Failing an IRAP assessment costs time, money, and potentially a government contract.
Organizations often walk into an assessment expecting a basic audit, only to be overwhelmed by the depth of scrutiny applied to their actual configuration, not just their policies.
As ASD-endorsed IRAP assessors, we see the same gaps repeatedly. The core issue is rarely a lack of security tooling; it is a disconnect between documented controls and technical reality. The organizations that succeed treat IRAP readiness as a continuous engineering effort, aligning architecture, configuration, and governance before the formal assessment begins.
Understanding the IRAP Assessment Process
The Infosec Registered Assessor Program (IRAP) evaluates a system against the Australian Government Information Security Manual (ISM). This is not a box-ticking exercise or a simple vulnerability scan. It is an extensive control-by-control evaluation.
An assessment is typically split into two stages:
- Stage 1: Documentation Review. The assessor inspects your System Security Plan (SSP), Statement of Applicability (SoA), and Security Risk Management Plan (SRMP). If these documents are outdated or generic, the assessment stops here.
- Stage 2: Technical Validation. The assessor examines the actual implementation. They will request screenshots, export configurations, and ask administrators to demonstrate controls in operation. This is where configuration drift becomes glaringly obvious.
The outcome is a Security Assessment Report (SAR) detailing findings and a maturity or compliance rating for each control.
Key Requirements for IRAP Readiness
Readiness requires specific evidence that controls are operational. We look for alignment across three pillars:
1. Documented Reality
Your SSP must accurately reflect the system as it operates today. If your architecture diagram is missing recent cloud integrations, the assessor will find it. Your SoA must address every relevant ISM control with specific implementation details—stating "we use encryption" is insufficient; you must specify algorithms, key lengths, and TLS versions.
2. Technical Baseline Configuration
The assessor validates that your tools are actually configured correctly. For example, if you claim Essential Eight Maturity Level Two, we will check if application control rulesets are tuned, and if critical patches are applied within the mandated 48 hours. Tools that report compliance without enforcing it are a common point of failure.
3. Operational Governance
Technical controls fail without governance. You must demonstrate that processes like incident response and backup restoration have been tested within the last 12 months. Centralized logging (ISM-0580) requires 18 months of retention and evidence that alerts are actively triaged.
Common Pitfalls to Avoid in IRAP Assessments
We frequently see organizations stumble on the same issues. Avoid these specific pitfalls:
- Configuration Drift: This is the most significant risk. What is documented in the SSP often does not match the live environment. Conduct a pre-assessment review to ensure alignment.
- Undefined Scope: For cloud or hybrid systems, ambiguous boundaries cause delays. You must explicitly define what is in scope and what falls under the cloud provider's shared responsibility.
- Missing Evidence: Claiming a control exists without providing verifiable artifacts (like log extracts or configuration exports) results in a finding.
- Expired Cryptography: Self-signed certificates or expired keys in production environments are immediate red flags. Cryptographic controls must meet ASD Approved Cryptographic Algorithms (AACA) standards.
How Tech Blaze Supports Your IRAP Journey
At Tech Blaze, we operate as practitioners. We do not just hand you a spreadsheet; we work with your engineering and compliance teams to close gaps before the formal assessment. Our IRAP readiness services provide a structured pathway to compliance.
We conduct a detailed gap analysis against the ISM, review your architecture and documentation, and validate your technical controls. If you have gaps in your Essential Eight maturity, we help you remediate them pragmatically, balancing security requirements with operational realities.
Next Steps to IRAP Compliance Success
Treat IRAP readiness as a continuous process rather than a point-in-time audit. Start by defining your scope and updating your SSP. Review your technical controls against the latest ISM requirements and gather evidence of operational effectiveness.
Do not wait until the assessor is onsite to discover your gaps.
Engage experts who understand both the standard and the underlying technology to ensure you are truly ready.