Information Security Registered Assessors Program (IRAP)

IRAP is Australia's framework for assessing ICT systems handling government data. Learn how IRAP assessments work and what cloud providers need to serve Australian government clients.

Issuing Body: Australian Signals Directorate (ASD)
First Published: 2012-01-01
Latest Version: 2023
Typical Cost: $50,000–$300,000
Typical Timeline: 3–12 months
Audit Required: Yes
Audit Frequency: IRAP assessments are typically conducted every 24 months or when significant changes occur
Geography: Australia

IRAP: Australian Government Security Assessment Guide

The Information Security Registered Assessors Program (IRAP) is the Australian Signals Directorate's program for independently assessing ICT systems against Australian government security requirements. ASD endorses IRAP assessors, who evaluate whether a system implements the controls specified in the Australian Government Information Security Manual (ISM) and report on the residual risk. An IRAP assessment is an independent assessment, not a certification: the decision to authorise a system to operate remains with the authorising officer of the agency that will use it.

What IRAP Covers

IRAP assessments evaluate systems against the ISM, which contains several hundred controls organized across governance, physical, personnel, and ICT security domains. The assessment determines whether a system is suitable for handling Australian government data at a specific classification level: OFFICIAL, OFFICIAL: Sensitive, PROTECTED, or above (SECRET and TOP SECRET systems are assessed under additional requirements).

Key assessment areas include security governance and risk management, personnel security, physical security, communications security, ICT security (operating systems, databases, applications, networks), and gateway security for systems connecting to government networks.

Who Needs IRAP

Australian government agencies must have ICT systems that process, store, or communicate government data assessed against the ISM before authorising them to operate. For commercial providers, an IRAP assessment is the accepted way of demonstrating this independently, and agencies routinely require one before procuring a service, particularly at PROTECTED. This primarily affects cloud service providers, managed service providers, and technology companies seeking to serve Australian government agencies.

Major cloud providers (AWS, Azure, Google Cloud) have obtained IRAP assessments for their Australian regions. SaaS companies selling to Australian government agencies are increasingly expected to demonstrate IRAP assessment at the appropriate classification level.

The IRAP Assessment Process

  1. Scope definition — Determine the system boundary and target classification level
  2. Engage an IRAP assessor — Select an ASD-endorsed assessor from the published register
  3. Stage 1 assessment — Review of security documentation, policies, and architecture
  4. Remediation — Address gaps identified in Stage 1
  5. Stage 2 assessment — Technical testing and validation of control implementation
  6. Assessment report — Assessor produces a Security Assessment Report (SAR)
  7. Agency authorisation — The report, together with the provider's security documentation, is shared with consuming agencies, whose authorising officers decide whether the service may be used at the assessed classification level. For cloud services, ASD's Cloud Security Assessment and Authorisation framework guides this process; the former Certified Cloud Services List (CCSL) was retired in 2020, and ASD no longer publishes a central list of certified services.

Cost Factors

Assessment costs depend heavily on the target classification level and system complexity. OFFICIAL-level assessments for straightforward systems may cost $50,000 to $100,000, while PROTECTED-level assessments for complex cloud platforms can exceed $300,000. The largest cost components are assessor fees, remediation of identified gaps, and the documentation effort required to produce compliant security documentation.

Relationship to Essential Eight

The Essential Eight are eight mitigation strategies drawn from ASD's Strategies to Mitigate Cyber Security Incidents, and the ISM contains controls corresponding to each of them. IRAP assessors report on Essential Eight maturity alongside ISM compliance, so organizations targeting IRAP assessment should aim for Essential Eight Maturity Level 2 or 3 as a foundation before engaging an assessor.
