What is IRAP assessment?

The Information Security Registered Assessors Program (IRAP) is a key initiative by the Australian Cyber Security Centre (ACSC), operated under the Australian Signals Directorate (ASD). It is designed to provide a standardized framework for assessing the security posture of cloud and information and communications technology (ICT) systems, ensuring they meet the stringent requirements outlined in the Australian Government’s security standards.

IRAP assessments are conducted by independent assessors who are endorsed by the ASD. These experts evaluate systems against the information security manual (ISM) and the protective security policy framework (PSPF). This thorough evaluation process demonstrates an organization’s compliance with cybersecurity best practices and ensures that systems handling sensitive or classified government data meet national risk management and data protection requirements.

Who needs IRAP assessment?

IRAP assessment is essential for various sectors, including:

  • Government entities: All levels of Australian government, including federal departments, state agencies, and local councils, typically require IRAP assessments for systems handling sensitive or classified information.
  • Cloud and ICT vendors: Organizations offering cloud-based solutions or ICT services to government or regulated sectors must undergo IRAP assessments. This includes cloud service providers (CSPs), SaaS vendors, infrastructure providers, and third-party partners working with or on behalf of government customers.

Why is IRAP assessment important?

  • Trust and credibility: IRAP assessment demonstrates that an organization complies with robust Australian Government security standards. It builds trust, enhances credibility, and demonstrates a commitment to safeguarding sensitive information, which is crucial for public sector engagement.
  • Government compliance: For businesses seeking contracts with Australian government agencies, IRAP assessment is often a mandatory requirement, particularly for systems managing sensitive or classified data. It opens doors to significant market opportunities within the public sector.
  • Enhanced security posture: Completing IRAP assessment involves implementing robust security controls based on ISM and PSPF standards. This drives stronger risk management, improves visibility into vulnerabilities, and helps organizations establish robust, repeatable security practices.

How does IRAP compare to FedRAMP and ISO 27001?

IRAP, FedRAMP, and ISO 27001 are widely recognized frameworks that help organizations demonstrate the strength of their security controls. While all three aim to reduce risk and ensure proper information security management, they differ significantly in purpose, scope, and regional application.

  • IRAP is designed specifically for Australia and focuses on aligning with the Australian Government’s information security manual (ISM) and protective security policy framework (PSPF).
  • FedRAMP is the U.S. federal government’s standardized approach to evaluating cloud service providers based on NIST security controls.
  • ISO 27001 is an internationally recognized standard that provides a framework for building and maintaining an information security management system.

The table below provides a high-level comparison of these three frameworks:

| Feature/Aspect | IRAP | FedRAMP | ISO 27001 |
|---|---|---|---|
| Region of applicability | Australia | United States | Global |
| Purpose | Assesses ICT/cloud services for compliance with Australian Government security standards | Authorizes cloud services for U.S. federal agencies | Provides a globally recognized ISMS framework |
| Standards used | ISM, PSPF | NIST SP 800-53 | ISO/IEC 27001 |
| Certification level | Up to PROTECTED (and higher, case-by-case) | Low, Moderate, High impact levels | ISMS implementation and audit |
| Assessment method | Independent IRAP assessor | 3PAO + FedRAMP ATO process | Independent accredited auditor |
| Mandate | Required for government systems processing sensitive/classified info | Required for U.S. federal cloud contracts | Often voluntary; may be mandated by partners or regulators |
| Certification output | Security assessment report (SAR) | FedRAMP authorization to operate (ATO) | ISO 27001 certificate |

What is IRAP Protected-level assessment?

The Australian Government classifies information into four main sensitivity levels: UNCLASSIFIED, PROTECTED, SECRET, and TOP SECRET. Each level requires progressively more stringent security controls, as defined in ISM and PSPF standards. These controls guide how information must be stored, accessed, transmitted, and protected.

  • UNCLASSIFIED: Information that does not require special handling but may still be sensitive in nature. Systems handling unclassified data may be subject to baseline security measures but are not typically required to undergo IRAP assessment.
  • PROTECTED: Highly sensitive government information that, if compromised, could cause damage to the national interest, individuals, or organizations. Most commercial IRAP assessments are performed at this level. A successful IRAP assessment at the PROTECTED level confirms that the system implements appropriate technical and procedural safeguards to securely handle such data.
  • SECRET: Information that, if compromised, could cause serious damage to national security. Assessments at this level are rare and typically reserved for systems developed or operated within government or defense environments.
  • TOP SECRET: Information that, if compromised, could cause exceptionally grave damage to national security. This classification level involves the most rigorous security controls, including specialized infrastructure and highly restricted access.

While IRAP assessors are qualified to assess systems up to SECRET and even TOP SECRET in some cases, the PROTECTED level is the most relevant and broadly applicable classification for commercial cloud and SaaS providers working with Australian public sector customers.

What are the steps in the IRAP assessment process?

The IRAP assessment process follows a structured approach designed to identify risks and ensure alignment with Australian Government security standards:

  1. Engage an IRAP assessor: Select an ASD-endorsed assessor with domain expertise relevant to your operating environment and security requirements.
  2. Perform the security assessment: The assessor evaluates the system’s controls through documentation review, technical testing, and stakeholder interviews, with reference to ISM and PSPF standards.
  3. Generate the security assessment report (SAR): The assessor presents a comprehensive report that outlines the system’s compliance status, risks, control gaps, and remediation recommendations.
  4. Remediate and finalize: The organization addresses identified issues and submits an updated system for re-evaluation. Once complete, the SAR can be shared with government customers to support procurement decisions.

What are the benefits of using IRAP-assessed services?

Organizations that leverage IRAP-assessed services gain a range of strategic and operational advantages:

  • Security assurance: Systems have been independently assessed against the Australian Government’s most stringent cybersecurity frameworks (ISM and PSPF), giving agencies and partners greater confidence in their security posture.
  • Improved risk management: The assessment process helps identify security gaps and areas for improvement, resulting in stronger controls and more mature security practices.
  • Streamlined procurement: For public sector buyers, engaging with IRAP-assessed vendors simplifies the procurement process by reducing the need for duplicative security reviews.
  • Market differentiation: Service providers that have completed an IRAP assessment are better positioned to compete for government and critical infrastructure contracts, where security alignment is a key requirement.
  • Regulatory alignment: IRAP controls often overlap with other standards and industry regulations, such as ISO 27001 and PCI-DSS, helping streamline broader compliance efforts.
  • Reduced cyber risk: The rigorous assessment process strengthens both technical and procedural safeguards, contributing to improved threat prevention, detection, and response capabilities.

What does CyberArk’s IRAP Protected-level assessment mean for customers?

CyberArk has successfully completed an IRAP assessment at the PROTECTED classification level, which evaluates both the design and operational effectiveness of security controls. This assessment confirms that CyberArk’s SaaS offerings — including CyberArk Endpoint Privilege Manager and CyberArk Workforce Identity, with additional capabilities to be added in the future — meet the stringent requirements outlined in the Australian Government’s information security manual (ISM) and protective security policy framework (PSPF).

As Australian government agencies accelerate their digital modernization and adopt cloud-first strategies, identity security has become critical to protecting high-value assets and services. The IRAP assessment assures that CyberArk’s solutions are well-equipped to defend against identity-centric attacks and aligned with national cybersecurity mandates.

This achievement demonstrates CyberArk’s commitment to providing the highest level of security for public sector organizations and critical infrastructure, enabling customers to securely manage access for all identities — human, AI, or machine — across hybrid and cloud environments.
