IRAP Assessments
Independent security assessments against the Information Security Manual and Protective Security Policy Framework. Rigorous evaluation by an endorsed IRAP Assessor with deep hands-on cybersecurity and enterprise architecture expertise.
What Is IRAP?
The Information Security Registered Assessors Program (IRAP) is an initiative administered by the Australian Government's national cybersecurity authority. IRAP provides the framework through which independent assessors evaluate an organisation's security posture against the requirements of the Information Security Manual (ISM) and, where applicable, the Protective Security Policy Framework (PSPF).
A Brief History
IRAP was established to address a growing need within the Australian Government for independent, qualified professionals who could assess the security of ICT systems and services. Before IRAP, security assessments were conducted in an ad hoc manner with varying levels of rigour and inconsistent standards.
The program was formalised to ensure assessors met a consistent standard of competency, held appropriate security clearances, and followed a structured methodology aligned with the ISM. Today, IRAP assessments are a critical prerequisite for any organisation wishing to provide ICT services to Australian Government entities.
The Administering Authority
The Australian Government's cybersecurity authority maintains the IRAP program, including:
- Endorsing IRAP Assessors who meet stringent criteria for qualifications, experience, and clearance
- Publishing the ISM — the primary security standard updated regularly
- Maintaining the Cloud Assessment and Authorisation Framework for cloud service assessments
- Providing supplementary guidance on cloud security, gateway security, and specific technology domains
The Information Security Manual (ISM)
The ISM is the Australian Government's comprehensive cybersecurity framework. It comprises hundreds of security controls organised across critical domains. Each control is mapped to a security tier and a control type (must, should, recommended). IRAP assessments evaluate an organisation's implementation of the applicable controls for its target tier.
- Governance: security policies, roles, responsibilities, and risk management
- Physical Security: facility controls and media handling
- Personnel Security: clearances, awareness training, and acceptable use
- ICT Security: system hardening, access control, cryptography, network security
- Software Security: application development and deployment controls
- Email & Web Security: content filtering, SPF, DKIM, DMARC
- Networking: segmentation, firewalls, intrusion detection
- Cryptography: approved algorithms and key management
- Cloud Security: cloud-specific controls for IaaS, PaaS, and SaaS
The Protective Security Policy Framework (PSPF)
The PSPF sets out the government's protective security requirements, encompassing governance, personnel security, physical security, and information security more broadly. IRAP assessments frequently need to consider PSPF requirements — particularly policies relating to sensitive information and robust ICT systems. Understanding how the ISM and PSPF intersect is critical to a successful assessment outcome.
Assessment Tiers: Standard and Comprehensive
IRAP assessments are conducted against two primary security tiers. The tier determines the scope, rigour, and duration of the assessment.
Standard Assessment
Applies to information where compromise could cause limited damage to individuals, organisations, or government. This is the baseline for most government business information.
- Core ISM controls applicable to government systems
- Basic access control and authentication mechanisms
- Network security and boundary protections
- Logging and monitoring capabilities
- Incident response readiness
- Data sovereignty requirements (Australian hosting)
- Personnel security for privileged users
Comprehensive Assessment
Applies to information where compromise could cause damage to the national interest. This represents a significantly higher bar than Standard.
- Everything required for Standard, plus...
- Enhanced cryptographic controls and approved algorithms
- Stringent multi-factor and privileged access management
- Advanced network segmentation and zero-trust considerations
- Comprehensive SIEM with extended retention requirements
- Australian data sovereignty with cleared personnel
- Facility security meeting government physical requirements
- Supply chain risk and foreign influence assessments
| Aspect | Standard | Comprehensive |
|---|---|---|
| Cryptography | Commercial-grade TLS/AES | Approved algorithms only |
| Personnel Clearances | Baseline for privileged users | Baseline+ for all operational staff |
| Data Sovereignty | Australian hosting required | Australian hosting + Australian-only personnel |
| Physical Security | Standard commercial data centre | Government-accredited facilities |
| Assessment Duration | 4-8 weeks typical | 8-16 weeks typical |
| ISM Controls Assessed | ~300-400 controls | ~500-600+ controls |
| Ongoing Compliance | Annual review recommended | Annual reassessment expected |
Who Needs an IRAP Assessment?
IRAP assessments are relevant to a wide range of organisations operating in the Australian Government ecosystem.
Cloud Service Providers
If you provide cloud infrastructure, platform, or software services to Australian Government customers, an IRAP assessment is essential. Major cloud providers have all undergone IRAP assessments for their Australian regions.
SaaS & Managed Service Providers
Software-as-a-Service vendors and managed service providers handling government data must demonstrate ISM compliance. An IRAP assessment provides the independent assurance government customers require.
Defence Industry
Organisations within the Australian defence supply chain, particularly those subject to the Defence Industry Security Program (DISP), frequently require IRAP assessments to validate handling of sensitive information.
Government Agencies
Government entities undergo IRAP assessments to validate internal systems, particularly those hosting sensitive citizen data, national security information, or critical infrastructure control systems.
Critical Infrastructure
Under the Security of Critical Infrastructure Act (SOCI Act), operators of critical infrastructure assets may use IRAP assessments to demonstrate compliance with government security expectations.
Competitive Advantage
Even where not strictly required, an IRAP assessment demonstrates a commitment to security that differentiates your organisation in government procurement. Assessment reports carry significant weight in tender evaluations.
Our Six-Phase Assessment Methodology
A structured approach that ensures thoroughness, transparency, and minimal disruption to your operations.
Scoping and Engagement
Every IRAP assessment begins with a detailed scoping exercise. We work with your team to define the assessment boundary, identify the target security tier, understand your architecture, review existing documentation, identify stakeholders, and agree on timeline and logistics.
Deliverable: Scoping document and assessment plan
Documentation Review
A comprehensive review of your security documentation against ISM requirements. We identify gaps, inconsistencies, and areas where documentation does not adequately address ISM controls. A detailed gap analysis enables your team to begin remediation in parallel.
Deliverable: Documentation gap analysis report
Technical Assessment
Hands-on evaluation of your environment including configuration review, vulnerability assessment, access control testing, cryptographic assessment, network security testing, logging and monitoring review, and cloud-specific testing where applicable.
Deliverable: Technical assessment findings (preliminary)
Interviews and Process Validation
Security is not purely technical. We conduct structured interviews with key personnel to validate that policies and procedures are understood and followed in practice. This phase often reveals gaps between documented procedures and actual practice.
Deliverable: Interview findings and process maturity observations
Analysis and Reporting
All findings are consolidated into a comprehensive IRAP Assessment Report structured in accordance with program reporting requirements. The report is written to be actionable, with specific, practical remediation steps.
Deliverable: Draft IRAP Assessment Report
Finalisation and Handover
We present findings to your stakeholders, address questions, and finalise the report. This phase includes guidance on the pathway to formal authorisation and recommendations for ongoing compliance monitoring.
Deliverable: Final IRAP Assessment Report and supporting artefacts
Timeline Expectations
Assessment timelines vary depending on scope, security tier, and organisational readiness.
| Scenario | Typical Duration |
|---|---|
| Standard assessment — well-prepared organisation | 4-6 weeks |
| Standard assessment — some remediation needed | 6-10 weeks |
| Comprehensive assessment — well-prepared organisation | 8-12 weeks |
| Comprehensive assessment — significant gaps | 12-16+ weeks |
| Re-assessment (annual) | 3-6 weeks |
- Organisational Readiness: mature documentation and well-configured environments move faster.
- Scope Complexity: multi-cloud, hybrid, or multi-site environments require more time.
- Remediation Requirements: significant gaps identified early require time for remediation.
- Stakeholder Availability: interview scheduling and governance approvals can add calendar time.
Documentation Requirements
Organisations undergoing an IRAP assessment should prepare the following documentation. If your documentation is incomplete or outdated, Tech Blaze can provide pre-assessment advisory services to help you develop or update the required artefacts.
- System Security Plan (SSP): the cornerstone document describing your system's security controls, architecture, and risk profile
- Security Risk Management Plan: risk register and treatment plans for identified risks
- Incident Response Plan: procedures for detecting, responding to, and recovering from security incidents
- Network & Data Flow Diagrams: current, accurate, and sufficiently detailed architecture diagrams
- Standard Operating Procedures: SOPs for patching, access management, change control, backup and recovery
- Previous Assessment Reports: any prior IRAP assessments, penetration tests, or audit reports
- Vendor Documentation: shared responsibility matrices, service agreements, compliance certifications
Post-Assessment: Authorisation and Ongoing Compliance
Pathway to Authorisation
An IRAP assessment report is a critical input to the security authorisation process. The report, combined with a completed SSP and risk acceptance by the Authorising Officer, enables the system to be formally authorised to operate at the assessed security tier.
An IRAP assessment alone does not constitute authorisation. The assessment provides an independent, evidence-based evaluation that informs the authorisation decision.
Ongoing Compliance
Security is not a point-in-time exercise. After your IRAP assessment, maintaining compliance requires:
- Continuous monitoring and vulnerability scanning
- Regular patching aligned with ISM and Essential Eight
- Annual reassessment or when significant changes occur
- Security impact assessments for system changes
- Incident reporting obligations under the ISM and PSPF
Tech Blaze offers ongoing compliance advisory services to help you maintain your security posture between formal assessments.
Why Choose Tech Blaze Consulting?
- Endorsed IRAP Assessor: holding current security clearances and meeting all program requirements for conducting assessments at both tiers.
- Deep Expertise: extensive experience spanning government, defence, critical infrastructure, and enterprise environments.
- Industry Certifications: CISA, CISM, Azure Security Architect, TOGAF, SABSA — bringing a multidisciplinary perspective to every assessment.
- Direct Engagement Model: you work directly with the assessor from day one. No hand-offs, no junior consultants, no communication gaps.
- Boutique Approach: we limit concurrent engagements to ensure every client receives thorough, focused attention.
- Practical Recommendations: our findings are actionable. We don't just identify problems — we help you understand how to fix them.
- Canberra-Based: located in the heart of Australia's government and defence community, with deep understanding of the local ecosystem.
Frequently Asked Questions
What is the difference between an IRAP assessment and a penetration test?
An IRAP assessment is a comprehensive evaluation of your security posture against the ISM's full control set, including governance, documentation, processes, and technical controls. A penetration test focuses specifically on identifying exploitable vulnerabilities through simulated attacks. An IRAP assessment may include elements of technical testing, but it is fundamentally broader in scope. Many organisations undergo both.
How long does an IRAP assessment take?
Typical timelines range from 4-6 weeks for a straightforward Standard assessment to 12-16 weeks for a complex Comprehensive assessment. Duration depends on scope, organisational readiness, and the target security tier.
How much does an IRAP assessment cost?
Costs vary significantly based on scope, security tier, and complexity. Tech Blaze provides fixed-price quotations after the initial scoping exercise, giving you complete cost certainty before the assessment begins.
Do we need to be fully compliant before starting?
No. Many organisations engage an IRAP assessor knowing they have gaps. The assessment identifies those gaps with specificity and provides a roadmap for remediation. However, better-prepared organisations achieve a cleaner result more quickly. We recommend a pre-assessment readiness review if you are uncertain about your compliance maturity.
How often do we need to be reassessed?
Systems are expected to be reassessed at least annually, or whenever significant changes occur to the system, its environment, or the threat landscape. Significant changes include major architectural modifications, new service integrations, or changes to the information being processed.
Can Tech Blaze help with remediation?
Yes. In addition to IRAP assessment services, Tech Blaze provides advisory and remediation support. This can include documentation development, security architecture advice, and implementation guidance. IRAP program independence requirements mean that remediation work and subsequent reassessment maintain appropriate separation.
What security clearance does the assessor hold?
Tech Blaze's IRAP Assessor holds current Australian Government security clearances at the level required to conduct Comprehensive assessments. Clearance details are available on request under appropriate conditions.
Ready to Begin Your IRAP Assessment?
Whether you're preparing for your first IRAP assessment or seeking reassessment for an existing system, Tech Blaze Consulting provides the expertise and rigour you need. Our direct engagement model means you work with the assessor from day one — no intermediaries, no surprises.