Navigating IRAP Assessment & Preparation: When they make sense and when they don’t

TL;DR: Cyber security is about more than ticking boxes.

As cyber security threats and incidents have made headlines, many business leaders have focused on strengthening their defences. However, one mistake many people make is seeing cyber security as an exercise in ticking boxes. This is when IRAP assessments & preparation come into play.

IRAP assessments are one of these boxes that many leaders feel they must tick. However, not every company will need to undergo this assessment; if you are one of these businesses, completing an IRAP assessment will be more a waste of time and money than an exercise to strengthen cyber security. IRAP is more than just a necessary step, but an input into understanding the residual risks associated with operating a system in order to make an informed, risk-based decision. If this is viewed from the lense of a compliance exercise, its a waste of money, however if it is employed as intended, it is a valuable tool and well worth the time and effort.

So, let’s discuss whether an IRAP assessment is appropriate for your organisation.

What is an IRAP assessment?

The Information Security Registered Assessor Program (IRAP) is a cybersecurity assessment framework created for Australian organisations. A certified assessor conducts the assessment to evaluate the security posture of organisations that handle sensitive or classified data.

These assessments are time-consuming, involving a comprehensive evaluation of an organisation’s information security practices, policies, procedures, and technical controls.

IRAP assessments typically cover various aspects of information security, including risk management, access controls, incident response, network security, physical security, and personnel security. The assessors identify vulnerabilities and weaknesses in the assessed entity’s information security defences and recommend improvements.

When your organisation needs an IRAP assessment

Your organisation should undergo an IRAP assessment if you handle government data. You must comply with cyber security requirements such as the Australian Government Protective Security Policy Framework (PSPF) and the ACSC’s Information Security Manual (ISM).

For example, a large engineering company that works on government contracts must undergo an IRAP assessment. A smaller company might also need to undergo an assessment if they provide project management software or cloud services used by government agencies, however this may be dependent on the agency and any security controls that can be inherited from other systems.

In short, if you partner with or supply to a government agency, it is likely you need an IRAP assessment.

When you don’t need an IRAP assessment

You will not need to complete an IRAP assessment if you do not handle government data. Whilst it is good practice, the time, effort and cost of undergoing an assessment could be better spent on other meaningful security activities.

Too many people focus on cyber security as a box-ticking exercise or getting a document you can post on LinkedIn. If you want to complete an assessment simply to get a badge or certificate, you might end up aligning your business with compliance requirements that do not suit your goals. You will also create unnecessary security policies that hinder business activities, just to pass an assessment you do not need.

Instead, you will see better results by taking the time to:

  • Understand the business goals
  • Connect with security professionals that can find the right framework for your business
  • Get a gap assessment against that framework to understand what it requires of you
  • Align your business to the framework.

If you do not need an IRAP assessment, the ISM and the Essential Eight Maturity Model are good frameworks for measuring your business and identifying security gaps. But, many other frameworks might align better with your business model or be more appropriate to your industry.

Remember, these exist to serve as a guide, not a high school pass/fail assessment that sometimes we get a little fixated on and overwhelmed.

What is needed from an IRAP assessor?

IRAP assessors must be familiar with the various threats that could pose a risk to your organisation’s information and systems, including foreign intelligence services.

Foreign intelligence services are one of a number of threats faced by organisations handling government data. These services aim to gather sensitive information by infiltrating systems through cyberattacks. These attacks can result in the theft of intellectual property, sensitive personal information, or national security secrets. IRAP assessors must understand the tactics, techniques, and procedures that foreign intelligence services use to compromise an organisation’s security. Other threats include malicious code, insiders and individuals seeking to commercially exploit sensitive information.

If you want to undergo an IRAP assessment, our team at Mercury understand these threats and can guide you in aligning your business with the framework. We will prepare your business by educating you on your obligations and responsibilities and build a cyber security strategy that evolves as your business changes.

What is needed from the organisation undergoing an assessment?

There is not only a sizeable documentation requirement, but the demonstrable security controls and security culture represent a massive uplift for most organisations. This is at the heart of an IRAP assessment; the organisation can demonstrate it functions as a security-conscious entity and not simply an efficient box-ticking mechanism.


IRAP assessments are a critical cybersecurity framework for Australian organisations that handle government data. Completing an IRAP assessment demonstrates your organisation’s commitment to information security and your ability to meet the stringent security requirements set forth by the Australian Government.

However, not every organisation needs to complete an IRAP assessment; other established frameworks may be more relevant and appropriate for your industry.

If you plan to undergo an IRAP assessment, you should engage a qualified IRAP assessor with a deep understanding of the threat landscape.

Why choose Mercury as your IRAP assessor?

For the best results, you need to see cyber security as an intrinsic element of your organisation, tailored to meet your specific needs. Please contact us if you’re unsure whether your company should undergo an IRAP assessment. We can discuss whether it’s appropriate or if you should take a different direction to improve your cyber security posture.

Our threat-centric, mission-focused approach aligns with the core objective of the framework; to protect systems and data from cyber threats. We also have deep experience with various threat actors, including foreign intelligence. You can visit our Governance Services page for more on our capabilities.

Related blogs

Optimising cloud security: How to strike a balance between cloud performance and cost

Breaking into Salesforce: Our experience with Penetration Testing

We’re here to help

Let Mercury safeguard your business while you focus on growing it.

Reach out to us for a tailored cyber security consultation that aligns with your unique business needs.