IRAP Assessments & Essential Eight Uplift
Independent security assessment, delivered by an ASD-endorsed IRAP assessor — with one thing most assessors can't offer: the option to price every control gap in dollars, so your remediation budget goes where the risk actually is.
Assessment tells you where you stand. It doesn't tell you what the gap costs.
An IRAP assessment measures your system against the Australian Government Information Security Manual (ISM). An Essential Eight assessment scores your maturity across eight mitigation strategies on a scale from Maturity Level Zero to Maturity Level Three. Both are essential. Both stop at the same place: a list of gaps and a maturity level. Neither answers the question your executive actually asks next — which gap do we fix first, and what does leaving it open cost us?
Our difference. We deliver the assessment to standard — and then, if you want it, we translate the findings into dollars. Each open control becomes a line item with a quantified risk contribution, so remediation is prioritised by exposure reduced per dollar spent, not by gut feel.
What we deliver
Independent assessment of your system's security against the ISM and PSPF, documented to support your authorisation process.
Maturity scoring across all eight strategies (ML0–ML3), with a prioritised, risk-based uplift roadmap.
Each control gap quantified as risk in dollars, so your uplift budget is spent where it reduces the most exposure.
The Essential Eight, briefly
The Essential Eight is the ACSC's baseline of eight prioritised mitigation strategies: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups. Maturity is measured across four levels (ML0–ML3). Non-corporate Commonwealth entities are required to reach Maturity Level Two under the Protective Security Policy Framework (PSPF); increasingly, enterprise clients and cyber insurers expect a baseline level from their suppliers too. There is no formal Essential Eight certification — alignment is demonstrated through assessment and maturity reporting.
How an engagement runs
Scope & target
We agree the system boundary, the assessment standard (ISM / Essential Eight), and your target maturity level based on your risk and obligations.
Assess against the standard
We gather evidence — configuration, patch records, access reviews, backup validation — and assess your control effectiveness against the ISM and the Essential Eight maturity model.
Report the findings
You get a clear assessment report: control-by-control findings, your maturity position, and a risk-based remediation roadmap sequenced to reach your target level.
Cost the gap (optional)
On request, we quantify each open control as an Annual Loss Expectancy contribution, turning your remediation roadmap into a budget case your executive can approve.
Why CyQuantiFi
Assessments delivered by an ASD-endorsed IRAP assessor with nine years at the Australian Department of Defence.
The only IRAP + Essential Eight engagement that can hand you a dollar figure for every gap, not just a maturity score.
Australian-owned and Australian-hosted, with no product we're quietly trying to sell you into the findings.
Findings are evidence-based and traceable, and the remediation roadmap is prioritised by risk, not by whatever's easiest to fix.
Who it's for
Australian organisations that need an IRAP assessment to handle or store government data, non-corporate Commonwealth entities working towards Essential Eight Maturity Level Two, and government suppliers being asked to prove their maturity during procurement due diligence.
Frequently asked questions
What is an IRAP assessment?
The Information Security Registered Assessors Program (IRAP) is an ASD program of endorsed assessors who provide independent assessments of a system's security against the Australian Government Information Security Manual. An IRAP assessment documents your security posture to support an authorisation decision; the authorising officer or authority makes the authorisation, not the assessor.
What are the Essential Eight maturity levels?
The Essential Eight maturity model defines four levels — Maturity Level Zero through Maturity Level Three — measuring how consistently each of the eight mitigation strategies is implemented against increasing levels of adversary tradecraft. Organisations aim for the same level across all eight strategies before progressing higher.
Is Essential Eight compliance mandatory?
Non-corporate Commonwealth entities are required to reach Maturity Level Two under the PSPF. There is no general legal mandate for private businesses, but enterprise clients, government procurement and cyber insurers increasingly expect a baseline maturity level. There is no formal certification — you demonstrate alignment through assessment and reporting.
Can you tell us what our control gaps cost in dollars?
Yes — that's what sets us apart. On request we quantify each open control as a contribution to your Annual Loss Expectancy, so your remediation roadmap becomes a prioritised budget case: fix the gaps that reduce the most risk per dollar first.
Assess to the standard — then price the gap
Book a scoping call for an IRAP or Essential Eight engagement with a quantification option built in.
Related services
- Cyber risk quantification for SOCI & CIRMP — board-ready dollar figures for your CIRMP attestation.
- Third-party & supply-chain cyber risk quantification — quantify the correlated risk in your supply chain.
IRAP is a program of the Australian Signals Directorate. This page describes an assessment service delivered by an ASD-endorsed IRAP assessor and is general information, not authorisation, certification or accreditation. Authorisation decisions rest with the relevant authorising authority.
