Common IRAP Misconceptions
Five of the most common IRAP myths debunked.
Written by: Hareen Siriwardena
18 March 2026
#1 The product meets the client’s business and technical requirements, so the IRAP Report guarantees government procurement.
FALSE. An IRAP assessment supports only internal authorisation decisions. Departments review the IRAP Report to understand security risk. Significant non-compliance with the ASD Information Security Manual often results in buyers selecting a lower risk provider.
#2 IRAP is a certification or accreditation.
FALSE. IRAP Certification or Accreditation does not exist. An IRAP Assessment is an independent review performed by an ASD endorsed IRAP Assessor. It evaluates the design and effectiveness of security controls against the Information Security Manual. The final authorisation and subsequent procurement decision always sits with the government department.
#3 IRAP removes the need for agency security responsibility.
FALSE. IRAP Reports outline provider security posture and shared responsibility obligations. They include consumer guidance for secure configuration and use of the service. Departments must still implement and manage controls outlined in the IRAP Report.
#4 IRAP Reports are classified TOP SECRET and cannot be shared.
FALSE. Reports are usually classified as Proprietary or Commercial in Confidence. They can be shared under NDA to support procurement and cyber due diligence. Many organisations use them as technical assurance artefacts in the sales process.
#5 IRAP is a tick box exercise. I can select the cheapest quote to meet government procurement requirements.
FALSE. And often a costly mistake. You may have spent months building the opportunity and weeks preparing the proposal, only to fail at an early procurement assurance gate. Lower cost IRAP quotes can lack depth and assessment rigour. Experience matters. An IRAP assessor must quickly understand your architecture, hosting model, and control implementation against the ASD Information Security Manual. Select an IRAP assessor that can best represent your organisation and the product or service.