IRAP — Information Security Registered Assessors Program
Mandatory assessment for Australian Government data and systems
IRAP is the Australian Signals Directorate's program for assessing the security of systems that handle Australian Government data. Essential for technology providers seeking government contracts.
The Information Security Registered Assessors Program (IRAP) is managed by the Australian Signals Directorate (ASD). It authorises qualified assessors to evaluate whether ICT systems, services, and facilities meet the security requirements of the Australian Government Information Security Manual (ISM). An IRAP assessment provides the Australian Government with independent assurance that a vendor's systems adequately protect government data.
For technology companies seeking to sell cloud services, SaaS platforms, or managed services to Australian Government agencies, an IRAP assessment is frequently a non-negotiable procurement requirement. The assessment produces a Security Assessment Report (SAR) that agencies use to make Authorisation to Operate (ATO) decisions under the Protective Security Policy Framework (PSPF).
Who Needs It
Who Needs IRAP?
Cloud service providers seeking to offer services to Australian Government agencies
SaaS and technology vendors selling to federal, state, or territory government
Managed service providers handling government data or operating government systems
Critical infrastructure operators subject to the Security of Critical Infrastructure Act
Technology companies seeking inclusion on the Digital Marketplace or DTA approved panels
Organisations storing or processing PROTECTED or OFFICIAL: Sensitive government data
Key Requirements
What It Covers
ISM Control Assessment
Assessment of security controls against the Australian Government ISM, with controls mapped to the applicable data classification level (OFFICIAL, OFFICIAL: Sensitive, PROTECTED).
System Security Plan (SSP)
Comprehensive documentation of the system's security architecture, controls, risks, and residual risks — the primary document reviewed by the IRAP assessor.
Threat and Risk Assessment (TRA)
Formal assessment of threats, vulnerabilities, and risks to the system in the context of the government data it will handle.
Data Classification Alignment
System controls must align with the handling requirements for the highest classification of government data the system will process or store.
Incident Response Plan
Documented procedures for detecting, managing, and reporting security incidents affecting government data, including mandatory ASD notification requirements.
Security Assessment Report (SAR)
The IRAP assessor produces a SAR documenting assessment findings, control effectiveness, residual risks, and recommendations for the agency's ATO decision.
Business Value
Benefits of IRAP
Access the Australian Government market — IRAP assessment is required for most government cloud and SaaS procurement
Demonstrate security maturity aligned to Australia's highest government standards
Accelerate government sales cycles by having assessment documentation ready for agency due diligence
Build confidence with state and local government customers who reference ASD standards
Differentiate against competitors who haven't invested in government-grade security
Our Process
How We Help You Achieve It
Scoping
We define the assessment scope, target data classification, and system boundary in alignment with agency requirements.
ISM Gap Assessment
We assess your current controls against the ISM controls applicable to your target classification.
Documentation Development
We develop or review your System Security Plan, TRA, and supporting security documentation.
Remediation Support
We help you implement and evidence controls to address gaps identified in the pre-assessment phase.
IRAP Assessor Coordination
We work alongside your chosen ASD-authorised IRAP assessor, preparing responses and evidence packages.
SAR & ATO Support
We help you respond to SAR findings and support the agency's Authorisation to Operate process.
FAQ
Frequently Asked Questions
Ready to Start Your IRAP Journey?
Begin with a free cybersecurity gap assessment to understand where you stand, then let our experts guide you to certification.