First published: 12 Jun 2019
Last updated: 15 Dec 2020

Content written for: Small & medium business; Large organisations & infrastructure; Government

An IRAP Assessor will assist you by helping you to understand and implement security controls and recommendations to protect your systems and data.

Any entity can engage an IRAP Assessor, not just Australian government entities.

Security assessments of SECRET and below systems can be undertaken by an organisation’s own assessors or IRAP Assessors. It is, however, best practice, and strongly recommended, to engage an IRAP Assessor when performing a security assessment. For commercial or government gateways, and outsourced cloud service providers and their cloud services, security assessments must be undertaken by an IRAP Assessor. In all cases, assessors should hold an appropriate security clearance and have an appropriate level of experience and understanding of the type of system they are assessing.

IRAP Assessors provide assessment services based on:

The IRAP Consumer Guide has been developed to provide entities seeking an IRAP assessment with helpful information on:

  • how to engage an IRAP Assessor
  • how to prepare for an IRAP assessment
  • understanding the assessment process, and
  • how to best use the information provided in the IRAP assessment report. 

You can select an IRAP Assessor here.

IRAP Assessors will:

  • learn and understand your system architecture
  • ensure that the required physical certification has been attained
  • ensure that assessed security controls are implemented and operating effectively
  • propose mitigation strategies for any security controls that are not as effective as planned, and
  • enable the reviewer of the report to make an informed risk-based decision about the system’s suitability for their security needs and risk appetite.

IRAP services include providing advice for, and assessments of:

  • cloud services,
  • gateways,
  • specialised government network connections,
  • information systems,
  • system documentation, and
  • risk mitigation.

Other things to remember:

When you engage an IRAP Assessor you:

  • should clearly agree with your Assessor on a defined scope of work and expected deliverables, and
  • must not define favourable assessment outcomes because this jeopardises the integrity of the assessment.

If you are engaging an IRAP Assessor to re-assess a system, you should allow sufficient time to ensure the assessment can be completed before the current assessment expires.

ASD recommends seeking at least three quotes when engaging an IRAP Assessor. Note that ASD does not recommend specific IRAP Assessors, nor does it assist in selecting an IRAP Assessor for a particular task.

Do not restrict engagement to those IRAP Assessors geographically closest to you.
