An IRAP assessment is an independent security evaluation of a system against the Australian Government’s Information Security Manual. It does not certify or pass a system. It produces a report that a government entity uses to make its own risk-based decision about whether to let your product handle its data.
That distinction trips up a lot of Melbourne SMEs chasing their first government contract. They hear “you need IRAP” and assume it works like an ISO certificate you hang on the wall. It doesn’t. If you’re selling cloud, SaaS or managed services into a Commonwealth or state agency, understanding what IRAP actually is — and what it isn’t — saves you a lot of wasted money and a few uncomfortable conversations with a procurement officer.
What IRAP actually is
IRAP stands for the Infosec Registered Assessors Program. It’s run by the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC). ASD endorses a pool of independent assessors — IRAP assessors — who are trained and authorised to evaluate the security of ICT systems against Commonwealth requirements.
The benchmark those assessors measure against is the ASD Information Security Manual (ISM). The ISM is a large, regularly updated document of security controls covering everything from cryptography and access control to physical security and personnel vetting. When an IRAP assessor reviews your system, they’re checking how it implements the relevant ISM controls for the classification of data it will handle.
The critical thing to grasp: an IRAP assessor produces a security assessment report. They document what controls are in place, what’s missing, what the residual risks are, and how well the system aligns to the ISM. They do not issue an “IRAP certified” stamp. There is no pass mark. The assessor’s job is to give a clear, evidence-based picture of the system’s security posture so that someone else can make a decision.
The classification levels you’ll hear about
Australian Government data is classified by the damage its compromise would cause. For most SMEs selling into government, three levels matter:
- OFFICIAL — routine government information, the bulk of day-to-day public sector data. Low sensitivity.
- OFFICIAL:Sensitive — information that needs limited dissemination because its compromise could cause limited damage (personal information, commercially sensitive material, some law enforcement data).
- PROTECTED — information whose compromise could cause damage to the national interest, organisations or individuals. This is the first of the security-classified tiers and the threshold where IRAP work gets serious.
Above PROTECTED sit SECRET and TOP SECRET, but if your business is operating at those levels you’re not reading a blog post to work out what to do next. For the overwhelming majority of Melbourne SMEs, the conversation is about OFFICIAL, OFFICIAL:Sensitive or PROTECTED. The higher the classification, the more ISM controls apply and the more rigorous the assessment.
Assessment, not certification — why it matters
This is the single most misunderstood part of the whole process, so it’s worth being blunt about it.
IRAP gives the agency an assessment. The agency itself — specifically its authorising officer — then makes the authorisation decision: do we accept the residual risk of using this system for our data, or don’t we? That decision is theirs, based on their risk appetite, their other controls, and the criticality of the data involved.
Two agencies can read the same IRAP report and reach different decisions. One might authorise your platform for OFFICIAL:Sensitive data; another might decline pending remediation of a control you didn’t think mattered. The report is the input. The risk-based authorisation is the output, and it doesn’t belong to you or your assessor.
So when a salesperson tells you their product is “IRAP certified”, they’re using shorthand that doesn’t really exist. What they usually mean is that the product has been through an IRAP assessment at a particular classification level. Whether that’s enough for your target agency is a separate question.
The gap between “we use a PROTECTED cloud” and “our system is assessed”
Here’s where we see Melbourne businesses come unstuck. A construction-tech firm in Cremorne we work with had built a project management SaaS product on Microsoft Azure. They’d seen that Azure has Australian regions assessed at PROTECTED, and they went to a government tender assuming that covered them. It didn’t.
Running on a PROTECTED-assessed cloud platform means the underlying infrastructure has been assessed. It says nothing about your application sitting on top of it — your code, your access controls, your data flows, your administrative practices, your logging, your backup arrangements. The cloud provider’s assessment covers their layer of the stack. Yours is still unassessed.
This is the shared responsibility model, and IRAP follows it precisely. Microsoft, AWS and others publish their IRAP assessment reports for their platforms. That’s genuinely useful — it means the infrastructure layer is a known quantity and you inherit a set of controls. But the agency buying your SaaS wants to know that the whole system, including your part of it, meets the ISM at the required classification. Inheriting controls from your provider is the start of the work, not the end of it.
A useful way to frame it internally: the cloud provider’s IRAP report answers “is this platform secure enough to build on?” Your IRAP report answers “is the thing we built actually secure?” You need the second one to win the contract.
When does a Melbourne SME actually need IRAP?
You need to engage with IRAP when you’re selling a system that will store, process or transmit government data — typically a cloud or SaaS product, but also managed services where your staff touch the agency’s information. The trigger is usually written into the tender or contract: the agency requires an IRAP assessment at OFFICIAL:Sensitive or PROTECTED before they’ll let your system handle their data.
You probably don’t need it if:
- You’re selling a one-off product or hardware with no ongoing access to government data.
- The agency is consuming your service entirely within their own assessed environment.
- You’re a sub-supplier and the prime contractor carries the assessment obligation (check this carefully — sometimes it flows down to you).
For a lot of SMEs, the honest answer is “not yet, but soon”. If government is on your roadmap, building to the ISM early is far cheaper than retrofitting later. Much of the groundwork — proper identity and access management, hardened Microsoft 365, comprehensive logging, documented backup and recovery — overlaps heavily with the Essential Eight and with general security maturity you should be pursuing regardless. We cover the foundations in our guide on getting Essential Eight aligned in 90 days, and a lot of that work is directly reusable as IRAP evidence.
How the process works
An IRAP assessment isn’t a single audit you book and pass. It runs in stages.
1. Scoping. You define the system boundary — exactly what’s being assessed — and the target classification. Get this wrong and you’ll either over-spend assessing things that don’t need it, or under-scope and fail to cover what the agency cares about.
2. Documentation and control implementation. You build the security documentation set: a System Security Plan, risk assessment, incident response plan, and so on. Crucially, you actually implement the ISM controls. This is where most of the cost and calendar time lives.
3. Stage 1 assessment. The IRAP assessor reviews your design and documentation against the ISM and identifies gaps before you’ve gone too far.
4. Stage 2 assessment. The assessor tests and verifies that controls are genuinely implemented and effective — not just written down. They produce the security assessment report.
5. Authorisation. You hand the report to the agency. Their authorising officer makes the risk-based decision and, if satisfied, grants authority to operate for the relevant data.
It doesn’t end there. Authorisations are time-bound and the ISM changes. You’ll need to maintain your controls, monitor continuously, and re-assess periodically. IRAP is an ongoing commitment, not a one-time hurdle.
Be honest about the cost and effort
This is not a cheap or quick exercise, and anyone telling you otherwise hasn’t done one. The assessor’s fee alone for a PROTECTED assessment of a non-trivial system commonly runs well into five figures and can reach into six. But the assessor’s invoice is the small part.
The real cost is the remediation and documentation work to get your system ISM-ready before the assessor arrives. For most SMEs that’s months of engineering and governance effort: implementing controls, writing the security plan, building the logging and monitoring, hardening identity, formalising change management. If you go into the assessment unprepared, you’ll pay the assessor to tell you what you already should have known, then pay again for the re-assessment after you fix it.
| Common assumption | The reality |
|---|---|
| “IRAP is a certification we pass” | It’s an assessment; the agency authorises (or doesn’t) |
| “Our cloud is PROTECTED, so we’re covered” | Only the infrastructure is — your application still needs assessing |
| “It’s a one-off audit” | Authorisations are time-bound; controls need ongoing maintenance |
| “The assessor fee is the main cost” | Remediation and documentation usually cost far more |
| “We’ll be ready in a few weeks” | Realistic preparation runs months for most SMEs |
Where TechAssist fits
We’re a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers and a 24/7 NOC in Tecoma. We’re not an IRAP assessor — and you should be wary of anyone who both prepares your system and assesses it, because that’s a conflict of interest the ISM frowns on. What we do is the readiness work: getting your environment to the standard where an independent IRAP assessment goes smoothly rather than turning into an expensive list of findings.
That means hardening your Microsoft 365 tenant, implementing the access controls and logging the ISM expects, building the backup and recovery posture, and documenting it all so the assessor has evidence rather than promises. Because we run fixed monthly managed IT with Australian engineers, the same team that maintains your environment is the team that prepares it for assessment — there’s no offshore handoff and no hourly meter running while you scope the work.
Frequently asked questions
Is there such a thing as “IRAP certification”?
No. IRAP produces a security assessment report against the ISM. The government entity makes the authorisation decision. “IRAP certified” is common shorthand, but technically there’s no certificate — there’s an assessment and an agency’s risk-based authority to operate.
Does running on Azure or AWS PROTECTED regions cover my SaaS?
No. The cloud provider’s IRAP assessment covers their infrastructure. Your application, configuration, access controls and processes sitting on top still need their own assessment. You inherit some controls, but the system you built is your responsibility under the shared responsibility model.
How long does an IRAP assessment take?
The assessment activity itself can be weeks, but realistic preparation — implementing ISM controls and producing the documentation — typically runs several months for an SME doing it properly the first time. The clock is dominated by readiness work, not the assessor’s review.
Do small businesses ever really need this?
Yes, if you’re selling cloud, SaaS or services that touch government data at OFFICIAL:Sensitive or PROTECTED. The requirement is usually in the tender. If government is on your roadmap, building to the ISM and the Essential Eight early makes the eventual assessment dramatically cheaper.
Can an MSP do the IRAP assessment for us?
Only an ASD-endorsed IRAP assessor can perform the assessment, and they should be independent from whoever prepared your system. An MSP like us does the readiness and remediation; a separate IRAP assessor does the evaluation. Keeping those roles separate protects the integrity of the report.
If government work is on your horizon and you’re not sure how far your current environment is from ISM expectations, get in touch. We’ll give you an honest read on the gap before you spend a cent on an assessor.
