Frontrow Technology
← All insights & guides
Guide

Compliance

IRAP Assessments Explained: Process, Cost Drivers and Readiness for Selling to the Australian Government (2026)

An IRAP assessment tests a system against the Australian Government ISM via an ASD-endorsed assessor. No certificate, only a report. Checked July 2026.

Sam Williams · 19 July 2026 · 8 min read

An IRAP assessment is an independent evaluation of an ICT system against the Australian Government Information Security Manual (ISM), carried out by an assessor endorsed under the Australian Signals Directorate's Infosec Registered Assessors Program. It produces a report and controls matrix that government agencies use to decide whether to authorise the system. It is not a certification.

That last point matters from the first tender response. Agencies buying services that touch government data will ask whether a current IRAP assessment exists and at what classification level. This guide explains how the process works in 2026 and how a supplier running on Microsoft 365 gets ready.

What does an IRAP assessor actually do?

IRAP is the Infosec Registered Assessors Program, run by the Australian Signals Directorate. ASD endorses experienced security professionals who have passed its exams and hold detailed knowledge of the ISM. An endorsed assessor examines a defined system against the in-scope ISM controls and writes up what they found, including the risks that remain.

The nominated classification level shapes everything. Most commercial cloud and SaaS assessments are scoped at OFFICIAL: Sensitive or PROTECTED, where the bulk of federal agency data sits. Assessments at SECRET and above involve additional government arrangements and rarely apply to commercial suppliers.

"IRAP Assessors do not accredit, certify, endorse or register systems on behalf of ASD."
Australian Signals Directorate, cyber.gov.au

That sentence from ASD's own program page is the most misunderstood part of IRAP. The output of an assessment is a report, and the report approves nothing on its own. The authorising officer inside each consuming agency weighs the reported residual risks against their own threat picture and decides whether to grant an authority to operate.

Who needs an IRAP assessment?

IRAP sits in the path of any organisation that wants federal agencies as customers. The usual candidates:

  • SaaS providers whose service would store or process Australian Government data at OFFICIAL: Sensitive or above.
  • Managed service providers hosting, administering or monitoring systems on behalf of an agency.
  • Systems integrators delivering a platform an agency will operate, where the agency wants independent assurance before authorising it.
  • Government entities themselves, which engage IRAP assessors to review their own systems ahead of authorisation decisions.

For cloud services, ASD's cloud assessment and authorisation framework describes how agencies consume the result. The assessment phase produces a Cloud Security Assessment Report and a Cloud Controls Matrix. Each agency then performs its own risk assessment on those artefacts and issues its own authority to operate. One assessment can serve many agencies, but every agency authorises separately.

How does the IRAP assessment process work?

ASD's IRAP Common Assessment Framework structures an engagement in four stages.

  1. 1Plan and prepare. The assessor and the system owner agree the approach, the timing and the evidence that will be needed.
  2. 2Define the boundary. This is where scope is set: which components, data flows and supporting services sit inside the assessment, and at what classification level. A sloppy boundary is the most common cause of blown budgets.
  3. 3Assess the controls. The assessor tests the in-scope ISM controls, looking at how each one is implemented in practice rather than how the policy documents say it should be.
  4. 4Produce the report. The minimum deliverables are a Security Assessment Report written for authorising officers and risk owners, plus a Controls Matrix for the technical staff who will run and integrate the system.

ASD does not publish a standard timeline. Guides from assessment firms commonly quote eight to 24 weeks for the assessment itself, depending on complexity and documentation readiness. The preparation beforehand usually takes longer than the assessment does.

How much does an IRAP assessment cost?

There is no official price list. ASD sets no fees and keeps no rate card, and its consumer guidance recommends obtaining at least three quotes before engaging an assessor. Published figures vary so widely between firms that quoting a range here would mislead. What pushes the number up or down:

  • Classification level. PROTECTED brings materially more controls into scope than OFFICIAL: Sensitive.
  • Boundary size. Every component and integration inside the boundary adds controls to test.
  • Documentation maturity. Assessors charge for time, and missing or stale documents consume a lot of it.
  • Remediation. Gaps found mid-assessment either land in the report as risks or trigger rework and re-testing.
  • Architecture. A single-tenant service on one cloud platform assesses faster than a sprawling multi-platform estate.

In most engagements the assessor's fee is the smaller line item. The larger spend is the uplift beforehand: closing control gaps and building the evidence trail. That is the part a supplier controls, and tight scoping plus early preparation is the only reliable way to keep the total down.

Is Microsoft 365 IRAP assessed?

Yes. Microsoft published its latest round of IRAP assessments on 26 March 2026, covering Microsoft Azure, Microsoft 365 and Dynamics 365 for workloads up to and including the PROTECTED level. The assessments were carried out by Neon Cloud, an ASD-endorsed IRAP assessor, and the full reports sit in the Australia section of the Microsoft Service Trust Portal, where customers and agencies can download them.

This matters to any supplier building on Microsoft's cloud. Controls Microsoft has already had assessed, such as physical data centre security, hypervisor isolation and platform-level encryption, do not need re-proving by every product running on top. Your own assessment boundary shrinks to the layers you control: tenant configuration, identity, application code and data handling.

On Microsoft 365, those layers live mostly in four products. Identity and access policy sits in Microsoft Entra ID, device compliance in Microsoft Intune, information protection in Microsoft Purview and threat protection in Microsoft Defender. IRAP readiness on this stack is largely a configuration and evidence exercise, carried out on a platform whose own IRAP reports are already on the table.

How do the ISM, the PSPF and the Essential Eight fit together?

Three frameworks get conflated in tenders, and they do different jobs. The Protective Security Policy Framework is government policy: it tells entities what outcomes their protective security must achieve, and it points at the ISM as the control set for technology. The ISM is ASD's detailed catalogue of cyber security controls, the thing an IRAP assessor actually tests against. The Essential Eight is ASD's prioritised baseline of mitigation strategies, which the PSPF requires non-corporate Commonwealth entities to implement to Maturity Level 2.

The practical trap is treating Essential Eight maturity as proof of IRAP readiness. An Essential Eight assessment covers eight mitigation strategies. An IRAP assessment covers the far broader ISM catalogue, from personnel security through to system documentation. Strong Essential Eight maturity is a genuine head start, since its strategies map onto ISM controls, but it is a subset that skips whole domains.

Two things around IRAP are changing in 2026. In June 2026, ASD opened consultation on evolving the Essential Eight into a broader Essentials series, to be phased in over roughly two years while the Essential Eight remains supported. Separately, the Hosting Certification Framework, the Home Affairs scheme certifying data centre providers for government workloads, paused new registrations from 3 November 2025 while reforms are under way. Neither change alters how IRAP operates today.

What does IRAP readiness look like for a Microsoft 365 supplier?

A realistic path for a mid-size supplier that wants a PROTECTED-capable service without losing a year to false starts:

  1. 1Establish the baseline. Score Essential Eight maturity first, because it is fast and shows where the fundamentals stand. Then run an ISM gap assessment scoped to the intended boundary and classification level.
  2. 2Uplift the tenant. Phishing-resistant MFA and privileged access controls in Microsoft Entra ID, device hardening and compliance policies in Microsoft Intune, sensitivity labels and data loss prevention in Microsoft Purview, endpoint protection and attack surface reduction in Microsoft Defender.
  3. 3Write the system documentation. A system security plan, an incident response plan and the operational procedures the ISM expects, describing the system as it actually runs.
  4. 4Collect evidence continuously. Configuration exports, policy screenshots and audit logs gathered during the uplift save weeks once the assessor arrives.
  5. 5Engage an IRAP assessor. Go to market with a defensible boundary, documents that match reality and, as ASD suggests, at least three quotes.

Frontrow is a Microsoft partner, not an IRAP assessor, and the two roles should stay separate: the firm that built your controls should not be the one judging them. Frontrow works the readiness side, the ISM gap analysis and the tenant uplift across the four products above, so the assessor you engage finds a system with its evidence in order.

Try it

Start with your Essential Eight score

Before scoping an ISM gap assessment, find out where your baseline sits. Frontrow's Essential Eight self-assessment takes about five minutes and shows which maturity level your current Microsoft 365 controls support. It is the natural first step on an IRAP readiness path.

Score each of the 8 strategies

Where are you on the Essential Eight — honestly?

Eight strategies. Four levels each. Pick the statement closest to your reality today. We'll map it to the Microsoft 365 tooling that closes the gap.

What's your target Maturity Level?

Maturity Level 2 — most orgs' pragmatic target

  • 01

    Application control

    Only approved applications can execute on workstations and servers.

  • 02

    Patch applications

    Internet-facing apps, browsers, Office, PDF readers patched promptly.

  • 03

    Microsoft Office macros

    Macros disabled unless from trusted locations and signed by a trusted publisher.

  • 04

    User application hardening

    Web browsers and productivity apps hardened against the most common attacks.

  • 05

    Restrict administrative privileges

    Admin accounts limited, separated and reviewed — the crown jewels of the tenant.

  • 06

    Patch operating systems

    Operating system patches applied on a schedule that matches the risk.

  • 07

    Multi-factor authentication

    MFA everywhere that matters — privileged accounts, remote access, important data.

  • 08

    Regular backups

    Backups of important data, configuration and software — and restores you have actually tested.

Common questions

Frequently asked

Is an IRAP assessment a certification?
No. ASD states that IRAP assessors do not accredit, certify, endorse or register systems on its behalf. The assessment produces a report and a controls matrix, and the authorising officer in each consuming agency decides whether to authorise the system on that evidence.
How long does an IRAP assessment take?
There is no official timeline. Guides published by assessment firms commonly quote eight to 24 weeks for the assessment itself, driven by boundary size and documentation readiness. The uplift work beforehand often takes longer than the assessment does.
How much does an IRAP assessment cost?
ASD publishes no fee schedule and assessments are commercial engagements, so prices vary with scope. The main drivers are the classification level and the size of the assessment boundary, plus how much remediation is needed first. ASD recommends obtaining at least three quotes.
Is Microsoft 365 IRAP assessed at PROTECTED?
Yes. Microsoft's 2026 IRAP assessments, published on 26 March 2026, cover Microsoft 365, Azure and Dynamics 365 for workloads up to and including PROTECTED. The reports are available from the Australia section of the Microsoft Service Trust Portal.
Does Essential Eight Maturity Level 2 make us IRAP-ready?
No. The Essential Eight covers eight mitigation strategies, while an IRAP assessment tests the much broader ISM control catalogue, including domains such as personnel security and system documentation. Maturity Level 2 is a strong foundation, but an ISM gap assessment will still surface work.

Want Frontrow to run this with your team?

A 30-minute call with a senior consultant. No deck. Frontrow walks through your tenant, your priorities and the next sensible move.