IRAP Assessment & Readiness, Australia
Discover
Map goals, users, constraints, existing systems, and the business case before scope locks in.
Design
Shape the architecture, delivery plan, risk register, and success measures around your operating reality.
Build
Ship focused increments with working demos, testing, accessibility checks, and security review.
Support
Monitor, maintain, document, and improve the platform so your team can rely on it long term.
Nano Solutions provides IRAP readiness and remediation for Australian government and their suppliers — we design ISM-aligned architecture, implement the controls, and prepare the evidence an IRAP assessor needs, then close the gaps. Fremantle-based, WA Government CUAICTS2021 ICT panel supplier (Contractor #225).
What is an IRAP assessment?
IRAP — the Infosec Registered Assessors Program, run by the Australian Signals Directorate — is the process under which an ASD-endorsed assessor evaluates a system's security controls against the Australian Government Information Security Manual (ISM). It's commonly required for systems that store or process government information, particularly at the OFFICIAL: Sensitive and PROTECTED classifications.
Importantly, the formal IRAP assessment is conducted by an ASD-endorsed IRAP assessor — not by the system owner or their delivery partner. What we do is get you ready for it: align the system to the ISM, implement and document the controls, and assemble the evidence, so the assessment is a confirmation rather than a list of surprises.
How IRAP relates to the ISM and the Essential Eight
These three fit together: the ISM is the control catalogue; the Essential Eight is a prioritised baseline of mitigations within it; and IRAP is the assessment process that evaluates a system against the ISM. Getting your Essential Eight maturity and ISM alignment right is most of the readiness work — so that's where we start.
How we work
- Gap analysis — assess the system against the relevant ISM controls and your target classification; produce a clear findings register.
- Roadmap — a prioritised, costed remediation plan to reach assessment readiness.
- Remediation (we do it) — implement the controls: identity and access, network segmentation, encryption, logging, hardening, backups.
- Evidence & documentation — assemble the System Security Plan inputs and evidence an IRAP assessor expects.
- Assessment support — work alongside your chosen ASD-endorsed IRAP assessor and remediate any findings.
Who needs IRAP readiness
Australian government entities and their suppliers operating systems that handle government data. As a WA Government CUAICTS2021 panel supplier working with government agencies, this is core ground for us — with Australian-resident engineers and Australian data sovereignty throughout.
Typical investment
- ISM gap analysis & readiness roadmap: from $8,000, scoped to the system and target classification.
- Remediation & control implementation: scoped from the roadmap.
- Assessment support & ongoing compliance: retainer-based.
All prices AUD, exclude GST. Every engagement starts with a free 30-minute scoping call. Book an IRAP readiness conversation.
Frequently Asked Questions
What is an IRAP assessment?
IRAP (the Infosec Registered Assessors Program) is the ASD framework under which an endorsed assessor evaluates a system's security controls against the Australian Government Information Security Manual (ISM). It is commonly required for systems handling government data. The formal assessment is performed by an ASD-endorsed IRAP assessor.
Does Nano perform the IRAP assessment itself?
Nano provides IRAP readiness and remediation — we design ISM-aligned architecture, implement the controls, and prepare the evidence and documentation an IRAP assessor needs. The formal IRAP assessment is conducted by an ASD-endorsed assessor; we get you ready for it and fix what they would otherwise flag.
Who needs IRAP?
Australian government entities and their suppliers operating systems that store or process government information, particularly at OFFICIAL: Sensitive and PROTECTED classifications.
How does IRAP relate to the Essential Eight and the ISM?
The ISM is the control catalogue; the Essential Eight is a prioritised baseline within it; IRAP is the assessment process that evaluates a system against the ISM. We align you to the ISM and Essential Eight first, which is most of the readiness work.
How long does IRAP readiness take?
It depends on the system's size and current maturity. We start with a gap analysis against the ISM, then a costed remediation roadmap; most readiness programmes run over several weeks to a few months before the formal assessment.
Have a question that's not listed here? We're happy to help.
Ask Us AnythingFurther Reading
- Cyber security consulting — the full security advisory practice.
- Essential Eight compliance — the baseline most of IRAP readiness builds on.
- Government — how we work with Australian government agencies.
Last reviewed: July 2026
Ready to Get Started?
Book a free discovery call to discuss your project. No obligation, no jargon — just a conversation about what you need.