A founding initiative of ×
Note: This organisation (AusISA) is not affiliated with the Australian Information Security Association (AISA). Though we do consider AISA a great organisation — you should definitely check them out.
IRAP 2.0 Assessor Training

Frequently Asked Questions

Everything you need to know about the AusISA IRAP 2.0 Assessor Training Course — prerequisites, course structure, assessments, and the pathway to ASD endorsement.

Course Structure

How the course works

The IRAP 2.0 Assessor Training Course runs across three weeks. Each week serves a distinct purpose — building knowledge, applying it under supervision, and demonstrating competency through assessed deliverables.

Week 1 — Pre-Reading

Self-Paced Preparation

Before the course begins, you complete approximately one week of mandatory self-paced reading. This ensures all participants arrive with a baseline understanding of the IRAP framework, the ISM, and the PSPF.

  • IRAP Policy & Procedures (2026)
  • IRAP Common Assessment Framework (CAF)
  • IRAP Consumer Guide
  • Information Security Manual (ISM)
  • Protective Security Policy Framework (PSPF)
  • ASD Strategies to Mitigate Cyber Security Incidents
  • ASD Essential Eight Maturity Model
Week 2 — Course Delivery

Instructor-Led Training

Five days of intensive, scenario-based training delivered by active IRAP assessors. Includes theory, hands-on labs, and the formal IRAP examination.

  • IRAP policy, CAF, and quality assurance framework
  • Interpreting architecture diagrams and scoping assessments
  • Hands-on lab: assessing ISM controls in a simulated government environment
  • Governance, independence, and conflict of interest
  • IRAP report writing methodology
  • Formal IRAP examination (Day 5)
  • Daily reflections
Week 3 — Assessments

Completing Deliverables

After the course week, you have approximately one week to finalise and submit your assessed deliverables.

  • Cloud Controls Matrix (CCM) — a completed cloud security assessment
  • IRAP Assessment Report — a condensed report using the modified ASD template, based on your course lab work
Eligibility

Prerequisites & qualifications

To be eligible for ASD endorsement as an IRAP assessor, you must hold one certification from Category A and one from Category B:

  • Category A (security management): CISSP, CISM, or GSLC
  • Category B (audit / assessment): CISA, PCI QSA, or CRISC

You do need to hold both certifications at the time of enrolment, and you will need them in order to apply for ASD endorsement after passing the course.

ASD requires a minimum of five years of information security experience, with demonstrated work implementing or assessing security controls aligned to the ISM and/or the PSPF.

This experience should include practical familiarity with Australian Government security frameworks — not just general IT security.

Yes. You must be an Australian citizen to be endorsed as an IRAP assessor by ASD. This is a non-negotiable requirement set by the Australian Signals Directorate.

A Negative Vetting Level 1 (NV1) clearance is required to be endorsed as an IRAP assessor. You do not need it at the time of enrolment, but you will need it before ASD will grant endorsement.

ASD may sponsor clearance processing for successful course graduates who do not yet hold an NV1.

Under the IRAP 2.0 framework, existing IRAP assessors are required to complete the updated training course as part of their membership renewal. A reduced rate applies for current assessors — see the course schedule for pricing.

Assessments

Exams & grading

There are three assessed components:

  1. IRAP Examination — a formal knowledge assessment conducted on the final day of the course week
  2. IRAP Report Assessment — a condensed IRAP-style assessment report using a modified ASD template, based on your lab work during the course. You have approximately one week after the course to finalise it.
  3. Daily Reflections — short reflective entries completed during and after the course week

The IRAP examination is:

  • 3 hours in duration
  • Open book — you may reference any materials
  • A mix of multiple-choice and short-answer questions
  • Negative marking applies to multi-select questions where too many options are selected (over-selection)
  • Large Language Models (LLMs) are permitted during the exam

The pass mark for the IRAP examination is 80%.

To pass the course overall, you must achieve 80% on the exam and satisfactorily complete the IRAP report assessment and daily reflections.

If you score between 75% and 79.9% on the exam and have passed all other components, you are eligible for a supplementary exam.

  • The supplementary exam has the same 80% pass mark
  • It must be attempted within 3 months of your original exam
  • Only one supplementary attempt is available

If you score below 75%, or fail the supplementary exam, you must wait at least 6 months before re-enrolling in the course. There is no further re-sit option for that intake — you would need to complete the full course again.

Results are provided within 30 business days of the final assessment submission. Once issued, your results are valid for 3 months to apply for ASD endorsement.

After the Course

Endorsement & next steps

No. Passing the IRAP training course is one step in the endorsement process. ASD endorsement is a separate decision made by the Australian Signals Directorate and involves additional requirements including:

  • Holding the required Category A and Category B certifications
  • A minimum Negative Vetting Level 1 (NV1) security clearance
  • Submitting the IRAP Application, Assessor Agreement, Confidentiality Deed, and ACSC Partner Portal Deed
  • Meeting ASD's character, experience, and independence requirements

You must apply to ASD for endorsement within 3 months of receiving your results. If you do not apply within this window, you may need to re-sit the examination or retake the course.

IRAP membership operates on a 24-month renewal cycle. There are multiple pathways available for renewal, which may include re-completing the training course, demonstrating continued professional development, or meeting other ASD-specified requirements.

Practical Details

Course logistics

AusISA offers both in-person and live-virtual (online) delivery options. Check the course schedule for current offerings and formats.

In-person courses include catering and are held in Canberra, with other capital cities available on demand.

Pricing for the IRAP 2.0 course is:

  • New IRAP Assessors: $7,620 AUD + GST
  • Current IRAP Assessors: $3,950 AUD + GST

Group and agency discounts are available for bookings of 5 or more participants. Contact courses@australianinformationsecurity.academy for volume pricing.

We accept credit card (instant confirmation) and invoice (your spot is confirmed once the invoice is paid). Both options are available at checkout.

The course is delivered exclusively by active practitioners — ASD-endorsed IRAP assessors and experienced operators with deep experience across Defence, Intelligence, and Critical Infrastructure. See our facilitators page for the full team.

Ready to enrol?

Start your path to IRAP endorsement

View upcoming course dates and secure your seat. Courses are intentionally small and fill quickly.

View Courses & Register

Questions? Email courses@australianinformationsecurity.academy