Service · IRAP

IRAP readiness: prepare properly for independent assessment.

SecureSupply helps government suppliers, technology providers and system owners define the assessment boundary, close readiness gaps, organise evidence and coordinate the engagement with an independent ASD-endorsed IRAP assessor.

SecureSupply is not ASD-endorsed. We help prepare and coordinate the engagement; an independent ASD-endorsed IRAP assessor conducts the formal assessment and issues the assessment report.

IRAP is not certification.

An IRAP assessor does not accredit, certify, approve, endorse or register a system on behalf of ASD or the Australian Government. Completing an assessment does not mean the system is automatically compliant or secure. The report equips the relevant authorising officer to decide whether the residual risks are acceptable for the intended use.

Built for government-facing systems

IRAP readiness for organisations that need to withstand scrutiny.

Many organisations approach IRAP with security controls in place, but no settled system boundary, incomplete documentation and evidence spread across internal teams, cloud providers and managed service partners. The issue is rarely one technical gap. It is whether the organisation can explain the system, show who owns each control and present evidence that can be tested by the independent assessor.

Define the system and the decision the assessment must support.

IRAP assesses a defined ICT system or service. It does not assess the whole company by default.

SecureSupply helps clarify the intended use, information classification, government customer requirements, hosting model, environments, data flows, external dependencies and shared security responsibilities. This establishes what is in scope, what is out of scope and why.

Establish readiness before formal testing starts.

An assessment becomes slower and more expensive when documentation is incomplete, responsibilities are unclear or evidence cannot be produced.

We review the system security plan, architecture and data-flow diagrams, risk material, security procedures, incident response arrangements, continuous monitoring approach, change and configuration controls, service-provider artefacts and previous assessment findings. We then identify what must be corrected, completed or evidenced before the formal assessment begins.

Preserve independence and avoid conflicted delivery.

The formal assessment must be objective and independent. An assessor cannot simply validate security work that they designed or implemented.

SecureSupply defines readiness, remediation, coordination and formal assessment roles at the outset. We prepare the client and coordinate access, evidence and engagement logistics, while the formal assessment remains the responsibility of an independent ASD-endorsed IRAP assessor.

Test operating reality, not policy statements.

IRAP is evidence-based. The assessor may examine documents and configurations, interview personnel and test security mechanisms and operating activities.

A policy that says a control exists is not the same as evidence that the control is correctly implemented and operating as intended. We help teams assemble evidence that is relevant, current and ready for independent technical scrutiny.

Produce findings that executives and technical teams can use.

A useful assessment does more than produce a list of controls. It explains the system boundary, the security strengths and weaknesses, the evidence examined, the effectiveness of control implementation, the limitations of the assessment and the work required to address weaknesses.

The formal report should give authorising officers, system owners and risk owners a clear basis for decision-making, while giving technical teams enough detail to act. SecureSupply helps the client understand and respond to those findings without substituting its judgement for that of the assessor.

Turn the assessment into an authorisation and remediation pathway.

An IRAP assessment informs a risk decision; it does not make that decision.

After the independent assessment, SecureSupply can help translate findings into a prioritised plan of action and milestones, updated security documentation and a coherent authorisation package. This keeps remediation tied to the intended use of the system rather than turning the exercise into unfocused compliance activity.

What IRAP is

Independent assessment against Australian Government security requirements.

The Infosec Registered Assessors Program is administered by the Australian Signals Directorate. ASD endorses qualified ICT security professionals to conduct independent assessments of systems and services against applicable controls from the Information Security Manual and other relevant Australian Government security guidance.

IRAP assessors can assess ICT systems, cloud services, gateways and specialised government network connections at SECRET and below. The scope and depth of an assessment depend on the system, its intended use, the information it handles and the assurance required.

The assessment is specific to the stated system boundary and the evidence available at the time. Material changes to architecture, services, configurations, information flows or operating responsibilities may require further assessment.

Who needs it

Systems and services used by government and Defence.

IRAP is relevant when a government customer, contract, procurement process or authorisation framework requires independent evidence about the security of a defined system or service.

  • Government entities preparing to authorise a non-classified, OFFICIAL: Sensitive, PROTECTED or SECRET system.
  • Cloud, SaaS, platform and managed service providers seeking to supply services to Australian Government customers.
  • Providers of gateways or specialised government connectivity.
  • Defence industry suppliers whose contracts or customer security requirements call for formal system assessment.
  • Organisations seeking independent assessment to support procurement, customer assurance or a material cyber-risk decision.

Not every Defence supplier, DISP member or technology product needs an IRAP assessment. The requirement depends on the system, the information involved, the contract, the consuming agency and the intended authorisation decision.

IRAP and DISP

Different obligations, often connected.

DISP and IRAP are related, but they are not interchangeable.

DISP considers whether an organisation can meet Defence security obligations across governance, personnel, physical and information/cyber security domains. IRAP assesses the security controls protecting a defined ICT system or service.

DISP membership does not automatically make a system IRAP-assessed. An IRAP assessment does not replace DISP membership or address the full set of organisational security obligations.

SecureSupply helps clients determine which obligation applies, where the boundaries intersect and how to sequence readiness, independent assessment and DISP activity without duplicating effort.

The readiness and assessment pathway

Preparation, coordination and independent assessment.

SecureSupply supports planning, boundary definition, evidence preparation and engagement coordination. The formal control assessment and assessment report are completed independently by an ASD-endorsed IRAP assessor.

Step 01

Plan the engagement

SecureSupply confirms the intended decision, client stakeholders, target framework, likely assessor needs, dependencies, timeframes and evidence responsibilities. We also make the service roles explicit so readiness support is separated from formal assessment.

Step 02

Define the boundary and prepare evidence

SecureSupply helps validate the systems, services, environments, devices, locations, data flows, dependencies and shared responsibilities in scope. We organise the evidence set, identify gaps and coordinate readiness actions before assessor time is committed.

Step 03

Coordinate the independent assessment

SecureSupply coordinates access, evidence exchange, interviews, demonstrations and issue clarification. The ASD-endorsed IRAP assessor independently examines documentation and configurations, interviews personnel, tests controls and determines the formal findings.

Step 04

Respond to the assessment

The independent assessor produces the Security Assessment Report and controls matrix. SecureSupply can help the client interpret findings, prioritise remediation, update documentation and prepare inputs for the authorisation decision.

What may be assessed

What the evidence may need to prove.

The applicable controls depend on the system and assessment boundary. Evidence may need to address:

  • System ownership, governance, risk management and security responsibilities.
  • Architecture, environments, data flows, interfaces and external dependencies.
  • Identity, access control and privileged access management.
  • System hardening, vulnerability management, patching and secure configuration.
  • Logging, monitoring, detection and security event management.
  • Incident response, backup, recovery and continuity arrangements.
  • Cryptography, key management and protection of data at rest and in transit.
  • Cloud and managed-service shared responsibilities, including inherited controls.
  • Change management, configuration management and continuous monitoring.
  • Relevant personnel, physical and supply-chain dependencies.

The assessor assesses what is implemented. Planned improvements can be acknowledged, but they do not substitute for controls that are operating and supported by evidence.

What the engagement produces

Readiness outputs and independent assessment artefacts.

Depending on scope, the engagement may produce:

  • A SecureSupply readiness review identifying documentation, evidence, ownership and implementation gaps before formal assessment.
  • An agreed assessment boundary, evidence register, responsibility map and prioritised readiness actions.
  • Coordinated access to the independent ASD-endorsed IRAP assessor, including evidence exchange, interviews and assessment logistics.
  • A formal IRAP Security Assessment Report or IRAP Cloud Security Assessment Report issued by the independent assessor.
  • A controls matrix or cloud controls matrix documenting the assessor's findings on applicable controls.
  • A post-assessment remediation plan and inputs to the broader system authorisation package, where requested.

SecureSupply does not issue the formal IRAP report or controls matrix. Those artefacts are produced by the independent ASD-endorsed assessor. SecureSupply supports the client in preparing for the assessment and acting on its findings.

Cloud and shared services

A provider's IRAP report does not assess your configuration.

Cloud and SaaS environments use a layered assurance model.

A cloud infrastructure provider may have an assessment covering its infrastructure responsibilities. A SaaS provider may have a separate assessment covering the service layer. The consuming organisation remains responsible for its own configuration, identities, integrations, data handling, monitoring and operating processes.

SecureSupply helps map these layers, identify inherited controls and show where the customer, SaaS provider, managed service provider and infrastructure provider each retain responsibility. This prevents a common error: assuming that a vendor's IRAP assessment automatically covers the way your organisation has designed and operates the solution.

Why SecureSupply

Executive and technical assurance in one engagement.

Scope before cost

IRAP readiness sits at the intersection of system engineering, cyber security, governance and executive risk acceptance. Treating it as a document exercise creates weak evidence, avoidable rework and a poor use of assessor time.

Evidence before assertion

We focus on how controls work and how that can be demonstrated. Policies, diagrams, configurations, logs, tickets, records, interviews and tests must tell a consistent story.

Clear communication across the organisation

We translate between executive risk owners and technical teams, so the assessment is understood, the evidence is credible and the findings can actually be acted on.

Proportionate work, not unnecessary uplift

The objective is not to build the most elaborate security environment. It is to implement and evidence controls that are appropriate to the system, information, threat and customer requirement.

Support beyond the report

Where independence requirements permit, SecureSupply can support remediation planning, evidence improvement, authorisation documentation, delta assessment preparation and ongoing security assurance.

Questions

Common questions about IRAP.

SecureSupply supports readiness, remediation planning, evidence improvement, authorisation documentation and assessment coordination. The independent assessor retains responsibility for formal testing, control conclusions and the assessment report.

No. IRAP is an assessor program and an assessment process. The assessor reports on a defined system and the effectiveness of applicable controls. The relevant authorising officer decides whether to accept the residual risk and authorise the system for use.

Not in every case. It may be required by the consuming agency, the contract, the procurement process, a gateway or cloud requirement, or the system authorisation approach. Confirm the requirement before committing to a full assessment.

Only for the provider responsibilities and services covered by that assessment. Your configuration, identities, integrations, operating procedures and other customer responsibilities still need to be addressed. The provider report should be used as an input, not treated as blanket coverage.

No. SecureSupply provides IRAP readiness and assessment coordination. We help define scope, prepare documentation and evidence, manage readiness actions and coordinate the engagement. The formal assessment, control findings and assessment report are completed independently by an ASD-endorsed IRAP assessor.

The formal IRAP assessor must remain independent and manage conflicts of interest. A person who designed or implemented the system or controls may not be able to assess that same work. Roles should be settled before readiness activity begins.

Not necessarily. The applicable control set and assessment boundary are agreed for the system and intended use. The report must make clear what was assessed, what was excluded and what evidence was available.

IRAP assessors can provide assessments for non-classified, OFFICIAL: Sensitive, PROTECTED and SECRET systems. TOP SECRET systems require assessment by ASD assessors or their delegates.

There is no reliable standard duration. Time depends on scope, system complexity, number of environments and services, evidence quality, stakeholder availability, testing depth and the maturity of the documentation. Preparation is the main controllable factor.

There is no universal expiry rule for every assessment. Currency depends on the customer requirement, the system's changes, the relevant ISM release and the risk environment. Some cloud and government requirements specify recency expectations. Material change may require a delta assessment, addendum or new report.

Clarify the decision the assessment must support. Then define the system boundary, information classification, customer requirement, service dependencies and control ownership. Do not start by buying tools or writing generic policies.

Get on the front foot

Build the evidence before the assessment clock starts.

IRAP is most efficient when the system boundary, documentation, control ownership and evidence are settled before formal assessment begins. Late discovery of boundary gaps, inherited cloud controls, missing evidence or conflicted roles can delay procurement and system authorisation. SecureSupply helps you establish a defensible boundary, get the evidence into order and coordinate an efficient engagement with an independent ASD-endorsed IRAP assessor.