Frequently Asked Questions

Common questions about IRAP assessments and how IBICyber can help.

Can you help us prepare for and conduct the IRAP assessment?

No. The IRAP code of conduct requires IRAP assessors to be independent and unbiased. We cannot assess a system that we have had any input into creating. You can choose to hire IBICyber to build your security planning and documentation in line with the ISM, or you can hire us to perform the IRAP assessment — but not both for the same system.

How long does an IRAP assessment take?

An assessment can take anywhere from 1 to 6 months. Smaller systems with a small technology stack can be completed in as little as one month. The larger the system, the longer it will take.

In 99% of cases, assessment delays are caused by the client organisation — often from the mistaken belief that documentation and control implementation can be completed during the assessment. This is not possible. IBICyber strongly advises organisations to be ready before Stage 1 begins.

How much will an IRAP assessment cost?

IBICyber prices every assessment on a bespoke basis. In our initial scoping meeting, we gather information about your system (its boundaries, technology stack, and architecture) to determine duration, complexity, and cost.

IBICyber charges a flat fee (rather than time-based rates) for all IRAP consulting. A flat fee gives clients a known expenditure and quality assurance, without keeping a contractor on retainer for review cycles.

As of July 2025, assessments typically range between $40,000 AUD and $100,000 AUD (inclusive of GST). Get in touch for a personalised quote.

What security documentation does my system need before an IRAP assessment?

While the ISM is not prescriptive in nature, the following core documents should be held at a minimum:

  • System security plan
  • Incident response plan
  • Continuous monitoring plan
  • Plan of action and milestones

The fifth ISM document — the Security Assessment Report — is produced through the IRAP process itself. Additional documents such as network diagrams, software registers, patch management processes, and mobile device policies should also be held where relevant. Contact us for a full documentation checklist.

What should I bring to the IRAP assessment?

All security-related documentation must be provided to the assessors at the outset, including all policies and procedures referenced in that documentation. Delays in delivering documentation result in delays to the final IRAP report.

We recommend reviewing the ASD Information Security Manual internally to assess your readiness before engaging an assessor.

Will you come to our office to conduct the assessment?

It is unlikely our consultants will need to sit in your office daily. The bulk of the assessment is conducted remotely, unless there is a compelling reason to perform documentation review onsite. Any travel costs incurred are additional to the assessment fee.

System documentation can be shared via IBICyber’s secure cloud file-sharing platform. Where documentation is classified as PROTECTED or above, IBICyber will conduct the assessment remotely using your provided infrastructure.

How will the assessment be conducted?

After you provide initial documentation, IBICyber assessors prepare an initial report and determine which evidence formats are needed to assess physical control implementation. Evidence formats may include:

  • Interviews with key personnel
  • Witnessing configurations on screen
  • Screenshots of configurations
  • In some cases, parsing a standard operating environment disk image

The majority of evidence gathering is conducted remotely. IBICyber finds it necessary to conduct a face-to-face meeting at the delivery of the final report to walk through the assessment findings in detail.

Where can I find more information?

The ASD IRAP Consumer Guide provides guidance on how to engage an assessor, prepare for an assessment, understand the process, and use the information in the final report.

Download it at: ASD IRAP Consumer Guide

Still have questions?

Book a free 30-minute scoping session and we’ll answer any questions specific to your situation.