IRAP Assessment Preparation

IRAP Assessment Readiness: Your Checklist for Australian Businesses

Tech Blaze Consulting | July 2026 | 9 min read

Failing an IRAP assessment rarely happens because a specific technical control breaks. It happens because a business brings in an assessor before they are actually ready. When you process government data, your security posture isn't judged on intent; it's judged on documented evidence and rigorous execution. As an endorsed IRAP assessor working with Defence SMEs and Australian critical infrastructure providers, I see the same preparation gaps stall engagements and force expensive remediations.

This guide cuts past the high-level advice. Here is exactly what an assessor looks for, the concrete documentation you need, and the operational reality your business must prove to pass your IRAP assessment.

Understanding IRAP: What It Is and Why It Matters

The Infosec Registered Assessor Program (IRAP) provides independent validation that an IT system meets the security requirements outlined in the Australian Government Information Security Manual (ISM). It is the mechanism by which government agencies determine if they can trust your system to handle their data.

For a commercial business, passing an IRAP assessment is the barrier to entry for government contracts. Without an assessment letter stating your system meets the requirements for OFFICIAL:Sensitive or PROTECTED data, procurement discussions stall. Achieving this milestone demonstrates genuine security maturity, giving you a competitive advantage when pursuing Essential Eight maturity or broader compliance objectives.

Key Phases of an IRAP Assessment

An IRAP assessment follows a structured methodology. Knowing this rhythm helps you prepare your internal team to respond efficiently.

  • Stage 1: Planning and Documentation Review. The assessor reviews your foundational documents, primarily the System Security Plan (SSP) and Statement of Applicability (SoA). If these are incomplete or vague, the assessment halts. We identify the system boundary and confirm scoping decisions.
  • Stage 2: Technical Assessment and Evidence Gathering. The assessor transitions from reading to verifying. We interview your engineers, inspect cloud configurations, pull event logs, and demand specific evidence proving controls operate as documented.
  • Reporting: Security Assessment Report (SAR). We document our findings against the ISM controls. The SAR details exactly where you meet requirements, where you fall short, and the residual risks the Authorising Officer must accept.

Essential Documentation and Evidence Required

Documentation often trips up otherwise mature technical teams. The ISM relies on formalised processes. If a control exists but isn't documented and approved by an authoritative figure, an assessor cannot pass it.

Your primary artifacts must be rigorous:

  • System Security Plan (SSP): This must describe the exact architecture running today. If you migrated to Azure three months ago but the SSP still details your old on-premises cluster, you fail this section.
  • Statement of Applicability (SoA): Do not use generic responses. When addressing ISM-1504 regarding MFA, you cannot write "We use MFA." You must write "Azure AD Conditional Access enforces MFA for all interactive logins using Microsoft Authenticator," and then provide the configuration export as evidence.
  • Incident Response Plan (IRP): A generic template downloaded from the internet fails. The IRP must outline who is called at 2 AM, the exact escalation path to the ASD or ACSC, and show evidence of a tabletop exercise run within the last twelve months.

Building an IRAP-Ready Security Posture

IRAP readiness requires translating policy into demonstrable technical controls. The assessor will scrutinize your operational reality. Focus heavily on these key areas:

  • Strict logical segregation: If you operate a shared environment, you must prove explicit logical segregation between government data and commercial workloads.
  • Active log triage: Your SIEM must not only ingest logs, but your security team must actively triage and investigate the generated alerts.
  • Prompt log retrieval: Assessors routinely ask operators to pull the logs for a specific administrative action that occurred last Tuesday. If you cannot produce those logs promptly, your monitoring controls will be marked as ineffective.

Key point: Implement controls tightly. Do not enforce MFA for 95% of users but leave a legacy service account exposed. Assessors hunt for the exceptions.

Common Pitfalls and How to Avoid Them

I routinely encounter the same errors across different organizations:

  • Configuration Drift: Writing perfect documentation and then changing the firewall rules two weeks later without updating the documentation. Implement strict change management and map every technical change to the SSP.
  • Fuzzy Boundaries: Failing to clearly define what systems are in scope. If your boundary isn't clear, the assessor assumes everything connected to the network is in scope, expanding your compliance burden massively. Define the boundary explicitly in your architectural diagrams.
  • Missing the "Continuous" in Continuous Monitoring: Treating compliance as a point-in-time snapshot. IRAP expects controls to operate year-round. Use automated compliance tooling where possible to prove historical adherence.

Leveraging Tech Blaze for IRAP Assessment and Readiness

Going into a formal assessment blind is high risk. Our IRAP readiness assessments simulate the exact scrutiny you will face during a formal engagement. We review your architecture, tear apart your SoA, and validate your technical controls against the ISM.

We identify the critical gaps and provide a prioritized remediation roadmap. By the time the formal assessment begins, your documentation is bulletproof, and your technical team knows exactly what evidence to present.

Post-Assessment Steps and Continuous Compliance

Receiving the SAR is not the end of the process. You must formalize a Plan of Action and Milestones (POA&M) to address any outstanding findings. The Authorising Officer will rely on this plan when accepting residual risk.

Maintain momentum after the assessment. Embed the ISM controls into your standard operating procedures. When you automate evidence collection and integrate security impact assessments into your DevOps pipeline, the next assessment shifts from a massive project to routine operational reporting.

Take Action Before You Engage an Assessor

Do not wait until the formal assessment begins to find out your documentation has gaps or your controls are misconfigured. Use the readiness checklist below to conduct an honest internal review of your current state. If you find areas where you cannot immediately produce evidence, focus your engineering efforts there first.

The Readiness Checklist

Review these requirements before engaging an assessor. If you cannot confidently answer "yes" and provide immediate evidence for these items, you need further preparation.

Documentation Foundation

Technical Execution

Governance Oversight

Secure Your Next Government Contract

Don't risk failing your formal IRAP assessment due to simple preparation errors. Engage our experts for a rigorous readiness review and ensure you meet the standards the first time.

Contact Tech Blaze