IRAP – the Infosec Registered Assessors Program – is run by the Australian Signals Directorate's Australian Cyber Security Centre (ACSC). It endorses suitably qualified cyber security professionals to provide independent assessment of a system's security against the Information Security Manual (ISM). An IRAP assessment is typically the path an organisation takes to demonstrate a system can securely handle Australian Government data, and it underpins a delegate's decision to grant an Authority to Operate (ATO).
It is important to be precise about the relationship between the two: IRAP is the assessment program; the ISM is the control catalogue. An IRAP assessor does not invent controls – they assess your system against the ISM and report on how effectively those controls are implemented.
The ISM in briefLink to this section
The ISM is a comprehensive cyber security framework that ASD updates regularly (typically quarterly). It is built around four cyber security principles, which map to the lifecycle of managing security risk:
- Govern – identifying and managing security risks.
- Protect – implementing controls to reduce those risks.
- Detect – identifying and understanding cyber security events and incidents.
- Respond – responding to and recovering from incidents.
Beneath the principles sit the ISM's 22 guidelines – from cyber security roles and security documentation through to system hardening, cryptography, gateways, and data transfers. The guidelines contain hundreds of individual controls, each tagged to a principle and to the security classifications it applies to. Because control identifiers change between releases, we work to the current ISM at the time of your assessment rather than a fixed snapshot.
Security classifications and scopeLink to this section
IRAP assessments cover systems handling data up to and including PROTECTED. The Australian Government classification ladder is OFFICIAL → OFFICIAL: Sensitive → PROTECTED → SECRET → TOP SECRET; systems at SECRET and above are handled directly by ASD rather than through IRAP. Establishing the correct classification of the data your system processes, stores and communicates is the first step – it determines which ISM controls apply and how stringently.
The assessment lifecycleLink to this section
An IRAP assessment is not a pass/fail certificate; it is an independent security assessment report that informs a risk-based authorisation decision. It generally proceeds in stages:
- Scoping and planning – define the system boundary, its data classification, and the authorisation boundary.
- Stage 1 (design review) – assess the security documentation and the design of controls against the ISM, identifying gaps before they are built.
- Remediation – address the findings from Stage 1.
- Stage 2 (implementation review) – assess the effectiveness of the implemented controls, gathering evidence that they operate as documented.
- Security assessment report – the assessor documents the system's security posture, residual risks, and recommendations.
- Authorisation – an authorising officer (the delegate) weighs the residual risk and decides whether to grant an Authority to Operate, usually for a defined period, after which reassessment is required.
How the Essential Eight fits inLink to this section
The Essential Eight is a subset of the mitigation strategies within the ISM. Meeting it – patching, MFA, application control, macro restrictions, application hardening, restricting admin privileges, and regular backups – is necessary groundwork for an IRAP assessment, but it is only part of the picture. The ISM goes much further, covering governance, personnel and physical security, cryptography, gateways, and far more. If you are early in the journey, the Essential Eight is the right first milestone; the ISM is the destination.
How we help you reach an Authority to OperateLink to this section
We are compliance specialists who work backwards from the assessor's expectations. Our role is to get your system genuinely ready – and the evidence genuinely in order – so the IRAP assessment is a confirmation rather than a discovery.
- Scoping and classification. We help you define a clean system and authorisation boundary and confirm the data classification that drives control selection.
- Documentation. We author the full ISM document set – System Security Plan (SSP), Security Risk Management Plan (SRMP), Incident Response Plan (IRP), and standard operating procedures – to the structure assessors expect.
- Control implementation. We implement and harden across all 22 guidelines below, mapping each control to your real stack and producing the evidence to prove it.
- Pre-assessment. We run a mock assessment against the current ISM to surface and close gaps before the IRAP assessor arrives.
- Through the assessment. We work alongside your IRAP assessor through Stage 1 and Stage 2, and support the authorising officer's risk-based decision.
The table below maps the ISM's 22 guidelines to the control focus within each, and to how we help you implement and evidence them.
ISM guidelines and IRAP assessment scope
Guidelines for Cyber Security Roles
| Principle | Control focus | How we help |
|---|---|---|
| Govern | Chief Information Security Officer – leadership of and accountability for the organisation's cyber security. | We help you stand up the CISO function (including on a fractional basis), with clear authority, reporting lines, and an oversight rhythm the assessor can verify. |
| Govern | System owners – named accountability for each system and its security posture. | We define system ownership and the authorisation responsibilities each owner carries, documented for assessment. |
Guidelines for Cyber Security Incidents
| Principle | Control focus | How we help |
|---|---|---|
| Respond | Managing cyber security incidents – an incident response capability and plan. | We write an ISM-aligned incident response plan, define the response team and severities, and prove the capability works with a tabletop exercise. |
| Respond | Reporting cyber security incidents – internal escalation and notification to ASD. | We bake ASD/ACSC reporting triggers and timelines into your runbooks so notifications are made correctly and quickly. |
Guidelines for Procurement and Outsourcing
| Principle | Control focus | How we help |
|---|---|---|
| Govern | Cyber supply chain risk management – assessing risk introduced by suppliers and components. | We build supplier risk assessment and tiering aligned to the ISM, covering sub-processors and country-of-origin considerations. |
| Govern | Managed services and cloud services – assurance over outsourced providers. | We assess providers' IRAP status, document shared-responsibility boundaries, and ensure contracts carry the right security and data-sovereignty clauses. |
Guidelines for Security Documentation
| Principle | Control focus | How we help |
|---|---|---|
| Govern | Development and maintenance of security documentation – a current, governed document set. | We produce the full ISM documentation suite and keep it version-controlled with a defined review cycle. |
| Govern | System-specific documentation – SSP, SRMP, IRP, SOPs and continuity plans. | We author the System Security Plan, Security Risk Management Plan, Incident Response Plan and standard operating procedures to the structure assessors expect. |
Guidelines for Physical Security
| Principle | Control focus | How we help |
|---|---|---|
| Protect | Facilities and systems – protecting the environments that house systems to the appropriate security zone. | We map physical security zone requirements to your sites and document compliant arrangements, including data-centre attestations. |
| Protect | ICT equipment and media – siting and protection of equipment handling sensitive data. | We define siting, access and protection controls for equipment and media, scaled to the classification involved. |
Guidelines for Personnel Security
| Principle | Control focus | How we help |
|---|---|---|
| Govern | Cyber security awareness training – building security competence across the workforce. | We deliver role-based awareness training with completion evidence aligned to ISM expectations. |
| Protect | Access to systems – clearances, need-to-know and authorisation of access. | We implement need-to-know and clearance-based access controls and document the authorisation process for each system. |
Guidelines for Communications Infrastructure
| Principle | Control focus | How we help |
|---|---|---|
| Protect | Cabling infrastructure – installation and protection of cabling to the relevant standard. | We assess cabling against ISM requirements for the applicable classification and document compliant installations. |
| Protect | Emanation security (TEMPEST) – controlling unintended emissions in higher-classification environments. | We advise where emanation security applies and coordinate ASD guidance for higher-classification fit-outs. |
Guidelines for Communications Systems
| Principle | Control focus | How we help |
|---|---|---|
| Protect | Telephony, video conferencing and IP telephony – protecting voice and conferencing channels. | We secure unified-communications platforms and document call and conferencing protections for sensitive discussions. |
| Protect | Fax machines and multifunction devices – controlling legacy data paths. | We harden or retire MFD and fax paths that could leak sensitive data, and document the decision. |
Guidelines for Enterprise Mobility
| Principle | Control focus | How we help |
|---|---|---|
| Protect | Mobile device management – enforced policy on managed mobile devices. | We deploy MDM with ISM-aligned policy – encryption, enrolment, app control – and document the configuration. |
| Protect | Mobile device usage – acceptable use, including overseas travel with sensitive data. | We write mobile usage and travel policies, including secure handling of devices and data when staff travel overseas. |
Guidelines for Evaluated Products
| Principle | Control focus | How we help |
|---|---|---|
| Govern | Evaluated product selection and usage – using assured products in their evaluated configuration. | We help you select Common Criteria or ASD-evaluated products where required and deploy them in their evaluated configuration. |
Guidelines for ICT Equipment
| Principle | Control focus | How we help |
|---|---|---|
| Protect | ICT equipment management – controlled lifecycle for equipment handling sensitive data. | We maintain an equipment register with classification handling and lifecycle controls. |
| Protect | Sanitisation and disposal – securely retiring equipment. | We implement certified sanitisation and disposal with destruction certificates, per ISM media-handling rules. |
Guidelines for Media
| Principle | Control focus | How we help |
|---|---|---|
| Protect | Media usage – controlling sensitive data on removable and fixed media. | We define removable-media policy, encryption and registers to keep sensitive data accounted for. |
| Protect | Media sanitisation, destruction and disposal – verifiable end-of-life handling. | We implement ISM-compliant sanitisation and destruction procedures with retained evidence. |
Guidelines for System Hardening
| Principle | Control focus | How we help |
|---|---|---|
| Protect | Operating system hardening – removing unneeded functionality and enforcing baselines. | We apply ASD and vendor hardening guides, strip unnecessary functionality, and enforce a measured secure baseline. |
| Protect | Application hardening – including the Essential Eight controls the ISM incorporates. | We harden Office, browsers, PDF readers and runtimes, implementing the Essential Eight application-hardening and macro controls the ISM builds on. |
| Protect | Authentication hardening – strong, phishing-resistant authentication and credential protection. | We enforce phishing-resistant MFA, credential-protection technologies, and session controls across the system. |
| Protect | Virtualisation and server-role hardening – securing hypervisors and server functions. | We harden hypervisors and server roles and document the secure configuration baseline for assessment. |
Guidelines for System Management
| Principle | Control focus | How we help |
|---|---|---|
| Protect | System administration – secure, separated administration of systems. | We implement separated administration with Privileged Access Workstations, just-in-time elevation, and full logging. |
| Protect | System patching – meeting ISM patch timeframes for applications and operating systems. | We run a patch programme that meets ISM timeframes, mirroring the Essential Eight patch controls, with exception tracking. |
| Protect | Data backup and restoration – protected, tested recovery. | We design protected, access-controlled backups and validate them through documented restoration exercises. |
Guidelines for System Monitoring
| Principle | Control focus | How we help |
|---|---|---|
| Detect | Event logging and monitoring – capturing, protecting and reviewing security-relevant events. | We define centralised, protected logging and monitoring (SIEM or managed detection) aligned to ISM event-logging requirements. |
| Detect | Vulnerability management – vulnerability scanning and penetration testing. | We run regular vulnerability scanning and coordinate penetration testing, tracking remediation to closure with evidence. |
Guidelines for Software Development
| Principle | Control focus | How we help |
|---|---|---|
| Protect | Secure application development – security embedded across the development lifecycle. | We embed secure-SDLC practices – threat modelling, secure coding standards, and testing – into your pipeline. |
| Protect | Web application development – hardening internet-facing applications. | We align web applications to OWASP and ISM web-hardening requirements, with security testing as a release gate. |
Guidelines for Database Systems
| Principle | Control focus | How we help |
|---|---|---|
| Protect | Database servers – hardening and isolating database infrastructure. | We harden and segment database servers and restrict administrative access to them. |
| Protect | Database management and content – protecting the data itself. | We implement least-privilege database access, encryption of sensitive fields, and monitoring of high-value data. |
Guidelines for Email
| Principle | Control focus | How we help |
|---|---|---|
| Protect | Email usage – protective markings and acceptable handling of sensitive information. | We set protective-marking and acceptable-use rules for email handling of sensitive information. |
| Protect | Email gateways and servers – anti-spoofing, filtering and encryption. | We deploy SPF, DKIM and DMARC, content filtering, and TLS to ISM standards to protect inbound and outbound mail. |
Guidelines for Networking
| Principle | Control focus | How we help |
|---|---|---|
| Protect | Network design and configuration – a segmented, defensible architecture. | We design segmented, defensible network architecture and document the data flows and trust boundaries for assessment. |
| Protect | Wireless networks – securing wireless access to ISM standards. | We secure wireless with strong authentication and segregation from sensitive zones. |
| Protect | Service continuity for online services – resilience of internet-facing services. | We plan DDoS resilience and availability protections for your internet-facing services. |
Guidelines for Cryptography
| Principle | Control focus | How we help |
|---|---|---|
| Protect | Cryptographic fundamentals – using ASD Approved Cryptographic Algorithms with sound key management. | We ensure only ASD Approved Cryptographic Algorithms and Protocols are in use, with a documented key-management lifecycle. |
| Protect | Transport and protocol security – TLS, SSH, S/MIME and IPsec configured to approved parameters. | We configure TLS, SSH, S/MIME and IPsec to ISM-approved parameters and retire weak protocols and ciphers. |
Guidelines for Gateways
| Principle | Control focus | How we help |
|---|---|---|
| Protect | Gateways and firewalls – controlled, logged traffic flows between networks. | We design ISM-compliant gateway and firewall architecture with controlled, logged, default-deny traffic flows. |
| Protect | Cross Domain Solutions and diodes – bridging domains of differing classification. | We advise on Cross Domain Solutions and data diodes where information must move between domains of differing classification. |
| Protect | Web proxies and content filtering – controlling web usage. | We implement web filtering and proxy controls aligned to ISM web-usage requirements. |
Guidelines for Data Transfers
| Principle | Control focus | How we help |
|---|---|---|
| Protect | Data transfer processes – authorised, filtered movement of data between systems. | We define import/export procedures, content filtering, and authorisation for moving data between systems and classifications. |