ISM-0100 ASD Information Security Manual (ISM)

Regular IRAP Assessment of Sensitive Gateways

Sensitive gateways must have an IRAP assessment at least every two years using the latest ISM standards.

Plain language

This control is about making sure that the security systems protecting sensitive information are regularly checked and kept up to the latest standards. If these gateways aren't checked every two years, they might become outdated, leaving your organisation open to data breaches or cyber-attacks that could compromise important information.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S

ISM last updated

Feb 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Non-classified, OFFICIAL: Sensitive, PROTECTED and SECRET gateways undergo an IRAP assessment, using the latest release of the ISM available prior to the beginning of the IRAP assessment (or a subsequent release), at least every 24 months.

Why it matters

Without 24‑monthly IRAP assessments, OFFICIAL: Sensitive/PROTECTED/SECRET gateways can retain unaddressed ISM gaps, increasing compromise risk and data exposure.

Operational notes

Schedule IRAP for each sensitive gateway at least every 24 months, and ensure the assessor uses the latest ISM release available before the assessment (or later); retain reports and evidence.

Implementation tips

  • The IT team should schedule regular assessments: Set up a recurring calendar reminder every two years to initiate an assessment for your sensitive gateways, ensuring they're inspected against the most recent security standards available.
  • The system owner should gather relevant information: Collect any documentation, configuration details, and vendor contacts related to the current setup of your gateways to prepare for the assessment.
  • Management should appoint an IRAP assessor: Contact a certified IRAP assessor who is familiar with Australian Signals Directorate (ASD) standards and arrange for their review of your gateways.
  • The assessor and IT team should work together during the assessment: Collaborate to ensure the assessor understands your systems, provides accurate feedback, and notes areas that need improvement.
  • The IT manager should implement recommended changes: Based on the assessor's findings, create a timetable to update and fix identified issues in your system, ensuring changes are documented for accountability.

Audit / evidence tips

  • Ask: The latest IRAP assessment report: Request a copy of the report completed by the certified assessor, detailing the findings and any recommendations for improvements.
  • Good: Includes documented reminders and past completion dates.
  • Ask: How they prepare for and conduct an IRAP assessment. Good: Involves mentioning document collection, liaising with assessors, and following up on recommendations.

Cross-framework mappings

How ISM-0100 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

No cross-framework mappings recorded yet.
