:PROPERTIES:
:ID:       7f46764b-47b8-4892-a526-2c1b9ee6e6df
:ID:       auto-irap
:CREATED:  [2026-05-23 Sat]
:END:
#+title: IRAP (Infosec Registered Assessors Program — Australia)
#+filetags: :passepartout:compliance:framework:irap:


** IRAP (Infosec Registered Assessors Program)

Australian government's cloud security assessment program — analogous to
[[id:e6993701-3c67-49bf-82f3-06907572cbf3][FedRAMP]]. Cloud services used by Australian government agencies must have an
IRAP assessment. Managed by the Australian Cyber Security Centre (ACSC).
Assessment levels: Protected (highest), Secret (top secret), Unclassified DLM.

Who must comply: Cloud providers selling to Australian federal, state, and
local government agencies. Also critical infrastructure providers.

Why it matters: Like FedRAMP and [[id:085b76cc-4a65-4660-9c70-85aee10ca99e][ISMAP]], IRAP is a procurement gate. An IRAP
Protected-level assessment is expensive and takes 6-12 months. First-mover
advantage: the gate stack's deterministic audit trail can be the primary
evidence artifact, reducing assessment scope/cost.