Why choose Cyooda for your IRAP assessment?
Cyooda Security has Australia's most experienced and respected IRAP assessor. Our ASD-endorsed assessor provides independent assessment of your security controls, processes and documentation aligned to the ISM and PSPF frameworks.
What makes our services different is the depth of experience gained from working across multiple industries in highly complex operational and senior business leadership positions. We don't just leave you with a report at the end; we partner with you every step of the way.
IRAP Assessment Investment
Professional IRAP assessments start from $33,000, depending on scope and complexity. Contact us for a detailed quote tailored to your specific requirements.
What is IRAP (InfoSec Registered Assessors Program)?
The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) initiative to provide high quality information and communications technology (ICT) security assessment services to government and industry.
An IRAP assessment provides a framework for assessing the implementation and effectiveness of an organisation's security controls against the Australian government's security requirements, as outlined in the Information Security Manual (ISM) and Protective Security Policy Framework (PSPF).
Who are IRAP assessors?
How our IRAP services help you
What makes our services different from everyone else is the depth of experience gained from working across multiple industries in highly complex operational and senior business leadership positions. This depth of experience is what we bring to every engagement and we don't just leave you with a report at the end. We are here to partner with you and will be with you every step of the way and beyond if you need further help.
Our IRAP Assessment Process
Cyooda follow a comprehensive 4-step process that ensures thorough evaluation and compliance:
Plan and Prepare
Gather all relevant documentation and evidence to be validated ahead of the assessment. Review the Systems Security Plan Annex or Cloud Controls Matrix.
Define the Scope
Cyooda work with you to establish an agreed scope for the IRAP assessment including relevant systems, networks and security controls to be evaluated.
Assess the Controls
Using interviews, documentation reviews and validation of controls, the in-scope environment is thoroughly assessed against ISM requirements.
Security Report
At the end of the assessment we deliver a comprehensive final report detailing technical findings and recommendations for improvement, along with an IRAP letter of completion.
Industries we serve
IRAP for Law Firms and Legal Services
Australian law firms increasingly require IRAP assessment to serve government clients, handle sensitive legal matters, and demonstrate robust cybersecurity practices for client data protection.
Legal Sector IRAP Packages
Specialised IRAP assessment packages for law firms, including legal sector risk assessment, document review systems, and client confidentiality controls evaluation.
IRAP Assessment Requirements and Documentation
To be ready for an IRAP assessment, you need these minimum documents and aligned controls:
- Systems Security Plan - Comprehensive overview of security architecture and controls
- Security Risk Management Plan - Risk identification, assessment and mitigation strategies
- Incident Response Plan - Procedures for detecting, responding to and recovering from security incidents
- Continuous Monitoring Plan - Ongoing security monitoring and compliance verification processes
- Plan of Actions and Milestones - Required for revalidation assessments only
Note: If we assist you with preparing any documentation or controls, we cannot assess you and you will need to seek the services of another assessor to maintain independence.
IRAP Services Across Australia
Our ASD-endorsed assessor provides IRAP services across major Australian cities and regions:
- IRAP Assessment Sydney - Serving NSW government and enterprise clients
- IRAP Assessment Melbourne - Victoria government agencies and financial services
- IRAP Assessment Brisbane - Queensland government and healthcare organisations
- IRAP Assessment Canberra - Federal government departments and agencies
- IRAP Assessment Perth - WA government and mining sector clients
- IRAP Assessment Adelaide - SA government and critical infrastructure
Frequently Asked Questions About IRAP
Cyooda Security have the most experienced and respected IRAP assessor in Australia.
- Cyooda conduct independent IRAP assessments up to SECRET for ICT Systems, Cloud Services, Gateways, Gatekeeper and Fedlink
- We advise on your organisation's risk posture aligned to the latest control requirements of the ISM
- Our assessor supports you to improve your organisation's security posture and cybersecurity maturity
- Cyooda informs you of the latest updates and supports and guides you through the entire IRAP process
Cyooda's IRAP assessor has unique skills and experience gained over the last 25+ years working with government agencies, financial institutions, telecommunications, mining and global organisations looking to conduct business in Australia.
Our assessor meets the stringent prerequisites to be an IRAP assessor.
Cyooda Security IRAP assessors provide an independent assessment of your security controls, processes and documentation aligned to the ISM and PSPF frameworks.
NOTE:
Our IRAP Assessors do not endorse, accredit, certify, or register systems on behalf of the ASD.
Yes, UK and US companies selling to the Australian Government must obtain IRAP assessment. We specialise in helping international organisations navigate Australian cybersecurity requirements and achieve ISM compliance for government procurement.
Find out more about how we can help you here.
Organisations that are looking to sell their products, cloud or managed service offerings to Australian Government departments and agencies may be asked if their service has been IRAP assessed as part of one of the early procurement checks.
There are 2 options available to assess whether your organisation is ready:
1. Perform your own self-assessment
IRAP assessment collateral is publicly available from the ASD website. This includes all of the ISM controls and the cloud security control matrix that we use to assess customers against.
2. Engage Cyooda Security for an IRAP assessment
Cyooda will work with your management, operations and cybersecurity teams to identify the necessary controls and develop the documentation required for you to undertake an assessment.
Note: If we assist you with preparing any of your documentation or controls then we cannot assess you and you will need to seek the services of another assessor.
Most IRAP assessments take 8-12 weeks depending on system complexity. Simple cloud services may complete faster, while complex infrastructure requiring assessment of multiple controls takes longer. We provide realistic timelines during the scoping phase.
The ISM and PSPF are two different security frameworks that guide the security and privacy of government information, systems and networks.
IRAP assessments use Australian Government ISM controls and are mandatory for government suppliers. ISO 27001 is an international standard. IRAP focuses specifically on Australian government security requirements and PROTECTED data handling capabilities.
IRAP is mandatory for government suppliers but is increasingly requested by the private sector for vendor due diligence. Many enterprises now require IRAP assessment as a procurement benchmark for security assurance and risk management.
ISM guidelines mandate IRAP reassessment every 24 months for managed service providers and cloud services. This ensures ongoing compliance with evolving security standards and maintains certification currency for government procurement.
Benefits
Complimentary Services
Achieve and maintain IRAP certification with these essential services that provide ongoing compliance management, technical validation, and strategic oversight for Australian government requirements.