Preparation is the work you do before the assessor arrives: current documentation, gathered evidence, available people, and access logistics. Organisations that arrive without this groundwork extend the timeline and create evidence gaps the assessor must record as constraints. Preparation is the cheapest money you spend on IRAP.
Preparing for an IRAP assessment is work the organisation does before the assessor arrives. It covers documentation, evidence, personnel availability, and access logistics. Organisations that arrive at an IRAP assessment without this groundwork in place extend the timeline and create gaps in evidence that the assessor must document as constraints. The ASD IRAP Consumer Guide includes a baseline preparation checklist, and this article works through what that preparation involves in practice.
| Preparation area | What to have ready before the assessor starts |
|---|---|
| Documentation | A current System Security Plan (SSP) and its annex (SSP-A), plus the supporting documents the ASD checklist lists, accurate and approved |
| Evidence | Configuration exports, scan results, patching history, log samples, backup and access review records that reflect ongoing practice |
| People and access | System administrators, security staff and system owners scheduled; system access, facility access and clearance verification arranged |
| Timelines | Start date, end date and any milestones tied to your authorisation deadlines, agreed with the assessor in advance |
Stackform’s journey
The assessment boundary was agreed. Stackform had a clear picture of what the assessor would evaluate. What James had not yet done was look at whether Stackform was actually ready for someone to start assessing it. The quality of evidence available at the start of an assessment is one of the biggest variables in how smoothly it runs. An assessor who arrives and cannot access documentation, cannot get system accounts provisioned, or cannot get the right people on a call, will document those gaps as constraints. That does not help the authorising officer form a positive view of the organisation’s security posture. Preparing for an IRAP assessment properly is the organisation’s responsibility, not the assessor’s.
What documentation do you need ready before an IRAP assessment?
The primary documents the assessor will use to understand the system are the System Security Plan (SSP) and its annex, the SSP-A. The SSP describes the system, its components and its data flows; the SSP-A records, control by control, how each applicable ISM control has been implemented. If these do not exist or have not been kept current, they need to be written or updated before assessment begins. An assessor cannot assess what is not documented, and a stale SSP-A costs assessment time because it sends the assessor looking for controls that are no longer configured the way the document says.
Beyond the SSP and SSP-A, the ASD preparation checklist identifies a set of documents that should be ready before the assessment starts. These documents do not need to be perfect. They need to be accurate, approved by the relevant authority, and reflective of what is actually implemented. An assessor can only assess what is implemented, not what is planned.
- Risk management documents, including any existing risk register or risk treatment plan for the system
- Design and architectural documents, including logical and physical diagrams of the system environment
- Incident response plans and playbooks relevant to the system
- Organisational security policies and standard operating procedures covering the system
- Configuration and build documents, including hardening guidelines applied to the system
- Business continuity and disaster recovery plans
- Any previous security assessment reports or penetration test results
- Service provider security contract extracts where third parties are involved in delivering or maintaining the system

What evidence should you collect before the assessor arrives?
Documentation describes what should be in place. Evidence demonstrates that it is. Preparing for an IRAP assessment means collecting that evidence before the assessor asks for it. Useful evidence to have ready includes exports of system configurations and cryptographic settings (screenshots only where an export is not possible), vulnerability scan results, patching history, log samples, backup and restoration test records, and records of access control reviews. Label each item with the system it came from, the date it was captured and who captured it, and map it to the control it supports, so the assessor is not left reconstructing provenance. Where controls are enforced by automated mechanisms, the assessor will want to see configuration exports or tool outputs, not just policy documents that describe the intent.
Evidence gathered only in the days before an assessment, or created specifically for it, is lower quality than evidence that reflects ongoing operational practice. Assessors are trained to identify the difference. Historical evidence, such as months of patching records rather than a single current snapshot, gives the assessor a much stronger basis for rating a control effective.
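One way to keep an evidence package honest about the distinction above is to inventory it before the assessor does. The script below is an added example for this article, not an ASD tool and not Cybernion's readiness tooling. It assumes a directory laid out one folder per control (the folder names `patching`, `backups` and `access-review` are placeholders, not ISM identifiers), hashes every file so the package can later be shown to be unaltered, records when each item was captured, and then flags controls with no evidence and controls whose evidence all falls within one short window, which is the "single current snapshot" the paragraph above warns about. The sample evidence tree it builds is constructed for the demonstration.

```python
"""Evidence manifest builder: added example, not an ASD or Cybernion tool.

Assumed layout: <evidence_root>/<control>/<files>. Folder names are
placeholders for whatever control identifiers the SSP-A uses.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large log exports are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_root: Path) -> list[dict]:
    """One entry per evidence file: control folder, relative path, hash, capture time."""
    entries = []
    for path in sorted(evidence_root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(evidence_root)
        entries.append({
            "control": rel.parts[0],  # top-level folder names the control
            "path": str(rel),
            "sha256": sha256_file(path),
            "captured": datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc),
        })
    return entries


def assess_coverage(manifest: list[dict], expected_controls: list[str],
                    min_span_days: int = 90) -> dict:
    """Return {control: 'missing' | 'snapshot' | 'historical'}.

    'snapshot' means every item for the control was captured within
    min_span_days of the earliest item: nothing shows the control operating
    over time. 'historical' means the evidence spans at least that long.
    """
    by_control: dict = {}
    for e in manifest:
        by_control.setdefault(e["control"], []).append(e["captured"])
    status = {}
    for control in expected_controls:
        times = by_control.get(control)
        if not times:
            status[control] = "missing"
            continue
        span = max(times) - min(times)
        status[control] = "historical" if span >= timedelta(days=min_span_days) else "snapshot"
    return status


def build_sample_package(root: Path, now: datetime) -> None:
    """Constructed sample evidence tree for the demonstration (not real records)."""
    def write(rel: str, text: str, days_ago: int) -> None:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
        ts = (now - timedelta(days=days_ago)).timestamp()
        os.utime(p, (ts, ts))  # backdate the capture time

    # Six monthly patch reports: evidence of ongoing practice.
    for month in range(6):
        write(f"patching/patch-report-{month}.txt", f"constructed report {month}", 30 * month)
    # One restore test run five days ago: a snapshot, no history.
    write("backups/restore-test.txt", "constructed restore log", 5)
    # Folder created but nothing in it: missing evidence.
    (root / "access-review").mkdir()


def run_demo() -> tuple:
    """Build the sample package, inventory it and classify each control."""
    now = datetime(2026, 6, 1, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_package(root, now)
        manifest = build_manifest(root)
        status = assess_coverage(manifest, ["patching", "backups", "access-review"])
        return manifest, status


if __name__ == "__main__":
    manifest, status = run_demo()
    for e in manifest:
        print(f"{e['control']:<14} {e['captured']:%Y-%m-%d} {e['sha256'][:12]}  {e['path']}")
    for control, s in status.items():
        print(f"{control}: {s}")
```

Run it against the real package before the assessor arrives and treat every `missing` as a gap to close and every `snapshot` as a control where you should dig out the historical records, because the assessor will ask for them. The hashes go in the manifest you hand over, so any item later questioned can be shown to be the file you captured on that date.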

Who needs to be available, and what access does the assessor need?
The assessor will need to speak with people, not just read documents. System administrators, security personnel, and system owners should be scheduled and available during the assessment period. Interviews are a core part of the evidence gathering process. If key personnel are unavailable, controls that depend on demonstrating human processes cannot be fully assessed.
Access logistics are equally important. The assessor will need system access appropriate to the assessment scope, facility access if on-premises components are involved, and clearance verification where required. Sorting these ahead of time avoids delays at the start of the assessment that compress the available time for actual assessment work.
How do you agree the assessment timeline and milestones?
Assessment timelines should be agreed with the assessor before work begins. The key variables are the start date, expected end date, and any milestones tied to the organisation’s own authorisation deadlines. How long an assessment runs depends on complexity, scope size, the availability of evidence, and the assessor’s familiarity with the environment. Organisations that arrive well prepared consistently complete assessments faster than those that do not.
What Stackform did
James spent the three weeks before the assessment start date working through the preparation checklist with Cybernion. The SSP-A was reviewed and updated to reflect configuration changes made since the document was last touched. Architectural diagrams were redrawn to match the agreed boundary. Patching records were pulled from the patch management platform. System administrators were briefed on the assessment timeline and asked to hold availability during the assessment window. When the assessor arrived, they had access to a documentation package that matched the system as it was actually built. The assessment started on the agreed date without any provisioning delays.
Preparation does not guarantee a clean assessment report. But it gives the assessor the best starting point, and it gives the organisation the best chance of the report reflecting its actual security posture rather than the gaps in its evidence collection. Next: how the IRAP assessment process works.
Related reading: how to choose an IRAP assessor, how to define the assessment boundary, and the complete IRAP assessment guide. Cybernion runs IRAP readiness with organisations preparing for assessment.
The names of the organisations and individuals have been changed to protect their privacy. The situations described are based on real patterns observed across Australian government and enterprise environments.
Frequently asked questions
When should we start preparing for an IRAP assessment?
As early as possible once the assessor is engaged and the boundary is agreed. Documentation gaps and evidence shortfalls take time to address. Starting preparation in the weeks before the assessor arrives rather than the days makes a material difference to how the assessment runs.
What is the most important document to have ready?
The System Security Plan (SSP) and its annex (SSP-A). The assessor uses them to understand the system, its components, and how each control is implemented. If they do not exist or are out of date, they need to be written or updated before the assessment starts.
Does our evidence need to be perfect before the assessment begins?
No, but it needs to be accurate and reflective of what is actually implemented. Historical evidence is more valuable than evidence created specifically for the assessment. Assessors are trained to distinguish between ongoing operational records and documentation produced for the occasion.
What happens if we cannot get key personnel available during the assessment?
Controls that depend on demonstrating human processes cannot be fully assessed without the relevant people. The assessor will document any gaps in evidence availability as constraints in the report. Those constraints form part of what the authorising officer reviews.
Does being well prepared affect the assessment outcome?
Preparation affects the quality of evidence available to the assessor, which affects the confidence with which controls can be rated. It does not lower the standard. It gives the organisation the best chance of the report reflecting its actual security posture rather than the gaps in its evidence collection.
Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- ASD IRAP Consumer Guide, July 2025
- IRAP Common Assessment Framework, April 2025
Last updated: 21 June, 2026