
IRAP readiness, done properly.

IRAP is where most Australian SaaS and cloud vendors meet the Information Security Manual for the first time, and it's where a lot of them stall. We prepare PROTECTED-bound systems for an ASD-endorsed IRAP Assessor, close the gaps before Stage 2, and stay alongside you through the authorising authority's decision to operate. We are not IRAP assessors. We are the team that gets you ready for one.

An independent review of a system against the ISM, not a certification.

The Information Security Registered Assessors Program (IRAP) is run by the Australian Signals Directorate through the ACSC. The ACSC endorses individual assessors, who then review a system against the Australian Government's Information Security Manual (ISM) at a target classification, most commonly OFFICIAL or PROTECTED.

An IRAP Assessor does not certify, accredit, or approve a system. They produce a Security Assessment Report and a Security Controls Matrix that document how the system meets, partially meets, or does not meet each applicable ISM control. That report is then handed to the system owner and the authorising authority, who decide whether to grant an Authority to Operate (ATO).

The most common misconception is that IRAP is the outcome. IRAP is an input to a risk decision. The ATO is the outcome. A clean-looking IRAP report that the agency's authorising authority rejects is still a failure.

Without an IRAP report, you don't sell to Australian Government at PROTECTED.

Federal agencies, state governments, Defence primes, and an increasing number of critical infrastructure operators require a current IRAP report before they'll approve your SaaS or cloud service for PROTECTED workloads. In many cases, that requirement flows down to your prime contractors and partners too.

The commercial lock-out is real. SaaS vendors without a PROTECTED IRAP report are routinely disqualified at shortlist stage on Commonwealth and state tenders. Recent changes under the Cyber Security Act 2024 and the Hosting Certification Framework have tightened the posture further for cloud providers.


We don't do the assessment. We get you ready for it.

The ACSC endorses individuals as IRAP Assessors, not firms. Cliffside does not currently have endorsed assessors on our staff, and we won't pretend otherwise. Most consultancies that advertise IRAP services quietly subcontract the actual assessment anyway. We think that's worth saying out loud.

Where we add value is in the 90% of the programme that sits either side of the assessor's involvement: scoping the system, designing controls that meet ISM requirements, building the evidence base, remediating the gaps between Stage 1 and Stage 2, and helping the authorising authority say yes.

Our consultants have been certified ISO 27001 Lead Auditors since 2008, hold Essential Eight assessor credentials, and have delivered security programmes for Commonwealth and state government clients. The ISM builds on the same foundations, and most of our clients find that getting their ISO 27001 ISMS in shape first de-risks the IRAP assessment substantially.

When you're ready for the formal assessment, we help you select an ASD-endorsed assessor, brief them properly, and manage the engagement. If an assessor has recommended you already, we can slot in around their timeline.

What we do

  • IRAP readiness gap assessment against ISM controls
  • System scoping and classification targeting
  • Control design, uplift, and hardening
  • Evidence base construction
  • Pre-assessment dry run using ISM controls
  • Assessor shortlist, briefing, and engagement
  • Between-stages remediation
  • Residual risk narrative for the ATO authority
  • Ongoing ISM alignment and 24-month re-assessment prep

What we don't do

  • The formal IRAP assessment itself
  • Issue the Security Assessment Report
  • Grant your ATO (only the authorising authority can)

The five stages, from scoping to re-assessment.

The formal assessment is built around two reviews: design (Stage 1) and implementation (Stage 2). The work that surrounds them is where most engagements succeed or fail.

STAGE 01
Define the scope

Agree the system boundary, classification target (usually PROTECTED), and which ISM controls apply. Scope errors at this stage cost the most to fix later, because every in-scope component has to be assessed.

STAGE 02
Design assessment (Stage 1)

The IRAP Assessor reviews the system's design documentation, policies, and planned controls against the ISM. This is where architectural gaps surface. Findings are documented and you get time to remediate before the implementation review.

STAGE 03
Implementation assessment (Stage 2)

The assessor reviews the deployed system: configurations, operational controls, evidence, and logs. Controls that looked fine on paper at Stage 1 frequently fail here because the build drifted from the design.

STAGE 04
Security Assessment Report

The assessor produces the SAR and Security Controls Matrix. These are handed to the system owner, who presents them to the authorising authority for a risk-based decision to operate (ATO) at the target classification.

STAGE 05
Re-assessment cycle

PROTECTED IRAP reports are typically refreshed every 24 months, with delta re-assessments for material changes. Agencies increasingly ask for recent reports; an IRAP from 2022 carries less weight than one from 2025.

If any of these describe you, IRAP is probably on your roadmap.

IRAP is triggered by who you sell to and what data you handle, not by your size. Startups and multinationals both end up in the same PROTECTED queue.

PERSONA 01
SaaS vendors selling to Australian Government

Any SaaS platform that will store, process, or transmit PROTECTED information on behalf of a Commonwealth or state agency. Includes CRM, ticketing, analytics, collaboration, and increasingly AI tooling as agencies move workloads into managed services.

Trigger: a government tender that lists "current PROTECTED IRAP report" as mandatory, or a prime contractor passing the requirement down.

PERSONA 02
Cloud and hosting providers targeting PROTECTED workloads

Infrastructure providers, managed service providers, and Australian regions of hyperscalers seeking placement on agencies' Certified Cloud Service Lists and alignment with the Hosting Certification Framework. The ISM bar is high and the evidence expectations are intense.

Trigger: pursuing Commonwealth hosting work, state government cloud panels, or Defence Industry Security Program engagement.

PERSONA 03
Defence industry and critical infrastructure suppliers

DISP members, critical infrastructure operators under the SOCI Act, and vendors in Defence supply chains where PROTECTED handling is expected. IRAP sits alongside DISP membership and SOCI obligations, and the three increasingly converge at assessment time.

Trigger: a DISP membership renewal, a SOCI risk management programme requirement, or a Defence prime requiring ISM-aligned evidence.

Where IRAP assessments actually fail.

Across dozens of readiness engagements, the same findings appear again and again. Fixing them before an ASD-endorsed assessor arrives is far cheaper than fixing them between Stage 1 and Stage 2 with an invoice meter running.

01
Logging and monitoring gaps

ISM requires specific event classes to be logged, retained, and reviewed. Most SaaS vendors log application events but miss authentication, privileged activity, and security-relevant configuration changes, or cannot prove review. This is one of the most common non-compliant findings at Stage 2.
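As an added illustration (this is not Cliffside's tooling, and the event names, the REQUIRED_CLASSES mapping and the review register are all constructed for the example), the check below reads a handful of JSON log lines, counts events in the three classes the finding above names as commonly missing (authentication, privileged activity, security-relevant configuration changes), reports any class with no events at all, and computes how stale the newest documented log review is. The ISM's event-logging guidelines remain the authoritative list of what must be captured; the mapping here is only a hypothetical shape for such a check.

```python
"""
Added example, not part of the original page: a log-coverage and review-evidence
check for the event classes most often missing at Stage 2. All sample data is
constructed; REQUIRED_CLASSES is a hypothetical mapping, not the ISM's list.
"""
import json
from datetime import datetime, timezone

# Constructed sample: JSON lines as a SaaS platform might emit them. Note the
# absence of any privileged-activity event, and the MFA setting being switched
# off, which is exactly the kind of security-relevant change that must be logged.
SAMPLE_LOG = """
{"ts": "2025-03-01T09:00:01Z", "event": "http.request", "path": "/api/tickets", "status": 200}
{"ts": "2025-03-01T09:00:05Z", "event": "auth.login.failure", "user": "alice", "src": "203.0.113.7"}
{"ts": "2025-03-01T09:01:10Z", "event": "auth.login.success", "user": "alice", "src": "203.0.113.7"}
{"ts": "2025-03-01T10:15:00Z", "event": "http.request", "path": "/api/reports", "status": 200}
{"ts": "2025-03-01T11:30:00Z", "event": "config.change", "key": "mfa.required", "old": true, "new": false, "actor": "bob"}
"""

# Hypothetical mapping from event-name prefix to the event class it evidences.
REQUIRED_CLASSES = {
    "authentication": ("auth.",),
    "privileged_activity": ("admin.", "sudo.", "role.grant", "role.revoke"),
    "config_change": ("config.",),
}

# Constructed review register: one sign-off line per completed log review.
REVIEW_REGISTER = [
    {"reviewed_through": "2025-02-14T00:00:00Z", "reviewer": "carol"},
]


def classify(event_name):
    """Map an event name to a required class, or None if it is application noise."""
    for cls, prefixes in REQUIRED_CLASSES.items():
        if any(event_name.startswith(p) for p in prefixes):
            return cls
    return None


def coverage_report(log_text):
    """Return {class: event_count} for every required class; 0 marks a gap."""
    counts = {cls: 0 for cls in REQUIRED_CLASSES}
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        cls = classify(rec["event"])
        if cls is not None:
            counts[cls] += 1
    return counts


def missing_classes(log_text):
    """Sorted list of required classes with no events at all."""
    return sorted(c for c, n in coverage_report(log_text).items() if n == 0)


def _parse_ts(iso_ts):
    # Python < 3.11 does not accept a trailing 'Z' in fromisoformat.
    return datetime.fromisoformat(iso_ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def review_gap_days(register, as_of_iso):
    """Days between the newest review sign-off and as_of; None if no sign-off exists."""
    if not register:
        return None
    latest = max(_parse_ts(r["reviewed_through"]) for r in register)
    return (_parse_ts(as_of_iso) - latest).days


def findings(log_text, register, as_of_iso, max_review_gap_days=7):
    """Human-readable findings an internal dry run would raise."""
    out = [f"no events logged for class: {c}" for c in missing_classes(log_text)]
    gap = review_gap_days(register, as_of_iso)
    if gap is None:
        out.append("no evidence of log review")
    elif gap > max_review_gap_days:
        out.append(f"log review overdue: last sign-off {gap} days before {as_of_iso}")
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG, REVIEW_REGISTER, "2025-03-01T00:00:00Z"):
        print(f)
```

The point of the second check is the one the finding makes: a log that nobody has demonstrably reviewed does not evidence the control, so the register of sign-offs is as much part of the evidence base as the log stream itself.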

02
Cryptography that doesn't meet AACP

ISM references the ASD Approved Cryptographic Protocols and Algorithms. Default TLS configurations, KMS settings, and at-rest encryption choices often fall outside the approved set, particularly for legacy components. Fixing this in production retrospectively is painful.
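As an added example (not Cliffside's code or tooling), the script below parses the `ssl_protocols` and `ssl_ciphers` directives from an nginx-style server block and flags the kind of legacy default the finding above describes, alongside a hardened configuration that passes. Both configurations are constructed. The allow-pattern (forward-secret ECDHE/DHE key exchange with AES-GCM) and the legacy markers (RC4, DES/3DES, MD5, NULL, export suites) are a simplified stand-in for the ISM's approved protocols and algorithms, not a copy of that list; the current ISM is the authoritative reference for what is actually approved.

```python
"""
Added example, not part of the original page: a TLS configuration lint that
contrasts a legacy default with a hardened block. The approved set encoded
here is a simplified stand-in; consult the ISM for the authoritative list.
"""
import re

# Constructed sample: a legacy default that still offers TLS 1.0/1.1 and
# legacy or non-AEAD cipher suites.
LEGACY_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:DES-CBC3-SHA:RC4-SHA;
}
"""

# Constructed sample: the corrected form of the same block.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
}
"""

# TLS 1.0 and 1.1 are not acceptable; only 1.2 and 1.3 pass this check.
APPROVED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Simplified stand-in for an approved suite shape (OpenSSL naming):
# forward-secret key exchange, RSA or ECDSA authentication, AES in GCM mode.
SUITE_PATTERN = re.compile(r"^(ECDHE|DHE)-(ECDSA|RSA)-AES(128|256)-GCM-SHA(256|384)$")

# Substrings that mark a suite as legacy regardless of anything else.
LEGACY_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")


def parse_directives(config_text):
    """Extract ssl_protocols (space-separated) and ssl_ciphers (colon-separated)."""
    found = {"ssl_protocols": [], "ssl_ciphers": []}
    for m in re.finditer(r"^\s*(ssl_protocols|ssl_ciphers)\s+([^;]+);", config_text, re.M):
        name, value = m.group(1), m.group(2).strip()
        found[name] = value.split() if name == "ssl_protocols" else value.split(":")
    return found


def check_tls_config(config_text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    directives = parse_directives(config_text)
    findings = []
    for proto in directives["ssl_protocols"]:
        if proto not in APPROVED_PROTOCOLS:
            findings.append(f"protocol not approved: {proto}")
    for suite in directives["ssl_ciphers"]:
        if any(marker in suite for marker in LEGACY_MARKERS):
            findings.append(f"legacy cipher suite: {suite}")
        elif not SUITE_PATTERN.match(suite):
            findings.append(f"suite outside simplified approved shape: {suite}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, check_tls_config(cfg) or "no findings")
```

Run against deployed configuration rather than the design document: the finding above is about defaults that drifted from the intended design, which is what Stage 2 examines.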

03
Personnel security and citizenship controls

ISM requires personnel with access to PROTECTED systems to hold an Australian Government security clearance at the appropriate level. Offshore support staff, contractor access, and third-party engineers are where most vendors discover they have a problem.

04
Data sovereignty and hosting location

PROTECTED systems generally must be hosted on a Certified Cloud Service List provider in Australian regions. If your system or any dependency sits outside Australia, the ATO decision becomes much harder, regardless of how well the controls are implemented.

05
Evidence that does not exist yet

ISM controls are not satisfied by policy statements; they need evidence of operation. Change tickets, patching records, vulnerability scan outputs, incident drills, access reviews. Vendors routinely arrive at Stage 2 with controls in place but no evidence they've been operating. The assessor cannot accept 'trust us'.

06
Scope drift during the engagement

Six months into readiness, a new feature ships, a new integration goes live, or a region expands. Every uncontrolled change risks dragging new components into scope. Without a scoping and change governance discipline, assessments that looked 90% done suddenly aren't.

Our IRAP-readiness engagements.

We structure engagements around your target assessment date and the authorising authority's expectations. Every phase has a deliverable; every deliverable has a purpose the assessor will recognise.

01
IRAP readiness gap assessment

A structured review of your system against the ISM controls that apply at your target classification. We produce a prioritised findings list, remediation roadmap, and honest assessment of how realistic your target date is. Typically two to four weeks. Included within a Lighthouse Assessment if IRAP is your stated goal.

02
ISM uplift and remediation

We work alongside your engineering and security teams to close the findings. Logging architecture, cryptography hardening, personnel processes, evidence collection, and change governance. We build the controls so they actually operate, not just so they look right on paper for the assessment.

03
Pre-assessment dry run

Before you engage an ASD-endorsed assessor, we run a dry-run assessment using the same ISM controls and evidence standards a real IRAP Assessor will apply. Most of our clients would rather fail the dry run with us than fail Stage 2 with an external assessor on the clock.

04
Assessor engagement and liaison

We help you shortlist, brief, and engage an ASD-endorsed IRAP Assessor. During the assessment, we act as the technical counterparty so your engineering team stays building, and we own remediation of any findings that emerge between Stage 1 and Stage 2.

05
ATO and authorising authority support

A Security Assessment Report is the input to the authorising authority's risk decision, not the decision itself. We help you translate assessor findings into a clear residual risk narrative, supporting documentation, and the Letter to the ATO Authority that makes acceptance more likely.

06
Ongoing ISM alignment

PROTECTED means continuous compliance, not a point-in-time event. We run internal audits, monitor control effectiveness, manage delta changes, and prepare you for 24-month re-assessments so your ATO stays current with minimal engineering disruption.

Frequently asked questions.

What is an IRAP assessment?

An IRAP (Information Security Registered Assessors Program) assessment is an independent security review of an ICT system against the Australian Government's Information Security Manual (ISM). It is conducted by an ASD-endorsed IRAP Assessor and produces a Security Assessment Report that system owners use to make a risk-based decision about operating the system at a given classification. IRAP does not issue certifications; the authorising authority accepts or rejects the residual risk.

Is Cliffside an ASD-endorsed IRAP Assessor?

No. The ACSC endorses individual assessors, not firms, and Cliffside does not currently hold endorsed assessors on staff. We deliberately position as an IRAP-readiness and pre-assessment partner: we prepare you for the assessment, remediate the gaps between Stage 1 and Stage 2, and maintain ISM alignment afterwards. When you're ready for the formal assessment, we help you select and engage an ASD-endorsed assessor.

How long does an IRAP assessment take?

The formal IRAP assessment itself typically runs 4 to 12 weeks depending on system complexity and scope. Realistic end-to-end timelines, from deciding you need IRAP to receiving a usable Security Assessment Report, are 6 to 12 months for most SaaS vendors. The assessment is usually the short part. Preparing for it, closing findings, and building the evidence base is where most of the time goes.

How much does an IRAP assessment cost in Australia?

Assessor fees for a PROTECTED-level IRAP assessment typically range from $80,000 to $250,000+ depending on system complexity, control scope, and the assessor firm engaged. That excludes readiness work, remediation, tooling, and internal effort, which often cost as much or more than the assessment itself. Budget the full programme, not just the assessor invoice.

Do we need IRAP if we already have ISO 27001?

They overlap but do not substitute. ISO 27001 certifies a management system. IRAP assesses a specific system against ISM controls for Australian government use. If your only goal is selling to Australian government at PROTECTED, ISO 27001 alone will not satisfy the authorising authority. If your goal is broader commercial trust, ISO 27001 is usually the starting point and significantly reduces the IRAP preparation workload.

What classifications does IRAP cover?

IRAP assessments cover systems handling OFFICIAL, OFFICIAL: Sensitive, PROTECTED, SECRET, and TOP SECRET information. The vast majority of commercial IRAP work is at PROTECTED, which is the level most Australian Government agencies require for their cloud and SaaS vendors. SECRET and TOP SECRET assessments are rare outside Defence and Intelligence community vendors.

What happens if the IRAP report shows non-compliance with ISM controls?

The IRAP Assessor documents every finding, including non-compliant and compensating controls. The system does not fail; it is the authorising authority's job to accept, reject, or require remediation of the residual risk. Most first-time assessments have dozens of findings. The goal of readiness work is to make sure the findings that remain are ones the authorising authority can reasonably accept.

Tell us honestly where you are.

Tell us your target classification, your commercial deadline, and what state your controls are in. We'll give you an honest read on timeline, cost, and whether you're ready to engage an ASD-endorsed assessor now or six months from now. No obligation.