Cybernion

Do You Need IRAP to Sell to the Australian Government?

5 June 2026 · Updated 21 June 2026

Short answer: If your cloud or SaaS product stores, processes or transmits Australian Government information at OFFICIAL: Sensitive, PROTECTED or above, you almost certainly need an IRAP assessment before an agency can use it. The trigger is who you sell to and what data you handle, not the size of your company. A startup faces the same obligation as a hyperscaler.

We have seen multiple businesses miss out on opportunities because their product wasn’t IRAP assessed. Here is when IRAP is actually required, what triggers it, and what it means if you are a SaaS provider or a startup.

When is an IRAP assessment required?

The requirement comes from the Protective Security Policy Framework (PSPF), which is Australian Government policy. Non-corporate Commonwealth entities subject to the Public Governance, Performance and Accountability Act must apply the PSPF.

Two parts of the PSPF matter here. PSPF Table 21 requires that outsourced information technology and cloud services handling SECRET, PROTECTED, OFFICIAL: Sensitive and OFFICIAL information are IRAP assessed before they process and store government data. Separately, requirement 0109 states that cloud service providers must have had an IRAP assessment within the previous 24 months, against the ISM that was current at the time of that assessment.

In plain terms: if you are an outsourced IT or cloud service and an agency wants to put its information into your system, that system needs an IRAP assessment first. For cloud providers it is also a standing obligation that refreshes roughly every two years.

What triggers the requirement for you?

Two things together, not your company size: who is buying, and what data you handle. A Commonwealth entity applying the PSPF, or an agency that contractually flows these obligations down to you, on one side; government information classified at OFFICIAL: Sensitive, PROTECTED or above that your system will store, process or transmit, on the other. If both are true, you are in scope. If you only sell to commercial customers, or never touch classified government information, the PSPF requirement does not apply, though customers may still ask about your security posture.

Situation | IRAP assessment needed?
--- | ---
SaaS that will hold PROTECTED government data, sold to a Commonwealth agency | Yes, before the agency uses the system
Outsourced IT or cloud service handling OFFICIAL: Sensitive government data | Generally yes, under PSPF Table 21
Three person startup whose product will hold PROTECTED data | Yes, there is no small business exemption
Product sold only to commercial customers, no government data | No, the PSPF requirement does not apply
Existing cloud provider last assessed 26 months ago | Reassessment due under requirement 0109

Do we need an IRAP assessment?

Does a startup or small SaaS company need IRAP?

Yes, if the triggers above apply. There is no small business exemption. The requirement attaches to the system and the data, so a three person SaaS startup selling a product that will hold PROTECTED data faces the same IRAP obligation as a large vendor. This surprises many founders, who assume IRAP is only for the hyperscalers.

Plan for it early. If your go-to-market includes government, build toward the ISM controls from the start rather than retrofitting them under deal pressure. Retrofitting is where the cost and delay live.

What classification level do you need?

The classification of the information a system will handle is set by the government agency that owns it, not by you. Confirm it before you scope anything. The common bar for government cloud and SaaS is PROTECTED, and the ISM control set is the same at OFFICIAL: Sensitive and PROTECTED. What changes at PROTECTED are the physical security, personnel clearance and network obligations, which expand the work involved. At OFFICIAL: Sensitive a provider is not required to hold cleared personnel; at PROTECTED and above, personnel with access must hold a current Australian Government security clearance.

Getting the classification confirmed up front prevents the two most expensive mistakes: assessing at the wrong level, and scoping a boundary larger than the data actually requires.

Does passing the assessment mean you are approved?

This is the most common misconception, so it is worth stating plainly. An IRAP assessment does not approve, certify or endorse your system, and there is no pass mark. The assessor independently tests your controls against the ISM and reports the strengths, weaknesses and residual risks. The agency’s authorising officer then reads that report and decides whether to accept the residual risk and authorise the system to operate, under PSPF requirement 0086.

So being IRAP assessed does not guarantee a sale. It gives the agency what it needs to make a risk based decision. A clean assessment with few residual risks makes that decision easy. A report full of open risks makes it hard.

What do you need to get ready?

At a minimum, expect to produce and maintain a System Security Plan and its annex, a Security Risk Management Plan, system design documentation, a continuous monitoring plan, an incident response plan, and your security policies and procedures. You will also need the right people available for the assessor, and evidence that your controls are not just documented but actually operating. A readiness review before the formal assessment is the usual way to find and close gaps before they cost assessor time.

If government is on your roadmap, treat IRAP as a design input, not a final hurdle. The complete IRAP assessment guide sets out the full process, and Cybernion runs independent assessments and readiness for OFFICIAL: Sensitive, PROTECTED and SECRET systems.


Frequently asked questions

Is IRAP mandatory?

It is mandatory in effect for outsourced IT and cloud services that handle Australian Government information at OFFICIAL: Sensitive and above, because the PSPF requires those services to be IRAP assessed before an agency uses them. It is not a law you break; it is a policy requirement that agencies must apply, and they pass it on to you through procurement.

Do I need IRAP if I only handle OFFICIAL data?

OFFICIAL outsourced IT and cloud services fall within the PSPF Table 21 requirement, so an assessment is generally expected. Confirm the exact classification with the agency, since OFFICIAL: Sensitive and above clearly require it.

Can I sell to government before I am IRAP assessed?

Generally not for systems that will hold classified government information, because the assessment is required before the agency uses the system. Some early engagement and proof of concept work may happen first, but production use of government data waits on the assessment and the authorisation.

How often do I need to be reassessed?

Cloud service providers must have been assessed within the previous 24 months, under requirement 0109. Treat IRAP as a roughly two year cycle, lighter each time if you maintain your posture between assessments.

Does being IRAP assessed mean I passed?

No. There is no pass or fail. The assessment reports your security position, and the agency decides whether to authorise the system based on the residual risk.


Written by Gaurav Vikash, an ASD-endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC, is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.

Talk to us. We aren’t always chasing a transaction.

Sources:

  1. ASD Infosec Registered Assessors Program (IRAP), cyber.gov.au, 2026 (IRAP Consumer Guide, July 2025)
  2. Information Security Manual, cyber.gov.au, June 2026
  3. Protective Security Policy Framework, Table 21 and requirements 0086 and 0109, protectivesecurity.gov.au, 2024
  4. Cloud assessment and authorisation, cyber.gov.au, 2024
