Will you come to our office and complete an IRAP assessment?

Redacted conducts most assessments remotely unless compelling reasons exist for onsite work. For PROTECTED documentation or above, assessments use client-provided infrastructure. After initial reporting, assessors determine the required evidence formats: interviews, configuration witnessing, screenshots, or disk image analysis. Some evidence gathering occurs remotely; assessors attend in person where necessary to verify system components. A face-to-face meeting is conducted at final report delivery.

How long does an IRAP assessment take?

Assessments typically span 2–6 months. Smaller systems with limited technology stacks may be completed in two months, while larger systems require extended timeframes. In 99% of cases where an assessment is delayed, the client organisation causes the postponement, commonly before or after initial report delivery. Organisations should prepare documentation and control implementations before Stage 1 commences rather than attempting these during the assessment.

How much will an IRAP assessment cost?

Pricing is customised per assessment. Initial scoping meetings gather system information regarding boundaries, technology stack, and architecture to determine duration, complexity, and cost. Redacted charges flat fees rather than hourly rates, believing this approach provides superior value and aligns with assessment purposes. This method ensures cost certainty and quality assurance without prolonged contractor engagement through review cycles.

Can you prepare our security documentation and conduct our IRAP assessment?

No. IRAP code of conduct requirements mandate assessor independence and impartiality. We cannot assess systems we contributed to creating. You may engage Redacted for either security planning/documentation aligned with ISM standards or IRAP assessment services—not both simultaneously.

What security documentation does my system need before conducting an IRAP assessment?

Minimum required (per ISM):

  1. System security plan
  2. Incident response plan
  3. Continuous monitoring plan
  4. Plan of action and milestones
  5. Security Assessment Report (created through the IRAP process)

Additional documents may be required depending on your system, including: radio frequency/infrared device registers, business continuity/disaster recovery plans, cable documentation, cryptographic key management procedures, incident registers, equipment/media management policies, network diagrams, patch management procedures, vulnerability disclosure processes, and web usage policies.

What should I bring to the IRAP assessment?

All security-related documentation should be provided to the assessors in the first instance, including all policies and procedures referenced in this documentation. Documentation delays may postpone report production.
