IRAP

IRAP assessment for government-aligned assurance

ASD-aligned security assessment for cloud and on-premise systems serving Australian government. Delivered by our in-house IRAP capability — not outsourced.

AGSVA Cleared Team • Canberra-Based • In-House IRAP Capability

IRAP Assessment

Assessment Status
System Architecture Review: COMPLETE
ISM Control Assessment: COMPLETE
Controls Effectiveness Testing: IN PROGRESS
Security Assessment Report: PENDING
Controls Matrix: PENDING

IRAP Capability: ON STAFF

ISM Controls Assessed: 247

The challenge

Why IRAP assessment matters

Government customers require IRAP

Your cloud platform or system needs an IRAP assessment to serve Australian government clients, but the assessment process feels opaque and resource-intensive.

Translating ISM into system context

The Information Security Manual is large and detailed. You need an IRAP capability that understands which controls apply to your system and can evaluate their effectiveness within that context, giving you better visibility of the risks that matter.

Knowing what's actually in scope

System boundaries, environments (admin, test, development), and shared-responsibility models can be unclear at the outset. You need an assessor who scopes accurately upfront so findings are practical and reflect how the system really operates.

What you get

What's included in an IRAP Assessment

Per the IRAP Consumer Guide, an IRAP assessment report includes the items below. Note that an IRAP assessment is not a risk assessment — risk treatment decisions sit with the system owner.

Overview of the system and environments

Description of the system and the environments in scope, including administrative, test, and development environments where applicable.

Assessment details and boundary

Assessment scope and the system boundary, including what is in and out of scope and why.

System security strengths and weaknesses

An overview of the system's strengths and weaknesses, drawn from assessment of applicable ISM controls.

Governance arrangements

The governance arrangements supporting the system, including roles, responsibilities, and authorisation pathways.

Detailed findings with evidence

Detailed assessment findings, supporting information, and evidence collected during the assessment.

Recommended remediation activities

Prioritised remediation activities to address identified weaknesses.

Completed assessment controls matrix (annex)

The Security Assessment Report is supported by a Cloud Controls Matrix or Security Controls Matrix as an annex — recording assessor judgements against each applicable ISM control.

How IRAP works

The four phases of an IRAP assessment

IRAP assessments are structured into four phases, in line with the ASD IRAP Consumer Guide.

Phase 1 — Plan and prepare

Define scope, system boundary, and assessment objectives. Confirm environments in scope and applicable ISM controls.

Phase 2 — Design Effectiveness Review

Assess whether the system has been designed to implement applicable ISM controls effectively (formerly referred to as "Stage 1").

Phase 3 — Operational Effectiveness Review

Assess whether implemented controls are operating effectively in practice (formerly referred to as "Stage 2"). Controls testing here is distinct from a vulnerability assessment.

Phase 4 — Report

Produce the Security Assessment Report and supporting controls matrix annex covering findings, evidence, governance, and recommended remediation.

Right for you

Who should consider IRAP assessment

Cloud and SaaS providers

You're building platforms that serve Australian government and need IRAP assessment to access that market.

Government agencies

You need independent IRAP assessment of internal systems or third-party services to meet ISM and PSPF obligations.

Defence technology companies

You're developing systems for Defence or national security clients that require assessed security postures.

Managed Service Providers (MSPs)

Managed Service Providers should also consider undergoing IRAP assessment — particularly where shared services support Australian government clients with ISM obligations.

Proof

Real engagements, real outcomes

Anonymised

Federal agency

Multiple SRAs delivered within a single review window

Scoped, assessed, and reported on three distinct SRAs within one assessment cycle, covering an integration platform, supplier uplift, and public-facing services.

Anonymised

Federal department

Essential Eight maturity maintained between formal assessments

Delivered an Essential Eight maturity review across a multi-system environment using ACSC verification methodology. Followed with continuous assurance aligned to PSPF reporting and ASD survey cycles, maintaining visibility of control effectiveness between formal assessments.

Anonymised

Federal agency

Board-ready cyber governance, stood up from scratch.

Delivered executive and board-ready cyber governance papers, stood up a Foreign Ownership Control and Influence process, and supported system accreditation activities across a shared-services environment — so the agency walked into its next review with defensible answers.

Common questions

Frequently asked questions

Do you have IRAP capability in-house?

Yes. Our IRAP capability is part of the Strategic Cyber team — not outsourced or subcontracted. This means faster engagement, tighter communication, and consistent quality throughout the assessment.

How long does an IRAP assessment take?

Timelines vary based on system complexity and classification level. A typical cloud-platform assessment runs 8–16 weeks including both the Design Effectiveness Review and Operational Effectiveness Review. We scope tightly upfront so the timeline is predictable and evidence expectations are clear from day one.

What's the difference between IRAP and Essential Eight?

Essential Eight is a set of 8 mitigation strategies focused on cyber resilience. IRAP is a broader security assessment methodology covering the full ISM control set applicable to a specific system. Many systems need both.

Can you help with remediation after the assessment?

Absolutely. We provide prioritised remediation guidance as part of the SAR, and can support implementation of identified fixes through our uplift and advisory services.

How do we budget for an IRAP assessment?

IRAP assessments are scoped and priced per system. We'll give you a firm range after a scoping conversation — pricing depends on system complexity, ISM controls in scope, and classification level.

How is this different from a general cyber audit?

IRAP is specifically for ISM-aligned evaluations of systems used by Australian government. Our IRAP capability is AGSVA-cleared and has delivered IRAPs for federal agencies — not general-purpose auditors who also offer IRAP on the side.

Get started

Need IRAP assessment for your system?

Talk to our in-house IRAP capability about your assessment requirements.

Canberra-based • AGSVA cleared • In-house IRAP capability