
Ready to undertake IRAP with confidence?
Speak with Cyber XL to understand your IRAP requirements, timelines, and the most effective path to assessment or readiness.

IRAP is administered by the Australian Signals Directorate (ASD) and provides a structured, independent assessment of an ICT system’s security controls. An IRAP assessment evaluates whether security controls are appropriately designed, implemented, and operating effectively at a point in time.
While IRAP is not a certification or endorsement, it provides decision-makers with confidence that security risks are understood, managed, and documented. It also supports continuous improvement by identifying gaps and prioritising remediation activities, helping organisations strengthen resilience against evolving cyber threats.
Beyond government procurement, IRAP is increasingly used as a trust signal in commercial engagements where assurance, transparency, and regulatory alignment are critical.
Cyber XL supports organisations through every stage of the IRAP journey, from early readiness through to assessment and ongoing assurance. We work closely with technical teams, executives, and risk owners to ensure security controls are practical, defensible, and aligned to operational reality.
We provide:
Our approach focuses on reducing risk, avoiding unnecessary rework, and enabling organisations to meet assurance expectations with confidence.
An IRAP assessment is commonly required for ICT systems that store, process, or transmit Australian Government information. For many government procurements, a current IRAP assessment is a prerequisite to operate or provide services.
Outside government, organisations may choose to undertake IRAP to demonstrate alignment with Australia’s highest security expectations. Completing an IRAP assessment signals a strong commitment to security, assurance, and risk management, and can support both public and private sector opportunities.
The Information Security Manual (ISM) recommends that systems undergo IRAP assessment at least every 24 months. Reassessment may also be required sooner if there are significant system changes, risk events, or shifts in the operating environment.
An IRAP assessment is an independent evaluation of an ICT system’s security controls, risks, and implementation maturity.
Assessments are conducted against two Australian Government frameworks:
Cyber XL delivers IRAP assessments through a structured four-stage approach:
Planning and preparation
We establish scope, timelines, data handling arrangements, and access requirements. Stakeholders are engaged early to ensure assessment activities are efficient and well-coordinated.
Scope validation
The system boundary, environments, data classification, technologies, and applicable controls are confirmed to ensure the assessment is accurate and defensible.
Control assessment and testing
System documentation and evidence are reviewed, and controls are tested to determine whether they are appropriate for the system’s risk profile and operating effectively in practice.
Reporting and security control matrix
A detailed IRAP report and Security Control Matrix are produced, outlining control implementation status, risks, strengths, and areas requiring remediation.
An IRAP readiness review helps organisations understand how prepared they are before committing to a formal IRAP assessment. It reduces risk, avoids surprises, and improves assessment outcomes.
Cyber XL conducts readiness reviews in two stages:
Preliminary gap analysis
We assess how the system would perform under IRAP, identify control gaps, and estimate the effort required to remediate them.
Security documentation review
Key artefacts such as the System Security Plan, continuous monitoring approach, and incident response documentation are reviewed against IRAP expectations, with clear recommendations provided.
Cyber XL provides IRAP advisory services to government and private sector organisations preparing for IRAP or aligning with ISM requirements.
Our advisory services include strategy development, architecture review, control uplift, and alignment of existing frameworks (such as ISO or NIST) to the ISM. The objective is to reduce risk and position systems for a successful future assessment.
Our advisory engagements typically include:
Scoping and planning
Defining assessment scope, control applicability, and evidence requirements.
Architecture review and workshops
Reviewing system design and security implementation against ISM expectations.
Findings and recommendations
Providing clear, prioritised guidance to address gaps and improve assurance posture.
IRAP assessments typically take between two and six months. Timeframes depend on system complexity, readiness, scope, and the availability of evidence and stakeholders.
Cyber XL works closely with clients to optimise timelines without compromising assessment quality.
The cost of an IRAP assessment varies based on scope, complexity, and readiness. Cyber XL provides tailored estimates following an initial discussion to ensure transparency and alignment with expectations.

Engage Cyber XL to support IRAP assessments and assurance activities aligned to Australian Government security requirements.

Work with Cyber XL to prepare, assess, and position your products for IRAP, enabling confident entry into government and regulated markets.