The IRAP Common Assessment Framework, explained
In 2025 the Australian Signals Directorate (ASD) published the IRAP Common Assessment Framework (CAF) — a standard methodology for how Infosec Registered Assessors Program assessors evaluate ICT systems against the Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF). Here is what it changes, and what it means for the people running and receiving assessments.
What is IRAP?
The Infosec Registered Assessors Program (IRAP) is an ASD program under which endorsed, qualified ICT professionals assess whether a system has appropriate security controls in place. IRAP assessors evaluate systems — cloud services, gateways, and on-premises environments — against the ISM, the ASD's catalogue of cyber security controls. The goal is to give Australian government entities confidence that a system can handle their data at a given classification.
Why a Common Assessment Framework?
Before the CAF, two assessors could approach the same system differently, producing reports that were hard to compare. The Common Assessment Framework standardises the methodology: a consistent way to define scope, assess controls, and document findings, so that an assessment of a gateway reads the same way as an assessment of a cloud service. For system owners, that means more predictable, comparable results; for assessors, a clearer shared baseline.
The six-step lifecycle
The ISM's risk management approach draws from NIST Special Publication 800-37, and the assessment lifecycle follows the same shape:
- Define the system — establish scope, boundary and the classification of data the system handles.
- Select controls — determine which ISM controls apply, based on classification and risk.
- Implement controls — the system owner puts the selected controls in place.
- Assess controls — the assessor evaluates both implementation and effectiveness, gathering evidence.
- Authorise the system — the authorising officer accepts residual risk and approves operation.
- Monitor the system — controls are kept current and reassessed as the system and threats change.
Implementation vs effectiveness
A recurring theme in ASD's assessment guidance is the difference between a control being implemented and being effective. A policy can exist on paper (implemented) but not actually reduce risk in practice (not effective). A good assessment tests both, and the evidence behind each judgement is what makes the result defensible.
The output of an assessment is only as strong as the evidence and the audit trail behind it. Scope, methods, findings and sign-off all need to hold up to scrutiny later.
Where the ISM and PSPF meet
The PSPF is the broader Australian Government protective security policy; the ISM operationalises its cyber requirements as concrete controls. An IRAP assessment is where those controls are tested against a real system at a real classification — OFFICIAL: Sensitive, PROTECTED, or above.
What it means for assessors and MSPs
A standard framework rewards a standard workflow. Running scoping, evidence collection, fieldwork, findings and certification the same way every time — with chain of custody on evidence and an append-only audit trail — is exactly what a comparable, defensible assessment needs.
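The evidence-backed, append-only audit trail described above (and the implemented-versus-effective judgement it needs to preserve) can be sketched as a hash-chained log. This is an added illustration, not OakAttest's or ASD's code; the system name, evidence bytes and the `ISM-<placeholder id>` control reference are constructed placeholders.

```python
import hashlib
import json
from typing import Optional, Tuple

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class AssessmentTrail:
    """Append-only, hash-chained record of an assessment; each entry commits to
    the previous entry's hash and to the SHA-256 of the evidence it relies on."""
    GENESIS = "0" * 64

    def __init__(self, system: str, classification: str) -> None:
        self.entries = []
        self.append("define_system", {"system": system, "classification": classification})

    def append(self, event: str, detail: dict, evidence: Optional[bytes] = None) -> dict:
        entry = {
            "seq": len(self.entries),
            "event": event,
            "detail": detail,
            # Chain of custody: hash the evidence bytes themselves, not a description of them.
            "evidence_sha256": sha256_hex(evidence) if evidence is not None else None,
            "prev_hash": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        # Canonical JSON so a later verifier recomputes exactly the same hash.
        entry["hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, int]:
        """Return (True, -1) if intact, else (False, index of the first broken entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, -1

def demo() -> Tuple[bool, bool]:
    """Record an implemented-but-not-effective finding, then show a retroactive edit is caught."""
    trail = AssessmentTrail("Example Gateway", "PROTECTED")           # constructed system name
    policy = b"constructed evidence: patch management policy v3"      # stands in for an uploaded document
    trail.append("assess_control", {"control": "ISM-<placeholder id>", "implemented": True,
                 "effective": False, "basis": "policy exists; scan shows unpatched hosts"}, evidence=policy)
    intact_before = trail.verify()[0]
    trail.entries[1]["detail"]["effective"] = True                    # the judgement is flipped after sign-off
    intact_after = trail.verify()[0]
    return intact_before, intact_after
```

The chain detects edits, reordering and deletions in the middle of the log, but not truncation of the newest entries; anchoring the latest hash outside the log (for example in the signed assessment report) closes that gap.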
That is what OakAttest is built for: it takes an IRAP or ISM assessment from scoping to certification in one place, with Australian data residency and a full audit trail. For firms and MSPs running many engagements, the consistency the CAF asks for becomes the default.