Home > Services > IRAP Assessment

IRAP

IRAP assessment for government-grade assurance

ASD-aligned security assessment for cloud and on-premise systems serving Australian government. Delivered by our in-house IRAP assessor — not outsourced.

Book Your Assessment Explore Services

AGSVA Cleared Team Canberra-Based In-House IRAP Assessor

IRAP Assessment

Assessment Status

System Architecture Review COMPLETE

ISM Control Assessment COMPLETE

Vulnerability Assessment IN PROGRESS

Security Assessment Report PENDING

Cloud Assessment PENDING

IRAP Assessor

ON STAFF

ISM Controls

247

Assessed

The challenge

Why IRAP assessment matters

Government customers require IRAP

Your cloud platform or system needs IRAP certification to serve Australian government clients, but the assessment process feels opaque and resource-intensive.

Long wait times with external assessors

IRAP assessors are in high demand. External engagements can mean long lead times and limited availability when you need assessment quickly.

ISM complexity

The Information Security Manual has hundreds of controls. You need an assessor who understands which controls apply to your specific system and architecture.

What you get

What's included in IRAP Assessment

System architecture review

Assessment of your system architecture against ISM security principles and ASD guidelines.

ISM control assessment

Evaluation of applicable ISM controls for your specific system classification and deployment model.

Vulnerability assessment

Technical security testing aligned to the IRAP assessment methodology.

Security Assessment Report (SAR)

Comprehensive report documenting assessment findings, risk ratings, and recommendations.

Cloud assessment

Assessment of cloud service provider controls and shared responsibility model where applicable.

Remediation guidance

Prioritised recommendations for addressing identified gaps before or after certification.

Case study to be inserted here

Right for you

Who should consider IRAP assessment

Cloud and SaaS providers

You're building platforms that serve Australian government and need IRAP certification to access that market.

Government agencies

You need independent IRAP assessment of internal systems or third-party services to meet ISM and PSPF obligations.

Defence technology companies

You're developing systems for Defence or national security clients that require assessed security postures.

"Having an assessor who understood both cloud architecture and government security requirements made the process far more efficient than we expected."

CTO, Cloud Platform Provider (anonymised)

247

ISM controls assessed

12w

Assessment timeline

Agencies now served

ASD

Aligned assessment

Common questions

Frequently asked questions

Do you have an IRAP assessor on staff?

Yes. Our IRAP assessor is a member of the Strategic Cyber team — not outsourced or subcontracted. This means faster engagement, tighter communication, and consistent quality throughout the assessment.

How long does an IRAP assessment take?

Timelines vary based on system complexity and classification level. A typical assessment for a cloud platform takes 8–16 weeks including both Stage 1 and Stage 2 activities.

What's the difference between IRAP and Essential Eight?

Essential Eight is a set of 8 mitigation strategies focused on cyber resilience. IRAP is a broader security assessment methodology covering the full ISM control set applicable to a specific system. Many systems need both.

Can you help with remediation after the assessment?

Absolutely. We provide prioritised remediation guidance as part of the SAR, and can support implementation of identified fixes through our uplift and advisory services.