IRAP Assessment Services
Comprehensive, independent cybersecurity assessments aligned with the Australian Government’s Information Security Manual (ISM).
What is an IRAP Assessment?
The Information Security Registered Assessors Program (IRAP) is managed by the Australian Signals Directorate (ASD). Through the IRAP process, assessors identify security risks, provide remediation guidance, and help organisations achieve the certification needed to operate within Australian Government environments.
IRAP Assessors are independent cybersecurity professionals formally accredited by the ASD, authorised to evaluate the security posture of ICT systems and cloud services against the ISM. They typically hold security clearances and deep expertise in information security, risk management, and compliance frameworks — acting as trusted third parties up to and including TOP SECRET classification levels.
Organisations that do not fully comply with the ISM may still achieve IRAP certification based on their risk profile, as assessed by the IRAP Assessor and accepted by the ASD.
How the Assessment Works
Our IRAP Assessments follow a structured 5-stage process. Your IBICyber consultant will guide you through every step.
Stage 0 — Pre-Assessment & Scoping
Capture system details, prepare a proposal, and establish an indicative schedule. Often provided at reduced cost or absorbed into Stage 1 if the engagement proceeds.
Stage 1 — Plan and Prepare
Validation of the assessment scope and confirmation that all identified services are covered by defined system components. Can move quickly when your environment is well documented.
Stage 2 — Define Scope
Initial review of documentation and technology controls. Your consultant flags early findings and non-compliance areas so you have maximum time to remediate before formal assessment.
Stage 3 — Assess Controls
Collection and review of evidence to evaluate how effectively security controls are implemented against the ISM. Includes interviews, configuration examination, and control testing — the majority conducted remotely.
Stage 4 — Reporting
Delivery of the comprehensive Security Assessment Report (SAR) and Controls Matrix, documenting findings mapped to each relevant ISM control. Includes time for client review and a face-to-face final debrief.
Deliverables
- Security Assessment Report (SAR)
- ISM Controls Matrix
- Risk findings & mitigations
- Face-to-face debrief session
Engagement Scenarios
The scope of your IRAP assessment depends on the size and complexity of your environment. IBICyber offers three engagement tiers:
| Scenario | Context | Estimated Effort |
|---|---|---|
| Small | Single Application (Hosted/SaaS), simple network architecture, comprehensive documentation, limited integrations | ~20 Days |
| Medium | On-Premise/Cloud/Hybrid, moderate integrations, partial documentation, some controls immature | ~30 Days |
| Large | Multi-region, Multi-Cloud, complex network architecture, numerous integrations, high assurance requirements | ~50 Days |
Stage-by-Stage Breakdown
| Stage | Activity | Small | Medium | Large |
|---|---|---|---|---|
| Stage 0 | Pre-Assessment & Scoping | 1 day | 1 day | 1 day |
| Stage 1 | Plan and Prepare | 1 day | 2 days | 4 days |
| Stage 2 | Define Scope | 3 days | 5 days | 5 days |
| Stage 3 | Assess Controls | 10 days | 15 days | 30 days |
| Stage 4 | Reporting | 5 days | 7 days | 10 days |
| Total Days | 20 | 30 | 50 | |
Time and Cost Estimates
Assessment timelines typically range from 20 to 60 days, depending on the size, complexity, and preparedness of your organisation.
As of July 2025, an IBICyber IRAP assessment costs approximately between $40,000 AUD and $100,000 AUD (inclusive of GST). We charge a flat fee — not hourly or daily rates — giving you a known expenditure and quality assurance without monitoring contractor hours.
Liaising with the ASD
IBICyber has an established relationship with the ASD. We liaise on your behalf to advise on certification requirements, discuss assessment findings, and demonstrate the value of your services to the Australian Government.
Ready to start your IRAP assessment?
Reach out for a 30-minute scoping session to understand how we can help with your IRAP requirements.
IBICyber 