Information Security Registered Assessors Program
The ASD-endorsed program that certifies cybersecurity professionals to assess ICT systems against the ISM.
What IRAP actually is.
IRAP is the ASD program that trains and authorises cybersecurity professionals to conduct independent security assessments of ICT systems against the ISM. Assessments are a prerequisite for systems that process Australian Government information at OFFICIAL: Sensitive or higher, and they are commonly used by cloud providers and SaaS vendors seeking to host Commonwealth workloads. An IRAP assessment produces a Security Assessment Report; the Authorising Officer then accepts residual risk through an Authority to Operate.
Applies to any cloud service or system proposed for use by a Commonwealth entity at OFFICIAL: Sensitive or PROTECTED. IRAP is also often adopted by state and territory governments, critical-infrastructure operators and defence suppliers.
The control areas the framework covers.
Summary of the control families and outcomes the framework drives. Always validate against the official publication for the authoritative wording.
01 Scope definition: Define the system boundary, data flows and classification before assessment begins.
02 Stage 1 assessment: Design-stage review of whether the proposed controls adequately protect the classified data.
03 Stage 2 assessment: Operational review of implemented controls - evidence, testing and residual risk identification.
04 Security assessment report: Formal report for the system owner and Authorising Officer, aligned to ISM controls.
Read it from the issuing body.
For anything with a regulator or certification body behind it, the authoritative text is what counts - not our summary.
Information Security Registered Assessors Program
cyber.gov.au/irap
Content on this page is a plain-language summary for programme planning. It is not legal or regulatory advice, and it does not replace a current copy of the issuer's publication.
How Vectra delivers against IRAP.
Assessment, engineering and operational services that line up with the framework's control areas.
IRAP Assessment
PROTECTED-certified assessors for Australian government and regulated entities.
ASD Essential Eight
Reach Maturity Level 3 across the ACSC's eight prioritised mitigation strategies.
Managed Detection & Response
Sovereign Australian XDR powered by nine global SOCs, AWS Australia hosting and 24x7 human-verified response.
Where IRAP shows up.
Sectors where Vectra most commonly applies this framework.
Government
IRAP-assessed, PROTECTED-cleared cybersecurity for Commonwealth, state and local agencies operating under the ISM and PSPF.
Critical Infrastructure
SOCI Act-aligned OT/ICS cybersecurity for energy, water, telecommunications, transport and data-storage operators.
Banking & Finance
APRA CPS 234 and CPS 230 aligned cybersecurity for banks, insurers, superannuation funds and RSE licensees.
Security, engineered around you.
Talk to an engineer - not a call centre. Most Vectra conversations start with a 30-minute technical briefing and end with a written plan.