Navigating your IRAP Journey:
A Pre-Engagement Checklist for Security Leaders

An IRAP Assessment, endorsed by ACSC, evaluates and strengthens your organisation's cybersecurity, moving beyond mere compliance to robust protection.

Preparing for an IRAP assessment is complex, given the myriad of controls and protocols involved. Mercury’s Pre-Engagement Checklist helps simplify this process by outlining key questions aligned with ACSC’s framework. These questions assist in preparing for an assessment and provide a snapshot of your current cybersecurity posture. Mercury offers the necessary expertise and guidance to help you approach your IRAP assessment with well-founded confidence. 

The checklist is an effective planning tool, identifying any gaps or areas needing additional attention. It is a structured method to ensure that your cybersecurity measures are both effective and in line with industry best practices.

Mercury offers the necessary expertise and guidance at every step to help you approach your IRAP assessment with confidence. 

Download the checklist today and ensure your IRAP assessment readiness.

Aligning your IRAP assessment preparation with ACSC’s framework

Mercury’s checklist adheres to the ACSC IRAP framework, ensuring alignment with cybersecurity best practices, regulations, and standards for comprehensive security readiness.

Stage 1 - Plan and Prepare

Initial planning and stakeholder engagement. Focuses on governance, cyber strategy, and threat environment.

  • Identify concealed vulnerabilities
  • Review data protection measures
  • Engage key stakeholders
  • Self-assess security controls
  • Define assessment objectives
  • Establish governance structure
  • Conduct threat modelling

Stage 2 - Define the Scope

Determines assessment boundaries, including systems, locations, and data. Defines the target of evaluation.

  • Understand system architecture
  • Analyse risk profile
  • Document assessment scope
  • Develop data classification plan
  • Validate controls for system-specific risks

Stage 3 - Assess Security Controls

Evaluates design and operational effectiveness of security controls through evidence and observations.

  • Collect evidence of design effectiveness
  • List security controls for evaluation
  • Document evidence efficiently
  • Assess third-party services
  • Secure permissions for validation

Stage 4 - Assessment Report

Finalises with a report documenting findings and clarifying the risk profile of the scoped environment.

  • Define assessment report elements
  • Ensure SCM/CSCM compliance
  • Familiarise with matrix format
  • Review ASD's IRAP resources
  • Establish an action team for the assessment report

We’re here to help

Let Mercury safeguard your business while you focus on growing it.

Reach out to us for a tailored cyber security consultation that aligns with your unique business needs.