Everything you need to know about the Information Security Registered Assessors Program, from ISM controls to assessment readiness. A practical guide for CISOs and security leaders.
The Information Security Registered Assessors Program (IRAP) is an initiative managed by the Australian Signals Directorate (ASD) that provides a framework for assessing the security posture of systems that process, store, or communicate government data. IRAP assessors are cybersecurity professionals who have been endorsed by the ASD to independently evaluate whether an organisation's security controls meet the requirements of the Australian Government Information Security Manual (ISM).
At its core, IRAP exists to give the Australian Government confidence that its data is being handled securely, whether that data resides on-premises, in commercial cloud environments, or within managed service providers. The program was established to create a consistent, repeatable methodology for security assessments, replacing what was previously an ad hoc and inconsistent process across government agencies.
IRAP assessments are conducted against specific security classification levels. The Australian Government classifies information according to its sensitivity and the potential damage that could result from unauthorised disclosure. The most common classification levels relevant to IRAP assessments are:
An IRAP assessment is not a one-off certification. It is a point-in-time evaluation that provides assurance to government agencies that a system meets the required security standards. Organisations are expected to maintain their security posture continuously and undergo reassessment as their systems evolve or as the ISM is updated.
Any organisation that processes, stores, or communicates Australian Government data at OFFICIAL: Sensitive or above is expected to undergo an IRAP assessment. In practice, this encompasses a broad range of organisations across both the public and private sectors.
Government suppliers and contractors form the largest group of organisations requiring IRAP assessment. If your organisation provides services to an Australian Government agency and handles government data as part of that engagement, the contracting agency will typically require evidence that your systems have been assessed by an IRAP assessor. This applies to IT service providers, software vendors, consulting firms, and any other supplier that touches government information.
Cloud service providers seeking to host government workloads must demonstrate that their platforms meet the relevant ISM controls. The Australian Government maintains a list of assessed cloud services through the Certified Cloud Services List (CCSL), though the program has evolved in recent years. Major cloud providers such as AWS, Microsoft Azure, and Google Cloud have undergone IRAP assessments for their Australian regions, but organisations building on top of these platforms still need to assess their own application layers and configurations.
Critical infrastructure operators are increasingly expected to align with ISM controls, particularly those in sectors such as energy, telecommunications, financial services, and healthcare. While IRAP assessment may not always be mandatory for these organisations, many adopt the framework voluntarily as a rigorous benchmark for their security programmes.
Organisations handling protected information, including defence industry participants and national security-related contractors, face the most stringent requirements. These organisations must demonstrate compliance with the full suite of PROTECTED-level ISM controls and typically engage IRAP assessors with specific security clearances.
The Information Security Manual (ISM) is the Australian Government's primary cybersecurity framework, published and maintained by the Australian Signals Directorate. It serves as the authoritative reference for security controls that organisations must implement to protect government information. The ISM is not merely a set of guidelines — it is the standard against which IRAP assessors evaluate an organisation's security posture.
The ISM currently contains 992 controls spanning a comprehensive range of security topics. These controls are organised into groups covering areas such as access control, cryptography, network security, system hardening, personnel security, physical security, media management, and incident response. Each control is assigned applicability levels that indicate at which classification levels it must be implemented:
A significant development in recent years is the ASD's decision to publish the ISM in OSCAL (Open Security Controls Assessment Language) format. OSCAL is a standardised, machine-readable format developed by NIST that enables automated processing of security control catalogues. This means organisations can programmatically import ISM controls, track their implementation status, and generate compliance artefacts without relying solely on manual spreadsheet-based processes.
The ISM is updated regularly by the ASD to reflect the evolving threat landscape. Controls are added, modified, or retired with each revision. This creates a significant operational challenge for organisations undergoing IRAP assessment: they must not only implement the controls but also keep pace with changes between revisions, ensuring that their documentation and evidence remain current with the latest version of the ISM.
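To illustrate what a machine-readable catalogue makes possible, the Python below is an added example written for this page; it is not the ASD's OSCAL publication and not QuantAssure's implementation. It parses a small constructed OSCAL-style catalogue (the general catalog, groups, controls, props and parts layout), scopes it to a classification level, and reports which controls were added, modified or retired between two revisions. The catalogue versions, control ids, titles, statements and the `applicability` property name are all constructed; the real ISM OSCAL file carries its own property names, and the "applies at its stated level and every level above" rule is a simplification of the ISM's per-level applicability flags.

```python
"""Parse an OSCAL-style control catalogue, scope it to a classification
level and diff two revisions.

Added example, not the ASD's published OSCAL file and not QuantAssure code.
The JSON built below follows the general OSCAL catalog layout (catalog ->
groups -> controls, each with props and parts) but the catalogue versions,
control ids, titles, statements and the 'applicability' property name are
all constructed for illustration.
"""
import json
from dataclasses import dataclass

# Lowest to highest. Assumption: a control applies at its stated level and
# every level above it (a simplification of the ISM's per-level flags).
CLASSIFICATION_ORDER = ["OFFICIAL", "OFFICIAL: Sensitive", "PROTECTED"]


@dataclass(frozen=True)
class Control:
    id: str
    title: str
    group: str
    applicability: str
    statement: str


def _walk(controls: list, group_title: str):
    """Yield controls depth-first; OSCAL allows controls nested in controls."""
    for ctl in controls:
        yield ctl, group_title
        yield from _walk(ctl.get("controls", []), group_title)


def load_controls(oscal_json: str) -> dict[str, Control]:
    """Flatten an OSCAL catalog document into {control id: Control}."""
    catalog = json.loads(oscal_json)["catalog"]
    out: dict[str, Control] = {}
    for group in catalog.get("groups", []):
        for ctl, group_title in _walk(group.get("controls", []), group["title"]):
            props = {p["name"]: p["value"] for p in ctl.get("props", [])}
            statement = " ".join(
                part.get("prose", "")
                for part in ctl.get("parts", [])
                if part.get("name") == "statement"
            )
            out[ctl["id"]] = Control(
                id=ctl["id"],
                title=ctl["title"],
                group=group_title,
                applicability=props.get("applicability", CLASSIFICATION_ORDER[0]),
                statement=statement,
            )
    return out


def in_scope(controls: dict[str, Control], level: str) -> dict[str, Control]:
    """Controls whose stated applicability is at or below the system's level."""
    target = CLASSIFICATION_ORDER.index(level)
    return {
        cid: c for cid, c in controls.items()
        if CLASSIFICATION_ORDER.index(c.applicability) <= target
    }


def diff_revisions(old: dict[str, Control], new: dict[str, Control]) -> dict[str, list[str]]:
    """Added / modified / retired control ids between two catalogue revisions."""
    common = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "modified": sorted(cid for cid in common if old[cid] != new[cid]),
        "retired": sorted(old.keys() - new.keys()),
    }


# --- constructed sample catalogues (two revisions) -------------------------
def _ctl(cid, title, level, statement):
    return {"id": cid, "title": title,
            "props": [{"name": "applicability", "value": level}],
            "parts": [{"name": "statement", "prose": statement}]}


def _catalog(version, groups):
    meta = {"title": "Constructed ISM-style catalogue", "version": version}
    return json.dumps({"catalog": {"metadata": meta, "groups": groups}})


REV_A = _catalog("2024.03", [
    {"id": "g-access", "title": "Access control", "controls": [
        _ctl("ISM-0001", "MFA for privileged users", "OFFICIAL: Sensitive",
             "Privileged users authenticate with MFA."),
        _ctl("ISM-0002", "Privileged access review", "PROTECTED",
             "Privileged access is reviewed quarterly."),
    ]},
    {"id": "g-crypto", "title": "Cryptography", "controls": [
        _ctl("ISM-0003", "TLS configuration", "OFFICIAL: Sensitive",
             "Only TLS 1.2 or later is used."),
    ]},
])

REV_B = _catalog("2024.06", [
    {"id": "g-access", "title": "Access control", "controls": [
        _ctl("ISM-0001", "MFA for privileged users", "OFFICIAL: Sensitive",
             "Privileged users authenticate with MFA."),
        # ISM-0002 retired in this revision
    ]},
    {"id": "g-crypto", "title": "Cryptography", "controls": [
        _ctl("ISM-0003", "TLS configuration", "OFFICIAL: Sensitive",
             "Only TLS 1.3 is used."),  # statement changed -> modified
        _ctl("ISM-0004", "Certificate lifetime", "OFFICIAL: Sensitive",
             "Certificates are rotated before expiry."),  # new control
    ]},
])

if __name__ == "__main__":
    old, new = load_controls(REV_A), load_controls(REV_B)
    print("In scope at OFFICIAL: Sensitive:", sorted(in_scope(old, "OFFICIAL: Sensitive")))
    print("Revision delta:", diff_revisions(old, new))
```

Running the diff against each new ISM release, then re-running the scoping filter, turns the revision problem described above into a short list of control ids to review rather than a manual spreadsheet comparison.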
An IRAP assessment is a structured process that typically unfolds over several months, depending on the size and complexity of the organisation and the classification level being assessed. Understanding the stages of this process is essential for proper planning and resource allocation.
Scoping is the first critical stage. During scoping, the organisation and the IRAP assessor work together to define the boundaries of the assessment. This includes identifying the systems in scope, the data classification levels, the relevant ISM controls, and any exclusions. A well-defined scope prevents scope creep during the assessment and ensures that both parties have aligned expectations. Scoping also determines which of the 992 ISM controls are applicable to the organisation's specific environment and use case.
Gap analysis follows scoping. This is an internal exercise — often conducted with the assessor's guidance — where the organisation evaluates its current security posture against the applicable ISM controls. The gap analysis identifies controls that are fully implemented, partially implemented, or not yet addressed. This stage produces a clear picture of the remediation work required before the formal assessment can proceed.
Remediation is typically the most time-consuming stage. Based on the gap analysis findings, the organisation implements missing controls, updates documentation, deploys technical safeguards, and gathers evidence of implementation. Effective remediation requires coordination across multiple teams — IT operations, security, development, HR, and facilities — as ISM controls span technical, procedural, and physical domains.
Formal assessment is conducted by the IRAP assessor once the organisation believes it has addressed all applicable controls. The assessor reviews the Statement of Applicability (SOA), examines evidence for each control, interviews key personnel, and inspects technical configurations. The SOA is a pivotal document — it lists every applicable ISM control and records the organisation's implementation status, along with justifications for any controls deemed not applicable.
Upon completion, the assessor produces a Security Assessment Report (SAR) that documents their findings, including any residual risks or areas of non-compliance. This report is provided to the sponsoring government agency, which uses it to make risk-based decisions about authorising the system to handle government data.
The ASD's Essential Eight mitigation strategies represent a prioritised subset of security controls drawn from the broader ISM. Originally developed as the "Top 4" and later expanded, the Essential Eight identifies the most effective strategies for mitigating cyber security incidents. These strategies are: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups.
Each Essential Eight strategy is measured against a maturity model with four levels: Maturity Level Zero (ML0) through Maturity Level Three (ML3). ML0 indicates that the strategy has significant weaknesses, while ML3 represents the highest level of implementation aligned with the ASD's intent. Organisations are expected to achieve a consistent maturity level across all eight strategies, as achieving ML3 in some areas while remaining at ML0 in others leaves exploitable gaps.
For organisations preparing for IRAP assessment, the Essential Eight provides a pragmatic starting point. Many of the ISM controls that assessors examine are directly related to Essential Eight strategies. An organisation that has achieved ML2 or ML3 across all eight strategies will have already addressed a substantial portion of the technical controls required for an OFFICIAL: Sensitive IRAP assessment.
It is common for organisations to begin their compliance journey with Essential Eight maturity assessment before progressing to a full IRAP engagement. This phased approach allows security teams to build capability, establish evidence collection processes, and demonstrate progress to leadership — all of which contribute to a smoother and more efficient formal IRAP assessment when the time comes.
Preparing for an IRAP assessment presents several recurring challenges that can delay timelines, increase costs, and frustrate security teams. Understanding these challenges in advance allows organisations to plan proactively.
Manual tracking of 992 controls is perhaps the most pervasive challenge. Many organisations begin their IRAP journey with spreadsheets — mapping ISM controls to their implementation status, responsible owners, and evidence artefacts in Excel workbooks. While this approach can work for small environments, it quickly becomes unmanageable as the number of controls, systems, and stakeholders grows. Version control issues, conflicting edits, and stale data are common symptoms of spreadsheet-based compliance tracking.
Evidence staleness is a related problem. IRAP assessors need to see current evidence that controls are implemented and operating effectively. Screenshots, configuration exports, policy documents, and audit logs all have a shelf life. Evidence gathered during a gap analysis six months ago may no longer reflect the current state of the environment. Organisations need mechanisms to continuously refresh their evidence base, not just collect it once.
Coordination with assessors can be complex, particularly when assessors need access to specific systems, personnel, or documentation. The back-and-forth of evidence requests, clarification questions, and additional documentation can stretch assessment timelines significantly. Without a structured way to share artefacts and track outstanding requests, the process becomes inefficient for both parties.
No single source of truth compounds all of the above challenges. When control statuses live in spreadsheets, evidence lives in shared drives, policies live in document management systems, and technical configurations live in cloud consoles, there is no unified view of assessment readiness. Security leaders struggle to answer the fundamental question: "How ready are we for assessment?"
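The readiness question above, and the evidence shelf-life problem behind it, can both be answered from one structured Statement of Applicability. The following Python is an added example for this page, not QuantAssure code: it takes constructed SOA rows, flags evidence older than an assumed 90-day freshness threshold and not-applicable entries that lack a justification, and scores readiness per topic, counting only implemented controls backed by fresh evidence. The control ids, topics, statuses, file names, dates and the scoring rule are all constructed assumptions.

```python
"""Readiness view over a constructed Statement of Applicability (SOA).

Added example, not QuantAssure code. Each row carries a control id, topic,
implementation status, an N/A justification where relevant and evidence
items with the date they were collected. The rows, the 90-day freshness
threshold and the scoring rule (only implemented controls backed by fresh
evidence count as ready) are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import date

FRESHNESS_DAYS = 90
STATUSES = {"implemented", "partial", "not implemented", "not applicable"}
AS_OF = date(2025, 6, 1)  # constructed "today" so the run is reproducible

# Constructed SOA rows (ids, topics, file names and dates are not real).
SOA = [
    {"id": "ISM-0001", "topic": "Access control", "status": "implemented",
     "evidence": [{"name": "mfa-policy-export.json", "collected": date(2025, 5, 2)}]},
    {"id": "ISM-0002", "topic": "Access control", "status": "implemented",
     "evidence": [{"name": "priv-review-q3.pdf", "collected": date(2024, 10, 1)}]},
    {"id": "ISM-0003", "topic": "Cryptography", "status": "partial",
     "evidence": [{"name": "tls-scan.txt", "collected": date(2025, 5, 20)}]},
    {"id": "ISM-0004", "topic": "Cryptography", "status": "not applicable",
     "justification": "", "evidence": []},
    {"id": "ISM-0005", "topic": "Physical security", "status": "not implemented",
     "evidence": []},
]


def evidence_age_days(item: dict, today: date) -> int:
    return (today - item["collected"]).days


def row_findings(row: dict, today: date, threshold: int = FRESHNESS_DAYS) -> list[str]:
    """Things an assessor would query on this row: stale or missing evidence,
    or an N/A claim with no written justification."""
    findings = []
    if row["status"] == "not applicable":
        if not row.get("justification", "").strip():
            findings.append("marked not applicable without a justification")
        return findings
    if row["status"] == "implemented":
        if not row["evidence"]:
            findings.append("implemented but no evidence attached")
        for item in row["evidence"]:
            age = evidence_age_days(item, today)
            if age > threshold:
                findings.append(f"stale evidence: {item['name']} is {age} days old")
    return findings


def is_ready(row: dict, today: date, threshold: int = FRESHNESS_DAYS) -> bool:
    """Ready = implemented, has evidence, and every item is within threshold."""
    return (
        row["status"] == "implemented"
        and bool(row["evidence"])
        and all(evidence_age_days(i, today) <= threshold for i in row["evidence"])
    )


def readiness(soa: list, today: date, threshold: int = FRESHNESS_DAYS) -> dict:
    """Overall and per-topic readiness percentage plus per-control findings.
    N/A controls leave the denominator but their justification is still checked."""
    applicable: dict = defaultdict(int)
    ready: dict = defaultdict(int)
    findings = {}
    for row in soa:
        if row["status"] not in STATUSES:
            raise ValueError(f"{row['id']}: unknown status {row['status']!r}")
        rf = row_findings(row, today, threshold)
        if rf:
            findings[row["id"]] = rf
        if row["status"] == "not applicable":
            continue
        applicable[row["topic"]] += 1
        if is_ready(row, today, threshold):
            ready[row["topic"]] += 1
    total_app = sum(applicable.values())
    total_ready = sum(ready.values())
    return {
        "overall_pct": round(100 * total_ready / total_app, 1) if total_app else 0.0,
        "by_topic": {t: round(100 * ready[t] / applicable[t], 1) for t in applicable},
        "findings": findings,
    }


if __name__ == "__main__":
    report = readiness(SOA, AS_OF)
    print(f"Overall readiness: {report['overall_pct']}%")
    for topic, pct in report["by_topic"].items():
        print(f"  {topic}: {pct}%")
    for cid, items in report["findings"].items():
        print(f"  {cid}: " + "; ".join(items))
```

Because the same rows drive the score and the findings list, the answer to "how ready are we?" and the list of evidence to refresh come from one place; a partially implemented control scores zero until it is completed, which is deliberately conservative.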
ISM revision management adds a further layer of complexity. When the ASD publishes an updated version of the ISM, organisations must identify which controls have changed, assess the impact on their existing compliance posture, and update their documentation accordingly. Without tooling that tracks control changes between revisions, this becomes a labour-intensive and error-prone exercise.
QuantAssure is designed to streamline the IRAP preparation process, giving security teams a purpose-built platform to track ISM controls, manage evidence, and measure readiness — without replacing the critical role of the IRAP assessor. The platform addresses the core challenges of IRAP preparation by providing structure, automation, and visibility where manual processes fall short.
Automated ISM control import and tracking. QuantAssure ingests the ISM control catalogue directly from the ASD's OSCAL-format publication, ensuring your organisation is always working from the latest revision. All 992 controls are imported with their metadata, applicability levels, and topic classifications. When a new ISM revision is published, QuantAssure identifies which controls have been added, modified, or retired, allowing your team to assess the impact without manually comparing spreadsheets.
AI-powered control mapping. QuantAssure's AI engine automatically maps your existing security findings — from vulnerability scanners, endpoint management tools, and cloud security services — to the relevant ISM controls. This means that when your IRAP assessor asks for evidence of a specific control's implementation, you can immediately surface the relevant findings, configurations, and remediation actions that demonstrate compliance.
Statement of Applicability generation. The platform generates and maintains your Statement of Applicability automatically. As you update control statuses, attach evidence, and document implementation details, the SOA remains current. You can export it in CSV format for sharing with assessors, and import assessor feedback back into the platform to track remediation actions — creating a seamless round-trip workflow.
Essential Eight maturity scoring. QuantAssure tracks your organisation's Essential Eight maturity across all eight strategies, providing visibility into your current maturity level and identifying the specific controls that need attention to reach your target level. The readiness dashboard shows progress over time, helping security leaders communicate improvement to executive stakeholders.
Evidence management with freshness tracking. Rather than letting evidence go stale in shared drives, QuantAssure provides a centralised evidence repository linked directly to ISM controls. Each piece of evidence is timestamped, and the platform flags evidence that is approaching or has exceeded its freshness threshold. This ensures that when your assessor reviews your controls, the supporting evidence reflects your current security posture.
IRAP readiness dashboard. The compliance dashboard provides a real-time view of your assessment readiness, broken down by control topic, applicability level, and implementation status. Security leaders can quickly identify which areas are on track and which require additional attention, enabling data-driven prioritisation of remediation efforts in the lead-up to a formal assessment.
QuantAssure gives your team the tools to track ISM controls, manage evidence, and measure readiness — so you can approach your assessment with confidence.