IRAP assessment for Australian organisations — what it is, when you need it, and how to prepare

The Information Security Registered Assessors Program (IRAP) is the ASD-administered assessment regime for Australian government and critical-infrastructure systems. Frontrow's plain-English guide to what IRAP assesses, who needs it, what an assessment costs, and how a Microsoft 365 tenant prepares.

Sam Williams · 25 April 2026 · 8 min read

The Information Security Registered Assessors Program — IRAP — is the Australian Signals Directorate's assessment regime for systems that handle Australian government information or that need to demonstrate alignment with the Information Security Manual at a level credible to a government, defence or critical infrastructure customer. It is a real assessment with a defined scope, executed by an ASD-endorsed assessor against the controls in the ISM, with a defined output that buyers in those segments accept as evidence.

Frontrow advises Australian organisations on IRAP positioning regularly — usually triggered by a procurement opportunity in government, a critical infrastructure customer asking the question, or a finance and insurance client requiring it as part of an upstream supply chain. The view below is the working version of what gets explained at the first conversation.

What IRAP assesses

An IRAP assessment is conducted against the ASD Information Security Manual (the ISM) and produces an assessment report describing the system in scope, the controls implemented, the controls partially implemented, the residual risk, and the assessor's recommendation. The assessment can be at PROTECTED, SECRET or TOP SECRET classification level, with PROTECTED the most common in commercial-into-government contexts. The assessor is registered with the ASD and the assessment follows the ASD's IRAP methodology.

It is important to be clear about what IRAP is not. IRAP is not a certification — there is no IRAP certificate. The output is an assessment report that the receiving authority (the customer's security team, or in some cases the ASD on behalf of the customer) reads and uses to inform an accreditation or authorisation decision. The receiving authority decides whether to accept the system. The assessor describes what is true.

Who needs an IRAP assessment

  • Vendors selling cloud or managed services into Australian Federal or state government where the procurement specifies IRAP-assessed cloud or PROTECTED-level handling.
  • Critical infrastructure operators (energy, water, financial services, telecommunications, health) where the regulator or the customer's security framework requires an IRAP-assessed underlying platform.
  • Defence supply chain participants where the prime is requiring downstream alignment with the ISM.
  • Cloud service providers and SaaS vendors who want to be listed on Microsoft's, AWS's or Google's IRAP-assessed service catalogue, where the cloud platform's IRAP assessment provides the underpinning the SaaS layer extends.
  • Australian organisations whose own customers are in any of the categories above and who need to demonstrate alignment with the ISM as part of their own contractual posture.

What an IRAP assessment costs and how long it takes

The honest answer is that the cost depends heavily on the scope and the readiness of the system in question. For a focused PROTECTED-level assessment of a defined SaaS or service component built on an already-IRAP-assessed Microsoft Azure or Microsoft 365 base, the assessment itself usually runs $80,000 to $200,000 for the assessor's time, with the project taking three to six months end to end. For a broader scope with more controls in play and remediation work alongside the assessment, the number scales accordingly.

The work that goes into preparing for the assessment is usually the larger investment. Frontrow has worked with Australian organisations where the readiness program against the ISM controls runs 9 to 18 months before the assessor walks in. The two pieces compound — getting the controls in place, and producing the documentation and evidence the assessor needs to assess them.

How a Microsoft 365 tenant prepares

The good news for Australian organisations on Microsoft 365 is that the underlying Microsoft Azure and Microsoft 365 platforms already hold IRAP assessments at PROTECTED, and Microsoft maintains a published list of IRAP-assessed services. The tenant's IRAP work is therefore against the controls the tenant configures and operates on top of that platform — identity, data classification, logging, key management, monitoring, incident response, personnel security, change management — rather than the platform itself.

Practical preparation for an Australian organisation starts with mapping the system in scope to the relevant ISM controls, identifying which controls are inherited from the Microsoft platform, which are configured by the organisation, and which are operated by the organisation. The Essential Eight at Maturity Level 2 covers a meaningful subset of the ISM cyber controls and is the most efficient cyber baseline to land first. Microsoft Purview audit at the higher retention tier, Conditional Access policies, Privileged Identity Management, Microsoft Defender XDR or Sentinel for monitoring, and a documented restore from backup all map to specific ISM controls.

What the assessor will ask for

  • The system architecture document covering data flows, components, integration points, the boundary of what is being assessed.
  • The Statement of Applicability against the ISM controls — for each control, whether it applies, how it is implemented, and the evidence reference.
  • The risk assessment and risk treatment plan, with executive sign-off.
  • The configuration evidence — exported policies, conditional access definitions, audit log configuration, data retention policy.
  • The operational evidence — sample audit logs, sample restore test reports, sample incident response activations, the maintenance and change records.
  • The personnel security evidence — clearances where relevant, induction records, acceptable use policy attestations.
  • The third-party assessment evidence — sub-processor IRAP assessments, ISO 27001 certifications, SOC 2 reports for components used.
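One way to produce the tenant-configured identity evidence described above (the configuration evidence the assessor asks for, and the evidence references the Statement of Applicability rows point at). This is an added example, not Frontrow's tooling or Microsoft's, and it assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account holds the read-only Policy.Read.All permission; the output folder name and the artefact names are choices made here, not anything the ISM prescribes.

```powershell
# Added example (not Frontrow's code): export the identity controls the tenant
# configures on top of the IRAP-assessed Microsoft 365 platform, and write a
# SHA-256 manifest so each file can be cited as an evidence reference in the
# Statement of Applicability. Read-only: nothing in the tenant is changed.
# Assumes the Microsoft.Graph SDK is installed and Policy.Read.All is granted.

param(
    # Output folder for the evidence pack; one UTC-stamped folder per run.
    [string] $EvidenceRoot = (Join-Path $PWD 'irap-evidence')
)

$ErrorActionPreference = 'Stop'
$stamp  = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$outDir = Join-Path $EvidenceRoot $stamp
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Request only the read scope the exports need.
Connect-MgGraph -Scopes 'Policy.Read.All'

# Pull the objects once; they are exported and then self-checked below.
$caPolicies     = Get-MgIdentityConditionalAccessPolicy -All
$namedLocations = Get-MgIdentityConditionalAccessNamedLocation -All
$authMethods    = Get-MgPolicyAuthenticationMethodPolicy

# Each key becomes a file name and the evidence reference an SoA row cites.
$exports = [ordered]@{
    'conditional-access-policies'   = $caPolicies
    'named-locations'               = $namedLocations
    'authentication-methods-policy' = $authMethods
}

$manifest = foreach ($name in $exports.Keys) {
    $path = Join-Path $outDir "$name.json"
    # -Depth 10: Conditional Access conditions nest several levels deep and
    # ConvertTo-Json's default depth of 2 silently truncates them.
    $exports[$name] | ConvertTo-Json -Depth 10 | Set-Content -Path $path -Encoding utf8
    [pscustomobject]@{
        Artefact      = $name
        File          = $path
        Sha256        = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        ExportedAtUtc = $stamp
    }
}

# Self-check before the pack is handed over: a policy that is disabled or in
# report-only mode exists in the export but is not evidence that the control
# is operating, and an assessor will read it that way.
$notEnforced = $caPolicies |
    Where-Object { $_.State -ne 'enabled' } |
    Select-Object DisplayName, State
if ($notEnforced) {
    Write-Warning 'Conditional Access policies present but not enforced (state is not "enabled"):'
    $notEnforced | Format-Table -AutoSize | Out-String | Write-Warning
}

$manifest | Export-Csv -Path (Join-Path $outDir 'manifest.csv') -NoTypeInformation
$manifest | Format-Table -AutoSize
Disconnect-MgGraph | Out-Null
```

Run it from the tenant's administrative workstation ahead of each evidence refresh; the manifest.csv hash column is what lets the assessor confirm that the JSON they are reading is the file the SoA cites, and the not-enforced warning catches the common case where a policy was drafted during readiness work but never switched on.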

What Frontrow does in an IRAP-readiness engagement

Frontrow scopes the assessment against the realistic system boundary, runs the gap analysis against the ISM controls in play, sequences the remediation work in the order it returns the most assessor-readiness per dollar, lands the documentation and evidence pack the assessor will need, and runs a pre-assessment dry run before the assessor walks in. The assessment itself is then a confirmation exercise, not a discovery one.

The Essential Eight strategies

The Essential Eight at ML2 is the practical floor before an IRAP-readiness conversation makes sense to start. The eight strategies, each scored at one of four maturity levels and each mapping to specific Microsoft 365 tooling:

  • Application control: only approved applications can execute on workstations and servers.
  • Patch applications: internet-facing apps, browsers, Office, PDF readers patched promptly.
  • Microsoft Office macros: macros disabled unless from trusted locations and signed by a trusted publisher.
  • User application hardening: web browsers and productivity apps hardened against the most common attacks.
  • Restrict administrative privileges: admin accounts limited, separated and reviewed — the crown jewels of the tenant.
  • Patch operating systems: operating system patches applied on a schedule that matches the risk.
  • Multi-factor authentication: MFA everywhere that matters — privileged accounts, remote access, important data.
  • Regular backups: backups of important data, configuration and software — and restores you have actually tested.

Frontrow advises Australian organisations on IRAP scoping, readiness and the ISM mapping work. Phone 1300 012 466 or book a chat through the contact page.

Want us to run this with your team?

30 minutes. No deck. We'll walk through your tenant, your priorities, and the next sensible move.