful operational evidence but less structural overlap. Neither substitutes for IRAP — the ISM has prescriptive Australian Government controls that neither addresses.

Tech Blaze maps existing certifications to applicable ISM controls before the assessment starts. The vendor does not pay twice for the same evidence.

9. IRAP cost and timeline (real numbers)

Most vendors skip to this section. Transparency wins, so the numbers below reflect actual market rates as of 2026.

Typical costs (2026)

Scope | Classification | Estimated cost (ex-GST) | Typical timeline
Small SaaS (single service, simple architecture) | OFFICIAL | $40,000 – $70,000 | 6–10 weeks
Mid-size cloud platform (multi-service, integrations) | OFFICIAL | $70,000 – $120,000 | 10–14 weeks
Enterprise platform / managed service | PROTECTED | $120,000 – $250,000 | 14–24 weeks
Complex multi-tenant, multi-region platform | PROTECTED | $200,000 – $400,000+ | 20–30+ weeks
SECRET-level systems | SECRET | By arrangement | 6–12+ months
Reassessment / Delta | Any | 40–60% of initial | 4–12 weeks

What drives cost

  • Number of in-scope ISM controls — controls scale with classification level
  • System complexity — multi-cloud, hybrid, multi-tenant architectures take longer to assess
  • Documentation maturity — poor documentation translates directly into longer gap analysis cycles
  • Third-party dependencies — every external integration adds scope
  • Remediation cycles — each round of finding-validation adds time

How to reduce cost

  1. Invest in documentation before the assessment. Highest-ROI activity, full stop.
  2. Run an internal gap assessment against the ISM before engaging an assessor.
  3. Minimise scope. Assess what is needed, at the level that is needed.
  4. Fix known issues first. Do not pay an IRAP assessor to find problems the internal team already knows about.
  5. Choose an assessor who offers structured remediation support. Reduces back-and-forth.

A Canberra-based SaaS that Tech Blaze recently assessed cut their assessment time by roughly 40% just by spending six weeks on documentation before the assessor started. The same vendor had previously been quoted by another assessor at double Tech Blaze's fee on the same scope — because the other assessor scoped on assumption rather than evidence. Documentation is leverage.

10. How to choose an IRAP assessor

Not all IRAP assessors are the same. The filter below covers the criteria that matter most.

Category | Filter
Must-have | ASD-endorsed (verify on register), appropriate clearance, classification-level experience, clear scoping methodology
Should-have | Industry-specific context, structured remediation support, responsive communication, local presence
Red flag | Fixed price before scope is understood, cannot explain ISM in plain language, no experience at target level, no questions about existing certifications

Must-haves

  • ASD endorsement — verify on the ASD IRAP assessor list. Non-negotiable.
  • Appropriate clearance level — for PROTECTED+ systems, the assessor needs a corresponding clearance.
  • Relevant experience — ask for assessments at the target classification level and in the target technology stack (cloud, on-prem, hybrid).
  • Clear scoping methodology — an assessor who cannot articulate scoping upfront will surprise the vendor with variations later.

Should-haves

  • Industry context — health, defence, finance, and critical infrastructure each have nuances; experienced assessors interpret ISM controls more practically.
  • Remediation support — the report is half the value; practical guidance on closure is where the ROI sits.
  • Communication style — vendor and assessor will work closely for months. Pick someone responsive.
  • Local presence — for Canberra agencies and departments, time-zone alignment (and frequently same-city presence) materially improves efficiency.

Red flags

  • A fixed price quoted before scope is understood — usually a sign of corner-cutting or future variations.
  • Inability to explain ISM control families in plain language.
  • No experience at the target classification level.
  • No questions about existing certifications during scoping.

11. Frequently asked questions

How long does an IRAP assessment take?

A typical IRAP assessment takes 8 to 24 weeks, depending on classification, system complexity, and documentation readiness. A simple OFFICIAL assessment for a well-prepared organisation can run as fast as 6 weeks. PROTECTED-level assessments for complex platforms commonly run 6 months including remediation cycles.

How much does an IRAP assessment cost in Australia?

In 2026, IRAP assessment costs typically range from $40,000 for a straightforward OFFICIAL assessment to $250,000+ for a complex PROTECTED assessment. Primary cost drivers are the number of in-scope ISM controls, system complexity, and documentation maturity. Reassessments are typically 40–60% of the initial fee.

Is IRAP mandatory for selling to the Australian Government?

For systems storing, processing, or transmitting government data classified at OFFICIAL or above, an IRAP assessment is effectively mandatory. There is no single legislative requirement, but the Protective Security Policy Framework (PSPF) and individual agency policies require independent assurance — and IRAP is the accepted mechanism for ICT systems.

What is the difference between IRAP and the Essential Eight?

The Essential Eight is a baseline set of eight mitigation strategies recommended by ASD against common threats. IRAP assesses systems against the full ISM control set, which includes the Essential Eight but extends well beyond it. Think of the Essential Eight as a minimum hygiene standard, and IRAP as a complete evaluation of security posture.

Can an overseas assessor be used?

No. IRAP assessors must be ASD-endorsed, which requires Australian citizenship, appropriate security clearances, and ongoing professional development through ASD. The assessment must be conducted by an individual currently on the ASD IRAP assessor register.

How often does reassessment happen?

Most IRAP assessments are valid for 24 months, though the sponsoring agency's specific requirements govern. Significant system changes — major architectural shifts, new data flows, classification-level changes — can trigger an earlier reassessment requirement. A delta assessment at the 12-month mark is a common way to handle material changes before they compound.

What happens if a system fails the IRAP assessment?

Systems do not pass or fail in a binary sense. The assessment report documents findings with severity ratings and remediation recommendations. The sponsoring agency then makes a risk-based decision about authorisation. In practice, almost every system has findings — what matters is a credible plan to close them. Critical findings will need to be resolved before authorisation in nearly every case.

Is IRAP needed for OFFICIAL: Sensitive data?

OFFICIAL: Sensitive is a dissemination-limiting marker (DLM) on OFFICIAL information. While the base classification is still OFFICIAL, agencies handling OFFICIAL: Sensitive data routinely require an IRAP assessment to provide assurance. The 2026 trend is firmly toward requiring IRAP for OFFICIAL: Sensitive systems — confirm with the sponsoring agency.

Is IRAP the same as a penetration test?

No. A penetration test attempts to exploit vulnerabilities to determine impact. An IRAP assessment evaluates the full set of applicable ISM controls — only some of which a pentest can validate. Pentests often form an input to an IRAP assessment but never substitute for one.

Does IRAP cover SOCI Act / CIRMP obligations?

Partially. CIRMP obligations under the SOCI Act draw heavily on the ISM and Essential Eight, so an IRAP assessment provides strong evidence for many of the controls — but CIRMP has additional governance requirements not in scope for a standard IRAP.

Pratyush Sood, ASD-endorsed IRAP Assessor, Canberra, ACT

About the author

Pratyush Sood is the founder of Tech Blaze Consulting Pty Ltd, based in Canberra, ACT. He is an ASD-endorsed IRAP assessor with over 20 years of experience in IT and cybersecurity. Tech Blaze provides IRAP assessments, Essential Eight assessments, ISM compliance consulting, and vCISO services to Australian Government agencies, defence-supply-chain vendors, and critical infrastructure operators.

When you engage Tech Blaze, you work directly with the assessor — no account managers, no junior analysts, no handoffs.

Ready to start an IRAP assessment?

Whether the engagement is a startup preparing for a first government contract or an established vendor heading into reassessment, Tech Blaze can navigate the process efficiently and avoid the common pitfalls.

This article is general guidance only and does not constitute formal security advice. Organisations should engage a qualified IRAP assessor for advice specific to their system and classification requirements.