IRAP guidance — preparing for the 2026 framework.

The Information Security Registered Assessors Program (IRAP) is the Australian Signals Directorate's framework for assessing implementations of the Information Security Manual (ISM). In January 2026 ASD published an updated IRAP Quality Assurance Framework, raising the bar on how assessments are conducted and documented.

What changed in January 2026

Assessors now face scrutiny of their methodology, not just their findings. For organisations preparing for assessment this means a higher bar on evidence: traceable, attributable, and explicitly mapped to ISM controls. Spreadsheets and disconnected documents that previously satisfied assessment will not meet the new framework's standard.

What evidence is now required

• Evidence must be traceable — every claim points to a system of record (log, policy document, configuration export, screenshot with timestamp)
• Evidence must be attributable — who collected it, when, and how
• Evidence must be ISM-mapped — explicitly tied to one or more ISM control identifiers, not just an E8 control name
• Methodology must be documented — assessors will be asked to explain their sampling, scope, and validation approach

Five most common evidence gaps we see

• Patch deployment evidence missing timestamps (you know patches were applied; you cannot prove when)
• Privileged-access requests not validated and logged as discrete events
• Application-control rulesets not reviewed within the required cadence
• Backups never restored end-to-end (the existence of a backup job is not evidence of recoverability)
• Phishing-resistant MFA deployed only to IT staff, leaving the general privileged-user population on lower factors

How to prepare

Run an evidence-readiness dry run before booking your IRAP assessment. For each control, attempt to produce timestamped, ISM-mapped evidence for your target maturity level — and see where the gaps are while you still have time to close them.