
IRAP and ISM Consulting

If you are developing, operating, or providing a system for the Australian government or its agencies, we can help. 

What is the ISM?

The Information Security Manual (ISM) is published by the Australian Signals Directorate (ASD). It sets out the security requirements and best practices for Australian government information systems, covering topics such as governance, risk management, physical security, personnel security, and information and communications technology security.

What is IRAP?

IRAP stands for the Infosec Registered Assessors Program. It is an ASD program that endorses suitably qualified individuals to provide independent security assessment services to the Australian government and its agencies. IRAP assessors are trained and endorsed by ASD and have a thorough knowledge of the ISM.

If you are developing, operating, or providing a system for the Australian government or its agencies, you will typically need to comply with the ISM and undergo an IRAP or Entity assessment.

When an assessment is needed, and what type, depends on factors such as the classification of the system, its intended function and purpose, and the end client. Our experienced team can guide you through this process.

How can we help you?

We offer a range of services to help you achieve your IRAP and ISM goals. 

IRAP/ISM Gap Analysis

We will conduct a comprehensive gap analysis of your system or service against the ISM requirements and identify any areas that require additional attention, such as adjustments to the security architecture, configuration or management arrangements. We will then provide you with a detailed report of findings and recommendations covering:

  • System architecture and design

  • Control selection

  • Use of inherited controls from the hosting environment (cloud or on premises)

  • Configuration and management

  • Ongoing maintenance and operations of the system

  • Gaps in security documentation

Preparation of system-specific security documentation

We can help you prepare the security documentation required by the ISM, such as the:

  • System Security Plan (SSP) and its annex, the Statement of Applicability (SoA)

  • Cyber security incident response plan (IRP)

  • Continuous monitoring plan

  • Security assessment report

  • Plan of action and milestones

IRAP/Entity Assessment

We can perform an independent assessment of your system or service to verify the effectiveness of your security controls and risk management processes. We will provide you with a final report of the assessment findings, which can be used to make an informed decision about managing any residual security risks in the system.

In addition to the above, we can also provide services to support the design and development phase of these systems, to help you "bake in" security from the beginning of the process. This can help you avoid any costly redevelopments in order to meet security requirements, or conversely, save you from implementing security features and controls you may not need.

If you are operating a number of these systems, speak to us about managing the entire security process for your organisation, to establish robust, efficient and scalable security assessment processes.

Why work with De Stefano & Co?

Our team has extensive experience in the provision of IRAP and ISM consulting services for the Commonwealth Government, global software and cloud providers, and the Department of Defence.

Get in touch with our team today.
