IRAP Assessment Services | ASD-Endorsed Security Assessor Australia

Cyooda Security have the most experienced and respected IRAP assessor in Australia.

• Cyooda conduct independent IRAP assessments up to SECRET for ICT Systems, Cloud Services, Gateways, Gatekeeper and Fedlink
• We advise on your organisation's risk posture aligned to the latest control requirements of the ISM
• Our assessor supports you to improve your organisation's security posture and cybersecurity maturity
• Cyooda informs you of the latest updates and support and guide you through the entire IRAP process.

Cyooda's IRAP assessor has unique skills and experience gained over the last 25+ years working with government agencies, financial institutions, telecommunications, mining and global organisations looking to conduct business in Australia.

Our assessor meet's the stringent prerequisites to be an IRAP assessor.

Cyooda Security IRAP assessors provide an independent assessment of your security controls, processes and documentation aligned to the ISM and PSPF frameworks.

NOTE:

Our IRAP Assessors do not endorse, accredit, certify, or register systems on behalf of the ASD

Yes, UK and US companies selling to Australian government must obtain IRAP assessment. We specialise in helping international organisations navigate Australian cybersecurity requirements and achieve ISM compliance for government procurement.

Find out more about how we can help you here.

Organisations that are looking to sell their products, cloud or managed service offerings to Australian Government departments and agencies may be asked if their service has been IRAP assessed as part of one of the early procurement checks.

There are 2 options available to assess if your organisation is ready which are:

1. Perform your own self assessment

IRAP assessment collateral is publicly available from the ASD website. These include all of the ISM controls and the cloud security control matrix that we use to assess customers against.  

2. Engage Cyooda Security for an IRAP assessment

Cyooda will work with your management, operations and cybersecurity teams to identify the necessary controls and develop the documentation required for you to undertake an assessment.

Note:  If we assist you with preparing any of your documentation or controls then we cannot assess you and you will need to seek the services of another assessor.

Most IRAP assessments take 8 -12 weeks depending on system complexity. Simple cloud services may complete faster, while complex infrastructure requiring multiple controls assessment takes longer. We provide realistic timelines during the scoping phase.

The ISM and PSPF are two different security frameworks that guide the security and privacy of government information, systems and networks.

IRAP assessments use Australian Government ISM controls and are mandatory for government suppliers. ISO 27001 is an international standard. IRAP focuses specifically on Australian government security requirements and PROTECTED data handling capabilities.

IRAP is mandatory for government suppliers but increasingly requested by private sector for vendor due diligence. Many enterprises now require IRAP assessment as procurement benchmark for security assurance and risk management.

ISM guidelines mandate IRAP reassessment every 24 months for managed service providers and cloud services. This ensures ongoing compliance with evolving security standards and maintains certification currency for government procurement.