Skip to main content

An IRAP Assessor will assist you to navigate through the accreditation framework, by helping you to understand and implement Australian Government security standards, requirements, controls and recommendations.

Any entity can engage an IRAP Assessor, not just Australian government entities.

Security assessments of SECRET and below systems can be undertaken by an organisation’s own assessors or IRAP Assessors. It is however best practice and strongly recommended to engage an IRAP Assessor when performing a security assessment. For commercial or government Secure Internet Gateway (SIG) intended for use by multiple entities across government, and outsourced cloud service providers and their cloud services security assessments must be undertaken by an IRAP Assessor. In all cases, assessors should hold an appropriate security clearance and have an appropriate level of experience and understanding of the type of system they are assessing.

IRAP Assessors provide assessment services based on:

You can select an IRAP Assessor here.

IRAP Assessors will:

  • learn and understand your system architecture

  • ensure that the required physical certification has been attained

  • ensure that assessed security controls are implemented and operating effectively

  • propose mitigation strategies for any security controls that are not as effective as planned, and

  • enable the reviewer of the report to make an informed risk-based decision about the system’s suitability for their security needs and risk appetite.

IRAP services include providing advice for, and assessments of:

  • cloud services,

  • gateways,

  • specialised government network connections,

  • information systems

  • system documentation, and

  • risk mitigation.


When you engage an IRAP Assessor you:

  • should clearly define the scope of work and expected deliverables, and

  • must not define favourable assessment outcomes because this jeopardises the integrity of the assessment.

If you are engaging an IRAP Assessor to:

  • re-assess a system, you should allow sufficient time to ensure the assessment can be completed before the current assessment expires, or

  • re-assess an ASD Certified PROTECTED Gateway, you should engage the IRAP Assessor approximately three months before the current assessment expires to ensure the assessment can be completed before the current assessment expires.

ASD recommends seeking at least three quotes when engaging an IRAP Assessor. Note ASD does not recommend specific IRAP Assessors nor assist in selecting an IRAP Assessor for a particular task.

Do not restrict engagement to those IRAP Assessors geographically closest to you.