What is IRAP (Infosec Registered Assessors Program)

The logo of IRAP.

What is IRAP?

IRAP stands for Information Security Registered Assessors Program. It is a government-led program in Australia that endorses individuals from the private and public sectors to provide security assessment services to the Australian government. IRAP assessors are ASD-certified ICT professionals who have the necessary experience and qualifications in ICT, security assessment and risk management, and a detailed knowledge of ASD’s Information Security Manual.

The Infosec Registered Assessors Program (IRAP) ensures entities can access high-quality security assessment services.

Sekuro IRAP Services

The Infosec Registered Assessor Program (IRAP) is an initiative by the Australian Signals Directorate (ASD) to provide high quality Information and Communications Technology (ICT) security assessment services to Australian Government and Industry.

Sekuro’s IRAP Assessors are endorsed by the ASD, who ensure suitably-qualified cyber security professionals can assist in navigating the Information Security Manual (ISM), Protective Security Policy Framework (PSPF) and other Australian Government Guidance.

Why choose Sekuro to be your IRAP Assessor?

Sekuro is one of the most experienced and respected IRAP Assessors in Australia. A large number of Australian and International organisations have chosen Sekuro to be their IRAP partner.

  • Sekuro Assessors conduct independent IRAP assessments up to the SECRET classification as defined in the Protective Security Policy Framework (PSPF).
  • Demonstrated ability to advise on your organisation’s risk posture regarding the latest control requirements stipulated within the most recent ISM Version.
  • Sekuro Assessors provide ongoing support and assist with continuous improvement in aligning to the most recent ISM Version.
  • Sekuro Assessors support you in improving their cyber security maturity in an evolving threat landscape.
  • Our Assessors inform you on the latest updates and guidance from the Australian Cyber Security Centre (ACSC).

The IRAP Assessment will help give local, state, and federal government agencies and organizations the reassurance they need to feel comfortable leveraging the Shibumi platform to support the government’s most critical programs of work,” said Bob Nahmias, Founder and CEO of Shibumi.

Dynatrace, a software intelligence company, achieves IRAP certification with Sekuro for its Dynatrace® Platform.

Dynatrace has achieved the Australian Government security status of “PROTECTED”. This enables Dynatrace to serve Australian government customers with the Dynatrace® Platform to provide AI-powered observability, automation, and optimisation for complex cloud environments, improving performance, security, and user experience.

Read more about our work together.

“The successful completion of this IRAP assessment now allows us to expand our ability to work with both public sector organisations and commercial businesses which require the higher ‘PROTECTED’ status to have been reached,” said Rafi Katanasho, Chief Technology Officer and VP Solution Engineering APAC, Dynatrace. “We’ll now be able to provide the robust cloud capabilities they require to gain accurate and informed data insight in real time to make better business decisions.”

Sekuro IRAP Assessors

Sekuro’s IRAP Assessors have unique skill sets and have provided guidance for Defence, Federal Government, telecommunications, multi-national entities or other organisations looking to do business in Australia, and various cloud service providers.

Our Assessors meet the stringent prerequisites required to be an IRAP Assessor.

These include:

  • Extensive ISM experience
  • NV1 clearance or above
  • Industry recognised certifications

How do Sekuro IRAP Assessors Assist and Guide?

Sekuro’s IRAP Assessors assist in securing your systems and data by independently assessing your cyber security posture, identifying security risks and suggesting mitigation measures.

Our Assessors clearly define the scope of work and provide unbiased and independent outcomes for your environment. Upon the completion of an IRAP Assessment, Sekuro will provide you with the following:

  • Cloud Security Controls Matrix which details the implementation status of controls from the Information Security Manual.
  • Cloud Security Assessment report.
  • An IRAP Letter of completion.

Sekuro’s IRAP Assessors do not endorse, accredit, certify, or register systems on behalf of the ASD.

What is an IRAP Assessment?

An IRAP assessment is an independent assessment of the implementation, appropriateness, and effectiveness of a system’s security controls. The assessment is conducted against the Australian government’s security requirements, as outlined in the Information Security Manual (ISM) and Protective Security Policy Framework (PSPF).

The results of an IRAP assessment can help organisations to:

  • Identify and mitigate security risks
  • Improve their security posture
  • Demonstrate compliance with Australian government security requirements
  • Gain confidence in the security of their systems and data

If you are an organisation that handles Australian government data, you may be required to undergo an IRAP assessment.

Liaising with the ACSC

We commonly liaise with agencies and/or ACSC on behalf of our clients to:

  • Advise ACSC on customers’ certification requirements.
  • Discuss assessment report findings, provide details on specific services recommended for certification.
  • Discuss the value these services will bring to the Australian Government.


All that we do helps make the entire process easier for our customers.

IRAP FAQ

An IRAP assessment is an independent assessment of the implementation, appropriateness and effectiveness of a system’s security controls.

The assessment is conducted by an IRAP assessor, who is a cyber security professional endorsed by the Australian Signals Directorate (ASD) to provide security assessment services for systems that handle information up to SECRET level.

The assessment is based on the Australian government’s security requirements, as outlined in the Information Security Manual (ISM) and Protective Security Policy Framework (PSPF). The assessment aims to identify security risks and suggest mitigation measures for the system. The assessment outcomes are documented in a security assessment report, which is used by consumers to conduct their own assessment and authorisation of the system’s suitability for their security needs and risk appetite.

An IRAP assessment follows four stages: plan and prepare, define the scope of the assessment, assess the security controls, and produce the security assessment report and security controls matrix.

An IRAP assessment is a process that evaluates the security and privacy of a system or service against the Australian Government Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF). The IRAP assessment is conducted by an independent assessor who is certified by the Australian Signals Directorate (ASD).

The duration of an IRAP assessment depends on several factors, such as the complexity and scope of the system or service, the availability and quality of documentation, the level of engagement and cooperation from the system owner and stakeholders, and the number and severity of findings and recommendations.

According to the ASD, a typical IRAP assessment can take anywhere from four to 12 weeks, but some may take longer depending on the circumstances. The IRAP assessment consists of four phases: scoping, testing, reporting, and certification. Each phase can vary in length depending on the specific requirements and challenges of the system or service being assessed.

To prepare for an IRAP assessment, you need to follow these steps:

- Identify the system or service that you want to assess and its security classification level.
- Contact an IRAP assessor who is certified by the ASD and has experience in assessing similar systems or services.
- Define the scope and objectives of the assessment with the IRAP assessor and agree on the terms of reference, timeline, and deliverables.
- Provide the IRAP assessor with all the relevant documentation and evidence that demonstrate how your system or service meets the ISM and PSPF requirements.
- Facilitate the IRAP assessor's access to your system or service and support them during the testing phase.
- Review the draft IRAP assessment report and provide feedback to the IRAP assessor.
- Implement the IRAP assessor's recommendations and remediate any findings or gaps identified in the report.
- Obtain the certification from the ASD or an authorised delegate that confirms your system or service is compliant with the ISM and PSPF.

The ISM and PSPF are two frameworks that guide the security and privacy of Australian Government information and systems.

The ISM stands for the Information Security Manual, which is a set of mandatory and non-mandatory controls that help protect information from cyber threats. The ISM covers topics such as governance, risk management, access control, encryption, incident response, and auditing.

The PSPF stands for the Protective Security Policy Framework, which is a set of mandatory requirements and guidance that help protect people, information, and assets from physical, personnel, and governance risks. The PSPF covers topics such as security culture, vetting, classification, storage, disposal, and reporting.

Both the ISM and PSPF are updated regularly by the ASD to reflect the changing threat environment and best practices. They are aligned with each other and with international standards such as ISO 27001 and ISO 31000.

The ISM and PSPF are updated regularly by the ASD to reflect the changing threat environment and best practices. They are aligned with each other and with international standards such as ISO 27001 and ISO 31000.

The ISM is updated twice a year, usually in March and December. The latest version of the ISM was released in March 2024. The ASD publishes a summary of the changes for each update on its website. The ISM is also available in the Open Security Controls Assessment Language (OSCAL) format.

The PSPF is updated as needed, depending on the feedback from stakeholders and the security risk context. The latest version of the PSPF was released in October 2020. The ASD provides guidance on how to report on the maturity and effectiveness of the PSPF implementation on its website.

Already know what you are after?

Get a quick quote from our consultants.

Scroll to Top

Aidan Tudehope

Co-Founder of Macquarie Technology

Aidan Tudehope, Co-Founder of Macquarie Technology

Aidan is co-founder of Macquarie Telecom and has been a director since 1992. He is the Managing Director of Macquarie Government & Hosting Group with a focus on business growth, cyber security and customer satisfaction. 

Aidan has been responsible for the strategy and execution of the investment in Intellicentre 4 & 5 Bunkers, Macquarie Government’s own purpose-built Canberra data centre campus. This facility is leveraged to deliver Secure Cloud Services and Secure Internet Gateway.

With a unique pan-government view on the cyber security landscape, we are invested in leading the contribution from the Australian industry on all matters Cyber policy related.

Aidan holds a Bachelor of Commerce Degree.

James Ng

CISO, Insignia Financial

James Ng, CISO, Insignia Financial

James is a leader with a range of experience across various cyber security, technology risk and audit domains, bringing a global lens across a diverse background in financial services, telecommunications, entertainment, consulting and FMCG (Fast Moving Consumer Goods). He is currently the General Manager – Cyber Security at Insignia Financial and most recently was at AARNet (Australia’s Academic and Research Network) where he oversaw a managed Security Operations Centre (SOC) capability for Australian universities. Prior to this James was the acting Chief Information Security Officer for Belong and led the cyber governance and risk team at Telstra.

Noel Allnutt

CEO, Sekuro

Noel Allnutt CEO | Sekuro

Noel is a driven and award-winning IT leader. He has a passion for developing great teams and accelerating client innovation, and in enabling organisations to create a secure and sustainable competitive advantage in the digital economy. Noel also hosts the ‘Building Resilience Podcast,’ which explores the world of sport and deconstructs the tools and ethos of world-class athletes that can help create growth and optimise business and life.

Audrey Jacquemart

Bid Manager, Sekuro

Audrey Jacquemart, Bid Manager, Sekuro

Audrey is an innovative cybersecurity professional with a versatile profile spanning across Product Management, Presales and Delivery. She has worked within organisations from start-ups to large international organisations in Europe and APAC before joining Sekuro.

Nicolas Brahim

Principal Consultant, CRP and OT

Nicolas Brahim, Principal Consultant, CRP and OT

Nico leads Sekuro’s Cyber Resilience Program and OT Cybersecurity, ensuring continuous support and effective program execution for our clients. With over a decade in the security industry, including the creation and leadership of several Security Programs for IT and OT across Australia, New Zealand, Argentina, Chile and the US, his core philosophy emphasises an equal balance of people, process, and technology in delivering actionable and simple solutions.

Trent Jerome

Chief Financial Officer, Sekuro

Trent Jerome

Trent is a seasoned CFO with over 30 years’ experience in Finance. Trent has broad experiences across Capital raises, debt financing, M&A and business transformation. He is a CPA and member of AICD. Trent works with Boards around risk and risk mitigation plans and assists Boards in navigating the risk mitigation versus cost conversation.

Ada Guan

CEO and Board Director, Rich Data Co

Ada Guan, CEO and Board Director, Rich Data Co

Ada is the CEO and Co-founder of Rich Data Co (RDC). RDC AI Decisioning platform provides banks the ability to make high-quality business and commercial lending decisions efficiently and safely. With over 20 years of global experience in financial services, software, and retail industries, Ada is passionate about driving financial inclusion at a global scale.

Before launching RDC in 2016, Ada led a Global Client Advisor team at Oracle Corporation, where she advised Board and C-level executives in some of the largest banks globally on digital disruption and fintech strategy. She also drove Oracle’s thought leadership in banking digital transformation for Global Key Accounts. Previously, Ada implemented a multi-million dollar program to deliver a mission-critical services layer for Westpac Bank in Australia and formulated the IT strategy that was the basis of an $800m investment program to transform Westpac’s Product and Operation division and complete the merger with St. George Bank. Ada is an INSEAD certified international director and holds an EMBA from the Australia Graduate School of Management, and a Master of Computer Engineering from the University of New South Wales, Australia. She also graduated from the Executive Insight Program at Michigan University Ross Business School and IESE Business School.

Megan Motto

Chief Executive Officer, Governance Institute of Australia

Megan Motto, CEO, Governance Institute of Australia

Megan Motto is Chief Executive Officer of Governance Institute of Australia, a national education provider, professional association and leading authority on governance and risk management. The Institute advocates on behalf of professionals from the listed, unlisted, public and not-for profit sectors.

Megan has over 25 years of experience with large associations, as a former CEO of Consult Australia, as well as holding significant positions in Australia’s built environment sector and business chambers.

She is currently a director of Standards Australia, a member of the ASIC Corporate Governance Consultative Panel and a councillor of the Australian Chamber of Commerce and Industry (ACCI) where she chairs the Data, Digital and Cyber Security Forum.

Megan’s expertise spans governance, risk management, public policy and education. She holds a Bachelor of Arts/Bachelor of Education, a Masters of Communication Management and a Graduate Diploma of Corporate Governance and Risk Management. She is a Fellow of the Governance Institute of Australia, the Chartered Governance Institute and the Australian Institute of Company Directors and is also a member of Chief Executive Women. Megan is also an Honorary Life Trustee of the Committee for Economic Development of Australia (CEDA) and was a 2014 recipient of the AFR/Westpac 100 Women of Influence.

Shamane Tan

Chief Growth Officer, Sekuro

Shamane Tan, Chief Growth Officer, Sekuro

Sekuro’s Chief Growth Officer, Shamane Tan, is passionate about uniting minds and experiences, excelling in aligning C-Suite and Board members with cyber security imperatives. As the author of “Cyber Risk Leaders,” she unravels executive communication nuances and distils C-Suite expectations. 

Her work extends to “Cyber Mayday and the Day After,” a roadmap for navigating crises by mining the wisdom of C-level executives from around the globe. It’s filled with interviews with managers and leaders who’ve braved the crucible and lived to tell the tale. Her most recent book, “Building a Cyber Resilience: A Cyber Handbook for Executives and Boards,” was featured on Forbes Australia’s top list of books for CEOs. 

Shamane has also founded a transcontinental cyber risk and executive meetup spanning Sydney, Melbourne, Adelaide, Perth, Singapore, the Philippines, and Tokyo, fostering mentorship, women’s empowerment and thought leadership. As a strong advocate for the importance of having a voice and helping others use theirs, Shamane Tan has spoken at TEDx and global conferences, including FS-ISAC, RSA, Silicon Valley, Fortune 500 and ASX companies. 

Recipient of the IFSEC Global Top 20 Cybersecurity Influencer award and named among the 40 under 40 Most Influential Asian-Australians, Shamane leverages her unique fusion of technical prowess and business acumen to help organisations progress on their security maturity journey.

David Gee

David Gee, CIO, CISO, NED, Board Advisor & Author

 

David Gee, CIO, CISO, NED, Board Advisor & Author

David has just retired in July 2024 and is building out his portfolio. He is an Advisor with Bain Advisory Network and also an Advisor to JS Careers (Cyber Recruitment) and Emertel (Software Commercialisation).

He is a seasoned technology executive with significant experience and has over 25 years’ experience in CIO and CISO roles across different industries and countries. At Macquarie Group David served as Global Head Technology, Cyber and Data Risk. Previously was CISO for HSBC Asia Pacific. His career as a CIO spans across multiple industries and geographies including – Metlife, Eli Lilly and Credit Union Australia. He was winner CIO of the Year 2014, at CUA where he successfully completed a significant Transformation of Core Banking, Online and Mobile Banking systems.

David is past Chairman for the FS-ISAC Strategy Committee and awarded Global Leaders Award in 2023 for his contributions to the cyber security industry. A regular conference keynote speaker and 150+ published articles for CIO Australia, Computerworld, iTnews and CSO (Cyber Security), David now writes for Foundry CIO.com and AICD.

His most recent book – the Aspiring CIO & CISO was published in June 2024 and David is writing his second – A Day in the Life of a CISO with a number of CISOs from around the world for 2025.

Naomi Simson

Co-founder, Big Red Group and Former Shark Tank Judge

Naomi Simson, Co-founder, Big Red Group

INTRODUCTION

For 25 years as an entrepreneur, Naomi Simson has been bringing people together whether it’s with her business experience, her speaking or writing. Passionate about small business and local community, Naomi is considered a home grown success story.

Naomi had a corporate career with Apple, KPMG, IBM and Ansett Australia prior to becoming an entrepreneur. She is a prolific blogger, podcaster and business commentator, and appeared as the #RedShark in four seasons of Shark Tank Australia and she appears regularly on ABC The Drum. She is a non-executive director at Big Red Group, Australian Payments Plus, Colonial First State and Weebit Nano, as well as the Cerebral Palsy Research Foundation and the University of Melbourne Business and Economics Faculty.

A true business leader and influencer, with more than 2.7 million LinkedIn followers, Naomi is Australia’s most followed person on the business networking platform. She has four seasons of her podcast ‘Handpicked’, and she has authored two best-selling books Live What You Love, and Ready to Soar, and is sought after speaker.

FULL BIO

For 25 years Naomi has been bringing people together whether it’s with her business experience, her speaking or writing. She is a strong advocate of business owners.

Known as an entrepreneur and business leader; following the growth of RedBalloon which she founded in 2001, Naomi co-founded the Big Red Group (BRG) in 2017.

Naomi had a corporate career with Apple, KPMG, IBM and Ansett Australia prior to becoming an entrepreneur. She is a prolific blogger, podcaster and business commentator, and appeared as the #RedShark in four seasons of Shark Tank Australia. She is a non-executive director at Big Red Group, Australian Payments Plus, Colonial First State and Weebit Nano. As well as the Cerebral Palsy Research Foundation and the University of Melbourne Business and Economics Faculty.

A true business leader and influencer, with more than 2.7 million LinkedIn followers, Naomi is Australia’s most followed person on the business networking platform. She has authored two best-selling books Live What You Love, and Ready to Soar, and is an engaging, humorous and insightful speaker. She has four seasons of her Podcast – Handpicked.

Naomi is relatable across a broad variety of audiences and topics, often drawing on her personal experiences to provide thoughtful and valuable views into topics; including the customer obsession, intentional leadership, growth mindset, personal development. She is a regular panellist on ABC The Drum.

Peter Ngo

Product Line Manager, Global Certifications, Palo Alto Networks

Peter Ngo

Peter leads the Commercial Cloud, Global Certifications organisation at Palo Alto Networks which oversees global cloud security compliance efforts to various frameworks and standards including IRAP, SOC 2, ISO, PCI, C5, ISMAP, and IRAP and more for 25+ cloud products.

He has held many roles over the years covering areas of IT Operations, and Governance, Risk, & Compliance (GRC) for a wide range of industries including technology, insurance, and manufacturing.

Peter holds various security and professional certifications, including the CCSP, CISSP, PCI ISA, CISA, CISM, CDPSE & ISO Lead Auditor, in addition to a Master of Science degree in Information Assurance. 

Jack Cross

CISO, QUT

Jack Cross

Jack Cross is an experienced business leader with expertise in digital technologies and risk management. Through a steadfast commitment to integrating people, processes, and technology, he champions the fight against cyber threats while mitigating organisational risks. 

Over the past 15 years, Jack has navigated diverse leadership roles within the Defence and Education sectors, honing his skills in steering multidisciplinary teams through intricate and sensitive technical landscapes. In addition to this experience, he holds numerous formal qualifications such as: a Master of Systems Engineering (Electronic Warfare); CISSP; and CISM certifications.

Nadene Serman

Global CTO, Infotrack

Nadene Serman

Nadene Serman is a leading IT executive with a proven track record spearheading first-of-its-kind technology and business transformation for some of the most prominent organisations globally and in Australia. As the Global Chief Technology Officer of InfoTrack, she is a key protagonist of innovation as an enabler of InfoTrack’s next stage growth. Her energy, commercial acuity and strategic capability have fueled her success.

Nadene leads with clarity, transparency and urgency, uniting people in complex, multi-layered technology and business execution, and go-to-market transformation and innovation. She tackles and resolves complex and seemingly intractable challenges while building support and collaboration – even in times of crisis. Her people-first, ‘think straight, talk straight’ approach makes her a formidable force.

John Doe

President Great Technology

Cyber Resilience Program | Sekuro

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.