Regular IRAP Assessment of Sensitive Gateways
Sensitive gateways must have an IRAP assessment at least every two years using the latest ISM standards.
Plain language
This control is about making sure that the security systems protecting sensitive information are regularly checked and kept up to the latest standards. If these gateways aren't checked every two years, they might become outdated, leaving your organisation open to data breaches or cyber-attacks that could compromise important information.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S
ISM last updated
Feb 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Non-classified, OFFICIAL: Sensitive, PROTECTED and SECRET gateways undergo an IRAP assessment, using the latest release of the ISM available prior to the beginning of the IRAP assessment (or a subsequent release), at least every 24 months.
Why it matters
Without 24-monthly IRAP assessments, OFFICIAL: Sensitive/PROTECTED/SECRET gateways can retain unaddressed ISM gaps, increasing compromise risk and data exposure.
Operational notes
Schedule IRAP for each sensitive gateway at least every 24 months, and ensure the assessor uses the latest ISM release available before the assessment (or later); retain reports and evidence.
Implementation tips
- The IT team should schedule regular assessments: Set up a recurring calendar reminder every two years to initiate an assessment for your sensitive gateways, ensuring they're inspected against the most recent security standards available.
- The system owner should gather relevant information: Collect any documentation, configuration details, and vendor contacts related to the current setup of your gateways to prepare for the assessment.
- Management should appoint an IRAP assessor: Contact a certified IRAP assessor who is familiar with Australian Signals Directorate (ASD) standards and arrange for their review of your gateways.
- The assessor and IT team should work together during the assessment: Collaborate to ensure the assessor understands your systems, provides accurate feedback, and notes areas that need improvement.
- The IT manager should implement recommended changes: Based on the assessor's findings, create a timetable to update and fix identified issues in your system, ensuring changes are documented for accountability.
Audit / evidence tips
- Ask for the latest IRAP assessment report: Request a copy of the report completed by the certified assessor, detailing the findings and any recommendations for improvements.
- Good evidence includes documented reminders and past completion dates.
- Ask how they prepare for and conduct an IRAP assessment.
- Good answers involve mentioning document collection, liaising with assessors, and following up on recommendations.
Cross-framework mappings
How ISM-0100 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
No cross-framework mappings recorded yet.