FAQs
IRAP is the acronym for the Information Security Registered Assessors Program.
What are the Key Components of an IRAP Assessment?
The IRAP is an initiative of the Australian Signals Directorate (ASD), which is part of the Australian Cyber Security Centre (ACSC).
Purpose: Its primary goal is to provide a comprehensive, independent assessment of a system's security controls to determine if they meet the standards required for handling sensitive Australian Government information.
The Frameworks Used: The assessment is conducted against the mandatory security controls and guidelines outlined in the Australian Government Information Security Manual (ISM) and, for government entities, the Protective Security Policy Framework (PSPF).
The Assessors: Only ASD-endorsed IRAP Assessors—highly qualified cybersecurity professionals—are authorized to perform these assessments. They maintain an in-depth understanding of the ISM.
The Outcome (Not a Certification): An IRAP Assessment does not result in a formal "certification" or "Authority to Operate" (ATO). Instead, it produces an IRAP Assessment Report that:
Outlines the scope of the assessment.
Identifies the security strengths and weaknesses (compliance gaps).
Details the security risks associated with the system's operation.
Provides recommendations for remediation.
The report is then used by the relevant government agency's Authorizing Officer to make an informed, risk-based decision about whether to approve the system for use (i.e., grant the Authority to Operate).
Who Needs an IRAP Assessment?
It is mandatory for:
All government agencies using cloud services or Managed Service Providers (MSPs) to process, store, or communicate government information (classified up to and including PROTECTED).
Any Cloud Service Provider (CSP) or organisation seeking to win contracts with the Australian Government to host or manage their sensitive data.
Can you perform both the Readiness Service and the Final Audit?
No. Due to strict conflict of interest rules imposed by the IRAP program, we can only provide one of the two services (Readiness or Audit) to the same organization for the same system. This ensures the integrity and independence of your final audit.
Which service should we choose first?
If you are new to ISM compliance or have not been audited in over two years, we strongly recommend starting with the IRAP Readiness Service to identify and fix critical issues before engaging any external auditor.
How long does an IRAP Audit take?
The duration varies significantly based on the complexity and size of the system, and the target data classification (e.g., OFFICIAL: Sensitive vs. PROTECTED). Readiness can take 3-12 months; the final audit usually takes 4-8 weeks, plus reporting time.
What is an Authority To Operate (ATO)?
The ATO is the final, formal decision made by a government authorizing officer that your system is secure enough to store, process, or communicate government data. The IRAP Audit Report is the primary input for this decision.