Any entity can engage an IRAP Assessor, not just Australian government entities. Security assessments of SECRET and below systems can be undertaken by an organisation’s own assessors or IRAP Assessors. It is however best practice and strongly recommended to engage an IRAP Assessor when performing a security assessment. For commercial or government gateways, and outsourced cloud service providers and their cloud services, security assessments must be undertaken by an IRAP Assessor. In all cases, assessors should hold an appropriate security clearance and have an appropriate level of experience and understanding of the type of system they are assessing.

IRAP Assessors provide assessment services based on:
- the Protective Security Policy Framework (PSPF)
- the Information Security Manual (ISM), and
- other Australian Government security guidance and advice.

You can select an IRAP Assessor here.

IRAP Assessors will:
- learn and understand your system architecture
- ensure that the required physical certification has been attained
- ensure that assessed security controls are implemented and operating effectively
- propose mitigation strategies for any security controls that are not as effective as planned, and
- enable the reviewer of the report to make an informed risk-based decision about the system’s suitability for their security needs and risk appetite.

IRAP services include providing advice for, and assessments of:
- cloud services,
- gateways,
- specialised government network connections,
- information systems,
- system documentation, and
- risk mitigation.

Tips

When you engage an IRAP Assessor you:
- should clearly define the scope of work and expected deliverables, and
- must not define favourable assessment outcomes because this jeopardises the integrity of the assessment.

If you are engaging an IRAP Assessor to re-assess a system, you should allow sufficient time to ensure the assessment can be completed before the current assessment expires.

ASD recommends seeking at least three quotes when engaging an IRAP Assessor.

Note

ASD does not recommend specific IRAP Assessors nor assist in selecting an IRAP Assessor for a particular task.

Do not restrict engagement to those IRAP Assessors geographically closest to you.