IRAP (InfoSec Registered Assessors Program) and ASD Essential Eight

Providing independent guidance and assurance for your security program with highly qualified ASD endorsed assessors.

We don't just offer a one size fits all approach, our security assessments are tailored to suit your specific requirements.

What is IRAP (Infosec Registered Assessors Program)?

The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) initiative to provide high quality information and communications technology (ICT) security assessment services to government and industry.

What is an IRAP Assessment?

An IRAP assessment provides a framework for assessing the implementation and effectiveness of an organisation's security controls against the Australian government's security requirements, as outlined in the Information Security Manual (ISM) and Protective Security Policy Framework (PSPF)

Cyooda Security has ASD endorsed, qualified IRAP assessors.

Our assessors provide you with an independent assessment of the security of your systems, provide guidance and remediation advice, and highlight remaining residual risks, so you can make informed decisions for improvement.

Cyooda Security have the most experienced and respected IRAP assessors in Australia.

  • Cyooda assessors conduct independent IRAP assessments up to SECRET for ICT Systems, Cloud Services, Gateways, Gatekeeper and Fedlink
  • We advise on your organisation's risk posture aligned to the latest control requirements of the ISM
  • Our assessors support you to improve your organisation's security posture and cybersecurity maturity
  • Cyooda assessors inform you of the latest updates and support and guide you through the entire IRAP process.

Cyooda's IRAP assessors have unique skills and experience gained over the last 25+ years working with government agencies, financial institutions, telecommunications, mining and global organisations looking to conduct business in Australia.

Our assessors meet the stringent prerequisites to be IRAP assessors.

Cyooda Security assist and guide UK and American organisations through the complex requirements and approvals pertaining to cybersecurity when conducting business with the Australian Government.

Find out more about how we can help you here.

Cyooda Security IRAP assessors provide an independent assessment of your security controls, processes and documentation aligned to the ISM and PSPF frameworks.

Our assessors follow a 4 step process that:

  • prepares your organisation so that it is ready to undertake the assessment
  • clearly defines the scope
  • assesses the controls
  • finally provide you with an IRAP report and letter of completion


Our IRAP Assessors do not endorse, accredit, certify, or register systems on behalf of the ASD

Organisations that are looking to sell their products, cloud or managed service offerings to Australian Government departments and agencies may be asked if their service has been IRAP assessed as part of one of the early procurement checks.

The guidelines from the Australian Information Security Manual (ISM) mandates that managed service providers, outsourced cloud service providers and their cloud services undertake a security assessment by an IRAP assessor once every 24 months.

There are 2 options available to assess if your organisation is ready which are:

  1. Perform your own self assessment

IRAP assessment collateral is publicly available from the ASD website. These include all of the ISM controls and the cloud security control matrix that we use to assess customers against.  

To be ready for an IRAP assessment the minimum set of documents and aligned controls you need are:

  • Systems Security Plan
  • Security Risk Management Plan
  • Incident Response Plan
  • Continuous Monitoring Plan
  • Plan of actions and milestones (for revalidation only)

If you need assistance or would just like to chat about any of the above requirements then please get in touch.

2. Engage Cyooda Security for an IRAP assessment

Cyooda will work with your management, operations and cybersecurity teams to identify the necessary controls and develop the documentation required for you to undertake an assessment.

Note:  If we assist you with preparing any of your documentation or controls then we cannot assess you and you will need to seek the services of another assessor.

ASD Essential Eight Assessment

Cyooda Security are endorsed by the Australian Signals Directorate (ASD) as an authorised IRAP assessor which includes providing ASD Essential Eight assessments.

The Essential Eight assessment comprises of 3 distinct phases:

  • Consult and prepare – understand scope, desired maturity level, process, policy, and people.
  • Engage and gather evidence – interview relevant system and policy owners, review architecture and system documentation, assess a sample of systems that represent the in-scope environment.
  • Analyse and assess – analyse findings and provide a detailed report.

Assessment against the Essential Eight are conducted using the Essential Eight Maturity Model and specific criteria for each control taken from the ASD Information Security Manual (ISM).

As a minimum an organisation should be aiming to reach maturity level one to be considered to have effective controls.

Let us know how we can help
Please enable JavaScript in your browser to complete this form.
Please select the area of interest related to your enquiry
Describe anything specific you would like to tell us about the service selected
ASD Essential 8


Mitigate Risks

Enables identification of gaps in processes, documentation and controls


Improves the overall security posture of the organisation and its systems


Demonstrates compliance with the Australian government ISM / PSPF


Provides confidence to the business and your customers that systems and data are secure.

Ready to have a conversation?

Find out how Cyooda Security can help you with your IRAP requirement, as well as improve your organisation's overall security posture to build strong cyber resilience.

Join over 2500+ people who receive our cyber security tips and news every 2 weeks

Cyooda Security - Leading provider of cyber security services in Australia

Lvl 17, Angel Place,

123 Pitt Street,


NSW 2000

 (02) 7230 1350

Message us >>