Information Security Registered Assessors Program (IRAP)

An IRAP Assessor will help you understand and implement Australian Government security standards, requirements, controls, and recommendations when you navigate the accreditation framework.

An IRAP Assessor could be engaged by any entity, not just Australian government entities.

When performing a security assessment, it is highly recommended to use an IRAP Assessor. An IRAP Assessor must conduct security assessments for commercial or government Secure Internet Gateways (SIG) designed for usage by many entities across government, as well as outsourced cloud service providers and their cloud services. Assessors should always have a valid security clearance and a proper level of experience and knowledge of the type of system they are assessing.


IRAP Assessors provide assessment services based on:

  • The Attorney-General's Department's Protective Security Policy Framework (PSPF)
  • The Australian Government Information Security Manual (ISM), and
    Other Australian Government security guidance and advice.


IRAP Assessors will:

  • Ensure that you have the appropriate physical certification.
  • Ensure that assessed security controls are implemented and operating effectively
  • Understand and learn about your system's architecture.
  • Recommend mitigation strategies for any security controls that aren't performing as planned
  • Enable the reviewer of the report to make an informed risk-based decision about the system’s suitability for their security needs and risk appetite.


IRAP services include providing advice for, and assessments of:

  • Cloud services
  • Gateways
  • Specialized government network connections
  • Information systems
  • System documentation
  • Risk mitigation