Cybernion

How the IRAP Assessment Process Works

5 June 2026 · Updated 21 June 2026

An IRAP assessment follows four stages from the IRAP Common Assessment Framework: plan and prepare, define the assessment boundary, assess the controls against the ISM, and produce the report and control matrix. The assessor leads each stage; your role is access, documentation, evidence and people.

The assessor leads every stage. Your job is to make access, documentation, evidence and the right people available when each stage calls for them. The four stages are not ambiguous, and knowing what each one demands is the difference between engaging with the process and reacting to it.

Stackform had done the preparation. The assessor held the documentation package, system access was provisioned, and the agreed boundary was in writing. James Hartley’s first question at the opening session was the practical one. What actually happens now?

| Stage | What the assessor does | What you contribute |
|---|---|---|
| 1. Plan and prepare | Submits the Assessment Record and Conflict of Interest declaration to ASD, confirms timelines and methods, identifies the applicable frameworks | Agree the schedule, name the people, provision access |
| 2. Define the boundary | Documents and validates the boundary, maps the shared responsibility model, records inclusions and exclusions | Confirm the boundary through your delegate |
| 3. Assess the controls | Examines, interviews and tests each applicable ISM control and assigns an implementation outcome | Make documentation, evidence and people available |
| 4. Produce the report | Writes the Security Assessment Report and Controls Matrix with findings, recommendations and justifications | Review the draft, prepare to use it for authorisation |

Four stages of IRAP Assessment

What happens in Stage 1, plan and prepare?

Planning happens before any assessment work, and it sets how the rest will run. The assessor submits the Assessment Record and Conflict of Interest declaration to ASD via the ACSC Partner Portal at least seven business days before the assessment starts.

During planning the assessor confirms timelines, milestones and access requirements with the organisation. They identify the frameworks and policies that apply to the system, including the ISM, the PSPF and any other relevant guidance such as the Hosting Certification Framework. They settle which assessment methods will be used, how evidence will be collected and protected, and whether any managed service providers need to be brought into the process. The assessor may produce an assessment plan to formalise this and share it with you. Where a security assessment team is involved, team composition and responsibilities are set here. Good preparation before this point shortens everything that follows.

For Stackform, Stage 1 confirmed the agreed boundary in writing, set a weekly check-in cadence, and named the system administrators and security personnel who would be available for interviews during Stage 3.

What happens in Stage 2, define the assessment boundary?

The assessor defines the assessment boundary in agreement with the organisation’s delegate. The boundary is set in detail before the assessment, but within the process itself Stage 2 is where it is formally documented and validated before any control assessment begins.

The assessor reviews the system architecture, identifies the components in scope, maps the shared responsibility model with any third party providers, and confirms the boundary is complete and appropriate. Inclusions and exclusions are both documented. The assessor will keep reviewing and validating the boundary as the assessment progresses if new information emerges.

What happens in Stage 3, assess the controls?

This is the substantive work of the assessment and the longest stage, and it places the most demand on your people’s time. The assessor collects and reviews evidence to determine whether each applicable ISM control is operating effectively within the boundary, using three methods.

Examine means reviewing documents, configurations, system designs, policies and procedures. This is where the SSP-A, architectural diagrams and configuration exports are used directly. Interview means discussions with people across the organisation, including system owners, system administrators, security operations staff and end users, to understand how controls work in practice and to locate further evidence. Test means exercising controls under defined conditions to compare actual behaviour against expected behaviour, such as attempting access with an account that should be blocked, testing backup restoration, or verifying that a cryptographic configuration enforces the expected protocol.

For each control the assessor assigns one of seven standardised implementation outcomes.

| Outcome | What it means |
|---|---|
| Effective | The control meets the intent of the ISM control objective |
| Ineffective | The control does not adequately meet the intent of the control objective |
| Alternate control | The objective is met through a different control than the one specified |
| Not assessed | The control has not yet been assessed |
| Not applicable | The control does not apply to the system within the boundary |
| No visibility | The evidence available did not let the assessor confirm the control, equivalent to ineffective |
| Not implemented | The control has not been put in place, generally for a documented business or technical reason |

IRAP Implementation Statuses

Every outcome, including not applicable and not implemented, carries a written justification. The assessor does not rate risks. They describe what they found and the impact a weakness or gap may have; the risk rating and the authorisation decision sit with the system authoriser. The assessor only assesses what is implemented at the time of the assessment. Programs of work underway may be noted in the report but are not assessed.

For Stackform, Stage 3 ran across three weeks. The assessor examined the SSP-A and configuration documentation in the first week, interviewed the system administrators and security lead in the second, and completed technical testing and log review in the third. Two controls rated no visibility because the evidence available was a policy document that restated the control rather than demonstrated it. James heard about it during the assessment, not as a surprise in the final report.

What happens in Stage 4, produce the report?

Once control assessment is complete, the assessor produces the Security Assessment Report and the Controls Matrix. The report documents the assessment boundary, an overview of the system and environments assessed, the security strengths and weaknesses, any limitations that affected evidence gathering or testing, and the outcome of each control with its justification and supporting evidence.

The report includes recommendations. Assessors give descriptive recommendations that explain the issue and its implications, giving you enough context to decide how to address it; they do not prescribe a specific solution or dictate how a recommendation must be implemented. The assessor does not recommend whether the system should be authorised. That decision is for the authorising officer.

Before the report is finalised it is reviewed internally by the assessor and by the organisation’s stakeholders. The final report and Controls Matrix are provided to the assessed entity and a copy is submitted to ASD. For Stackform, the draft report reached James two weeks after Stage 3 concluded. He worked through the findings with Cybernion before it was finalised, and the report became the foundation for the authorisation package. Cybernion runs independent IRAP assessments end to end, and the complete IRAP guide sets the process in context.

Two deliverables of an IRAP assessment

The names of the organisations and individuals have been changed to protect their privacy. The situations described are based on real patterns observed across Australian government and enterprise environments.

Frequently Asked Questions

How long does an IRAP assessment take?

It varies with system complexity, scope size, evidence availability and the assessor’s familiarity with the environment. Thorough preparation before the assessment starts is the most effective way to reduce the overall timeline.

What are the seven IRAP implementation outcomes?

Effective, Ineffective, Alternate Control, Not Assessed, Not Applicable, No Visibility, and Not Implemented. Every outcome must include a written justification from the assessor. Not Implemented is distinct from Ineffective: Not Implemented means the control has not been put in place, usually for a documented business or technical reason.

Does the assessor tell us which findings are highest priority?

The assessor describes the potential impact of each weakness or gap but does not rate risks on behalf of the organisation or the consuming agency. Key vulnerabilities should be identified clearly in the report so the authorising officer and the organisation can prioritise them, but the risk rating itself is the organisation’s responsibility.

Can we fix issues found during the assessment before the report is finalised?

The assessor assesses what is implemented at the time of assessment. Remediations completed after the assessment period may be noted as programs of work underway but cannot be assessed as implemented unless the assessor has time and evidence to verify the change within the assessment timeframe. This should be discussed with the assessor if a finding is identified early in the process.

Who receives the final IRAP assessment report?

The assessed entity receives the report and controls matrix. The assessor also submits a copy to ASD as part of the quality assurance process. The assessed entity then uses the report as the basis for the authorisation package submitted to the system authoriser.


Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.

Sources:

  1. ASD IRAP Consumer Guide, July 2025
  2. IRAP Common Assessment Framework, April 2025
  3. Information Security Manual, June 2026
