Service
IRAP Assessments
ASD-endorsed IRAP assessments for PROTECTED and OFFICIAL: Sensitive systems. Assessment-only engagements, ISM-aligned, with clear reporting for your authorising officer.
When you'd engage us
Your system is targeted for use with Australian Government data at OFFICIAL: Sensitive or PROTECTED. You've either completed your System Security Plan and supporting artefacts, or you need an independent ASD-endorsed assessor to work through them with you and produce the findings your authorising officer will rely on.
What an engagement includes
- Scoping workshop and confirmation of system boundary, data types, and classifications.
- Review of the SSP, SRMP, and supporting evidence against the current ISM.
- Targeted fieldwork: configuration walk-throughs, control interviews, evidence inspection.
- Findings register with risk-rated observations and recommended treatments.
- Final IRAP report pitched at the authorising officer's decision, not at us.
- One round of material-findings re-test within the engagement window.
How we work
Assessment-only. You prepare the documentation and evidence; we review, test, and report. If you need help preparing your SSP or uplifting the environment before assessment, that's a separate ISM Advisory engagement — and we don't assess what we've advised on, to preserve independence.
What you need to get a formal quote
Under a mutual NDA we'd ask for:
- A system boundary diagram and summary of components and integrations.
- Current SSP and SSP Annex A (drafts are fine).
- Target classification, data types, and user populations.
- Infrastructure footprint and jurisdictions.
- Target assessment window and any procurement constraints.