ASD-aligned security assessment for cloud and on-premise systems serving Australian government. Delivered by our in-house IRAP assessor — not outsourced.
IRAP Assessment
IRAP Assessor
ON STAFF
ISM Controls
247
Assessed
Your cloud platform or system needs IRAP certification to serve Australian government clients, but the assessment process feels opaque and resource-intensive.
IRAP assessors are in high demand. External engagements can mean long lead times and limited availability when you need assessment quickly.
The Information Security Manual has hundreds of controls. You need an assessor who understands which controls apply to your specific system and architecture.
Assessment of your system architecture against ISM security principles and ASD guidelines.
Evaluation of applicable ISM controls for your specific system classification and deployment model.
Technical security testing aligned to the IRAP assessment methodology.
Comprehensive report documenting assessment findings, risk ratings, and recommendations.
Assessment of cloud service provider controls and shared responsibility model where applicable.
Prioritised recommendations for addressing identified gaps before or after certification.
You're building platforms that serve Australian government and need IRAP certification to access that market.
You need independent IRAP assessment of internal systems or third-party services to meet ISM and PSPF obligations.
You're developing systems for Defence or national security clients that require assessed security postures.
Federal agency
Scoped, assessed, and reported on three high-priority SRAs in a single calendar year — an enterprise integration platform, a supplier-security uplift, and a public-facing online services portal with paired penetration testing — all delivered inside the agency's assessment window.
Federal department
Led the department's Essential Eight maturity review using ACSC verification methodology, then ran continuous-assurance activities through annual PSPF reporting and ASD cyber survey submissions — keeping E8 posture live between formal reviews.
Federal agency
Delivered executive and board-ready cyber governance papers, stood up a Foreign Ownership Control and Influence process, and supported system accreditation activities across a shared-services environment — so the agency walked into its next review with defensible answers.
Yes. Our IRAP assessor is a member of the Strategic Cyber team — not outsourced or subcontracted. This means faster engagement, tighter communication, and consistent quality throughout the assessment.
Timelines vary based on system complexity and classification level. A typical assessment for a cloud platform takes 8–16 weeks including both Stage 1 and Stage 2 activities.
Essential Eight is a set of 8 mitigation strategies focused on cyber resilience. IRAP is a broader security assessment methodology covering the full ISM control set applicable to a specific system. Many systems need both.
Absolutely. We provide prioritised remediation guidance as part of the SAR, and can support implementation of identified fixes through our uplift and advisory services.
Most IRAP assessments run 6-12 weeks depending on system scope and ISM-control count. We scope tightly upfront so the timeline is predictable and you know the evidence expectations from day one.
IRAP assessments are scoped and priced per system. We'll give you a firm range after a scoping conversation — pricing depends on system complexity, ISM controls in scope, and classification level.
IRAP is specifically for ISM-aligned evaluations of systems used by Australian government. Our assessor is AGSVA-cleared and has delivered IRAPs for federal agencies — not general-purpose auditors who also offer IRAP on the side.