What is an Information Security Registered Assessors Program, or IRAP, assessment?

by | Jan 3, 2023 | IRAP

The Information security Registered Assessors Program (IRAP) assessment is conducted by the Australian Signals Directorate (ASD) – by proxy – to evaluate the information security measures implemented by an organisation. It is designed to assess an organisation’s compliance with the Australian Government Information Security Manual (ISM) and to identify potential vulnerabilities and weaknesses in its information security posture relative to what ISM considers best practice.

The IRAP Assessment is carried out by an independent Assessor – like Redacted Information Security – who has been trained and certified by the ASD to conduct the assessment. The process involves a comprehensive review of an organisation’s information security policies, procedures, and practices, as well as the technical security controls that are in place to protect its information assets.


The Benefits of an IRAP Assessment

  • Improved Information Security: An IRAP Assessment helps organisations identify weaknesses in their information security posture and take steps to address them. This can help to reduce the risk of data breaches, cyber attacks, and other security incidents.
  • Compliance with Government Standards: An IRAP Assessment evaluates an organisation’s compliance with the Australian Government Information Security Manual (ISM). This can help organisations meet their legal and regulatory obligations and avoid penalties for non-compliance.
  • Competitive Advantage: An IRAP Assessment can help organisations demonstrate to customers, partners, and stakeholders that they take information security seriously and have implemented robust security measures to protect their sensitive data.
  • Risk Management: An IRAP Assessment helps organisations identify and prioritise security risks, and take steps to mitigate them. This can help organisations reduce the likelihood and impact of security incidents.


The Steps Involved in an IRAP Assessment

  1. Planning: The first step is to plan the assessment, which involves determining the scope of the assessment, identifying the objectives, selecting the assessment team, and defining the assessment methodology.
  2. Information gathering: This step involves collecting information about the organisation’s information security policies, procedures, and practices. The information can be gathered through interviews, document reviews, and site visits.
  3. Risk assessment: The next step is to conduct a risk assessment to identify potential vulnerabilities, threats, and risks to the organisation’s information security. This involves evaluating the likelihood and impact of potential security incidents.
  4. Gap analysis: After identifying the risks, the assessment team performs a gap analysis to compare the organisation’s information security policies, procedures, and practices against best practices, industry standards, and regulatory requirements.
  5. Reporting: The results of the assessment are documented in a report that includes findings, recommendations, and an action plan. The report should be reviewed and approved by the organisation’s management before it is finalised.
  6. Follow-up: Once the assessment report has been completed, the organisation should take action to address any identified vulnerabilities and implement any recommended changes. The assessment team may conduct follow-up reviews to ensure that the organisation has implemented the necessary improvements.


Overall, an IRAP assessment is a comprehensive process that requires careful planning, information gathering, risk assessment, gap analysis, reporting, and follow-up. The assessment is designed to help organisations identify and address vulnerabilities and risks to their information security and ensure that they comply with regulatory requirements and best practices. This will improve their information security posture, meet their compliance obligations, and gain a competitive advantage in their respective industries.

The team at Redacted Information Security represent 25% of consultants globally that can run an IRAP program of work up to, and including,  ‘Secret’ level clearance. So if you’d like to learn more about IRAP, and how it can help your organisation, contact us today.


The team at Redacted occasionally put together a synopsis or discussion of their collective ideas on a given topic.