Infosec Registered Assessor Program - IRAP
Frequently asked questions
IRAP is an Australian Signals Directorate (ASD) initiative developed to provide high-quality security assessment services to the Australian Government and Industry. IRAP assessors must provide substantial evidence, hold specific industry certifications, and pass an IRAP examination to attain ASD endorsement.
An IRAP assessment is an independent assessment of the implementation, appropriateness, and effectiveness of a system’s security controls. Once a system is assessed, an IRAP Assessment Report is developed and delivered to the client. This independent report enables the organisation to make informed risk-based decisions about the system’s suitability for security needs and risk appetite.
Our IRAP assessors have an extensive background in Australian Government, Industry and Defence cybersecurity. All assessors hold an NV2 security clearance with the ability to obtain a PV.
Our assessors come from a wide variety of backgrounds. As a result, we can place the most suitable assessor on each system type, saving both time and money while still providing the highest quality outcomes.
PSPF Policy 11 – Robust ICT Systems provides advice on whether your organisation requires an IRAP assessment. All gateways, Managed Service Providers and cloud services that process, store, or communicate Australian Government information (excluding Top Secret) require an ASD-endorsed IRAP assessor assessment.
IRAP assessors may independently assess any ICT system classified as Secret and below. Advice on reassessment timelines can be found in the Australian Cyber Security Centre (ACSC) Information Security Manual.
The timeline for an assessment depends on the scope of work and the availability of evidence. ACSC advises that organisations should allow at least three months for an assessment. We can provide a comprehensive IRAP questionnaire to ensure quotations are accurate and estimated timelines are correct.
The cost of an assessment is largely based on the scope and ability to obtain and assess the implementation of security controls. Before beginning an IRAP assessment, we recommend that the organisation contact us to seek advice on what can be done to assist the IRAP assessor in expediting the evidence collection. This will usually relate to having a well-defined scope and audit plan.
It is recommended that an IRAP assessment take place immediately after the integration phase, as the effectiveness of implemented controls must be assessed. However, the engagement of an IRAP assessor should begin as early as the definition and design phases.
IRAP assessors may also provide advice during design. Still, it is important to note that this may impede their independence, and an additional IRAP assessor may need to be engaged to complete the assessment.
While the Information Security Manual and Protective Security Policy Framework are the foundation of an IRAP assessment, any security framework can be applied and assessed by the IRAP assessor.
Our IRAP assessors are extremely experienced in working with and translating the controls and requirements from other frameworks such as NIST, JSIG, ISO27001 and COBIT.
An IRAP assessment does not certify a system or give an organisation an “authority to operate”. It is an independent assessment that provides a high confidence level and enables the organisation’s risk owner to make informed decisions.
The Information Security Manual is not a compliance framework. A risk-based approach should be taken to the selection of Information Security Manual controls. Our assessors will evaluate the application of each control. However, if the specific ACSC advice has not been implemented, compensating controls and the organisation’s risk management program will be assessed to ensure that risk acceptance has been properly considered.
Generally, a reassessment will only include changes since the previous assessment. This may include new or amended Information Security Manual controls, changes in system architecture, or areas identified as high risk. It is important that organisations make past audits available to the assessor and work with them to develop an assessment scope.
In some instances, an IRAP assessment can be used to support the certification and accreditation activity within Government bodies. We have a history of coordinating with Certification Authorities within the Government to produce IRAP assessment reports that will be used to develop and expedite certification reports.
Yes. However, the independence of the assessor must be maintained. This may mean engaging with an additional IRAP assessor to provide the IRAP assessment itself.
SYDNEY
Suite 111, 460 Pacific Highway
St Leonards NSW 2065
CANBERRA
Unit 2.04, 17 Moore Street
Canberra ACT 2601
WILLIAMTOWN
U 2.02 Building E 1 Technology PL
Williamtown NSW 2318
CONTACT
Phone +61 2 4081 2887
Email info@pacaerocon.com.au