The Real Cost of an IRAP Assessment: Part 1 – The Preparation Phase
"How much does an IRAP assessment cost?" It's the question on everyone's mind. The reality? The assessor's fee is the easy part. The real cost lies in preparation and maintenance.
Written by: Hareen Siriwardena
28 November 2025
At a recent AISA Conference, a fellow attendee asked the question that was on everyone’s mind: “How much does an IRAP assessment cost?”
The host hesitated, answering with the classic “how long is a piece of string?” but eventually, numbers were thrown out by the speaker and attendees alike. Some were surprisingly low, others uncomfortably high. A few had me seriously questioning the depth, quality and credibility of what could realistically be delivered at that price.
For SaaS vendors and commercial entities looking to sell to the Australian Federal or State Government, the sticker price of the assessor is only the tip of the iceberg. The true cost lies in the preparation and maintenance. Systems must be re-assessed every 24 months and starting from scratch every two years gets real old, real fast.
In this three-part series, we will break down the costs for the three primary stages of the IRAP lifecycle: Preparation, Assessment, and Maintenance.
Understanding the Landscape: PSPF, ISM, and IRAP
Before talking dollars, it is critical to understand the framework you are paying to comply with. If you are familiar with the US market, you can think of this ecosystem as the Australian equivalent to FedRAMP, though there are distinct differences in execution.
- PSPF (Protective Security Policy Framework): The overarching policy that tells government entities what they must protect.
- ISM (Information Security Manual): The technical manual that details how to protect it (the controls).
- IRAP (Infosec Registered Assessors Program): The independent assessment that proves to the government you have met the requirements of the ISM.
Phase 1: The Cost of Preparation
By design, the IRAP process is documentation-heavy. You are required to state your claims of security control implementation via mandatory artifacts. These claims must then be evidenced through records and configuration reviews by an IRAP assessor.
Consequently, preparation is the most resource-intensive stage. In my 10+ years in professional services, I have seen that attempting an assessment without adequate preparation leads to three expensive outcomes:
- Missed Functionality: Reports often overlook critical security functionality. We recently uncovered three additional identity providers in a system that previous assessors had completely missed because they were not identified in system documentation.
- The “Never-Ending” Assessment: Assessors constantly turning over rocks and finding undocumented components leads to scope creep and “cheeky” change requests.
- “No Visibility” Results: A report filled with “no visibility” tags is a red flag to Federal buyers. It forces them to question the security maturity of your product.
The Friction of Procurement
If you want to sell a managed service, SaaS platform or cloud service to the Australian Federal or State Government, the lack of a current IRAP assessment is the ultimate deal-breaker.
I have seen large procurements put on hold while a vendor is told to go seek an IRAP assessment. IRAP assessments can take up to 12 weeks, and developing mandatory system documentation can take months. If the purchaser has no other option, they might wait. But more often, they will pivot to the vendor that can tick the compliance boxes immediately.
The Mandatory Documentation: A Cost Breakdown
The ASD Information Security Manual (ISM) outlines five "mandatory" documents. To give you a realistic budget, the table below estimates the effort for an experienced technical document writer, usually another IRAP Assessor (charging between $1,800 and $2,800 per day), to create these artefacts for a system of low-to-moderate complexity.
| Mandatory Artefact | Estimated Effort | Estimated Cost (at ~$2.3k/day) |
|---|---|---|
| System Security Plan (SSP) Annex A | 15 Days | ~$34,500 |
| System Security Plan (SSP) | 10 Days | ~$23,000 |
| Incident Response Plan | 5 Days | ~$11,500 |
| Continuous Monitoring Plan | 3 Days | ~$6,900 |
| Change & Config Mgmt Plan | 2 Days | ~$4,600 |
| Total Estimated Effort | ~35 Days | ~$80,500 |
The Hidden “Internal” Cost
The financial figures above only cover the external consultant. They do not include the massive burden on your internal GRC teams, system engineers, and architects.
For a recent low-medium complexity system, the documentation suite required:
- 20 hours of workshops.
- 3+ Subject Matter Experts (SMEs) in every session.
That equals more than a full working week for your most senior (and expensive) technical resources. These are opportunity costs often overlooked when Sales VPs ask, “How much will this cost?”
The Scalability Problem: Why Spreadsheets Fail
Most organizations attempt to manage this preparation using spreadsheets to track the SSP Annex A (the control implementation details). While this might work for a one-time assessment of a single system, it does not scale.
- Information Silos: Valuable data collected in spreadsheets is rarely reused for other systems, even though they all rely on the exact same enterprise control.
- Version Control Chaos: If an enterprise-wide control changes (e.g., a new Identity Management policy), updating that across multiple spreadsheets is a manual nightmare.
- Inheritance Issues: Tracking controls inherited from hyperscale cloud providers (like AWS or Azure) gets complicated very fast in Excel.
Since the ISM requires IRAP assessments to be performed at least every two years, relying on static documents ensures your next assessment will be just as expensive as the first.
A Better Way to Prepare
This is where Navi changes the equation. Navi allows organizations to maintain control implementation information democratically—creating a single source of truth. Instead of static spreadsheets, you have a living record of compliance that scales across the enterprise.
4 Tips for Your Preparation Phase
If you are currently preparing for an assessment (and still using spreadsheets), here is how to minimize the pain:
- Start with the SSP Annex A: Do not just write “Yes/No.” The IRAP assessor needs to know HOW the requirement is met and WHERE they can verify it.
- Create a ‘Master’ Template: Pre-document your organization-wide controls (e.g., ISM-0039L: Cyber Security Strategy). You should only have to write this once.
- Map Inheritance Early: Identify which controls are inherited from your Cloud Service Provider immediately to avoid duplicating work.
- Be Honest with Your Assessor: As an assessor, there is nothing worse than turning up to a kick-off meeting where you have been told the system is ready for assessment, only to find a half-completed SSP-A from four years ago.
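To make the spreadsheet-scalability and Annex A points above concrete, here is an added Python example (not code from the post, nor from Navi) of a minimal control register: organisation-wide controls are written once in a master template, controls inherited from a Cloud Service Provider are attached per provider, each system's Annex A is assembled from those layers, and a check flags statements that are a bare "Yes/No" or give no WHERE for the assessor to verify. ISM-0039L is the identifier quoted in the post; every other control ID, system name and CSP name is a constructed placeholder.

```python
from dataclasses import dataclass

# Constructed example of a single control register behind SSP Annex A. "ISM-0039L" is the
# identifier quoted in the post; every other control ID, system and CSP name is a placeholder.

@dataclass(frozen=True)
class Statement:
    control: str   # ISM control identifier
    how: str       # HOW the requirement is met
    where: str     # WHERE the assessor can verify it (record, console, report)
    source: str    # "enterprise", "inherited" or "system"

VAGUE = {"", "yes", "no", "n/a", "compliant", "implemented"}  # bare answers with no HOW
class ControlRegister:
    def __init__(self):
        self.enterprise = {}   # master template: organisation-wide controls, written once
        self.inherited = {}    # csp -> {control: Statement} the provider is responsible for
        self.systems = {}      # system -> (csp, {control: Statement} specific to that system)

    def add_enterprise(self, control, how, where):
        self.enterprise[control] = Statement(control, how, where, "enterprise")
    def add_inherited(self, csp, control, how, where):
        self.inherited.setdefault(csp, {})[control] = Statement(control, how, where, "inherited")
    def add_system(self, system, csp, control=None, how="", where=""):
        _, local = self.systems.setdefault(system, (csp, {}))
        if control:
            local[control] = Statement(control, how, where, "system")

    def annex_a(self, system):
        """Enterprise, then CSP-inherited, then system-specific; later layers override."""
        csp, local = self.systems[system]
        merged = dict(self.enterprise)
        merged.update(self.inherited.get(csp, {}))
        merged.update(local)
        return merged

    def weak_statements(self, system):
        """Controls an assessor would tag 'no visibility': bare Yes/No or no WHERE."""
        return sorted(c for c, s in self.annex_a(system).items()
                      if s.how.strip().lower() in VAGUE or not s.where.strip())

def build_demo_register():
    reg = ControlRegister()
    reg.add_enterprise("ISM-0039L", "Board-endorsed strategy, reviewed yearly", "GRC portal > Strategy v3")
    reg.add_inherited("ExampleCloud", "PLACEHOLDER-PHYS", "Data-centre access run by CSP", "CSP's own IRAP report")
    reg.add_system("payments-api", "ExampleCloud", "PLACEHOLDER-MFA", "Yes", "")  # spreadsheet-style entry
    reg.add_system("hr-portal", "ExampleCloud")  # relies entirely on enterprise + inherited controls
    # Update the enterprise policy once; both systems' Annex A pick up v4 automatically.
    reg.add_enterprise("ISM-0039L", "Board-endorsed strategy, reviewed yearly", "GRC portal > Strategy v4")
    return reg
```

Running `build_demo_register().weak_statements("payments-api")` surfaces the bare "Yes" entry, while `hr-portal`, which only reuses the master template and inherited controls, comes back clean.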
Stay tuned for Part 2 of this series, where we will break down the cost factors of the Assessment Stage itself.