| Question | Answer |
| --- | --- |
| What is an IRAP assessment? | An IRAP assessment is an independent security review conducted by an ASD-endorsed IRAP assessor. It evaluates a system against the Information Security Manual (ISM) and produces a report that supports the consuming Government entity's decision on whether to authorise the system to operate |
| Is IRAP a certification? | No. IRAP is not a certification or accreditation. It produces an independent report. The decision to accept risk and operate the system sits with the consuming Government entity |
| When is an IRAP assessment required? | When a system processes, stores or communicates Australian Government information at OFFICIAL: Sensitive, PROTECTED or higher, or when an assessment is a condition of a Government procurement or contract |
| How often does IRAP need to be completed? | Typically every two years. Reassessment may be required earlier if there are material changes, determined by the system owner in consultation with stakeholders |
| What standards does IRAP assess against? | IRAP assessments are conducted against the Information Security Manual (ISM) published by the Australian Signals Directorate (ASD). ISM controls carry applicability markings (OFFICIAL: Sensitive, PROTECTED, SECRET, TOP SECRET), and PROTECTED adds controls beyond those required at OFFICIAL: Sensitive, so the assessment scope must match the highest classification of information the system will handle |
| If my cloud provider is IRAP assessed, do I still need one? | Yes. The IRAP reports of providers such as Microsoft, Amazon Web Services and Google Cloud cover only the provider's in-scope services and the controls the provider operates. Your tenancy configuration, application and data-handling controls sit on your side of the shared responsibility model and must still be assessed |
| Does ISO 27001 or SOC 2 replace IRAP? | No. An ISO 27001 certification or a SOC 2 report can accelerate readiness and supply reusable evidence, but the ISM contains Australia-specific requirements that do not map one-for-one to those frameworks, and every in-scope ISM control must still be assessed independently by an IRAP assessor |
| What does an IRAP assessment involve? | Review of the system architecture and assessment scope, validation of control design and implementation, assessment of the supporting evidence, targeted technical verification, and delivery of a formal IRAP report that rates the implementation of each in-scope ISM control and records gaps, compensating controls and strengths with reference to the relevant ISM requirements |
| How long does an IRAP assessment take? | Typically 12 to 16 weeks for a moderately complex system. Timelines depend on evidence readiness, clarity of scope, and stakeholder responsiveness |
| What drives delays in IRAP assessments? | Poorly defined scope, unclear shared responsibility, incomplete documents or evidence, and late architectural changes |
| Who owns the risk in IRAP? | The consuming Government entity owns the risk and makes the final authorisation decision. The assessor provides independent assessment, not approval |
| How is responsibility split across parties? | Security responsibility is shared between the cloud provider, any service provider building on it, and the consuming entity. The assessment must state clearly which party implements and operates each control, because controls that no party owns are the usual source of gaps |
| What happens after the IRAP assessment? | The report informs a risk-based authorisation decision by the consuming Government entity's authorising officer. Authorisation is not permanent: ongoing compliance requires continuous monitoring, change management and periodic reassessment |
| Can IRAP be accelerated? | Yes. Clear system boundaries, defined data classification, mature controls, and readily available evidence significantly reduce timelines |
| What makes an IRAP assessment “high quality”? | Clear articulation of control effectiveness, defensible evidence, realistic risk statements, and a report that stands up to Government scrutiny without rework |