New

Our AI-first training platform is live – safe AI skills, tracked, certified, and audit-ready.

Back to frameworks
Government assurance

IRAP & the ACSC Information Security Manual (ISM)

The ACSC's Information Security Manual is the control catalogue that IRAP-endorsed assessors evaluate systems against, so they can securely handle Australian Government data up to PROTECTED.

IRAP – the Infosec Registered Assessors Program – is run by the Australian Signals Directorate's Australian Cyber Security Centre (ACSC). It endorses suitably qualified cyber security professionals to provide independent assessment of a system's security against the Information Security Manual (ISM). An IRAP assessment is typically the path an organisation takes to demonstrate a system can securely handle Australian Government data, and it underpins a delegate's decision to grant an Authority to Operate (ATO).

It is important to be precise about the relationship between the two: IRAP is the assessment program; the ISM is the control catalogue. An IRAP assessor does not invent controls – they assess your system against the ISM and report on how effectively those controls are implemented.

The ISM in briefLink to this section

The ISM is a comprehensive cyber security framework that ASD updates regularly (typically quarterly). It is built around four cyber security principles, which map to the lifecycle of managing security risk:

  • Govern – identifying and managing security risks.
  • Protect – implementing controls to reduce those risks.
  • Detect – identifying and understanding cyber security events and incidents.
  • Respond – responding to and recovering from incidents.

Beneath the principles sit the ISM's 22 guidelines – from cyber security roles and security documentation through to system hardening, cryptography, gateways, and data transfers. The guidelines contain hundreds of individual controls, each tagged to a principle and to the security classifications it applies to. Because control identifiers change between releases, we work to the current ISM at the time of your assessment rather than a fixed snapshot.

Security classifications and scopeLink to this section

IRAP assessments cover systems handling data up to and including PROTECTED. The Australian Government classification ladder is OFFICIAL → OFFICIAL: Sensitive → PROTECTED → SECRET → TOP SECRET; systems at SECRET and above are handled directly by ASD rather than through IRAP. Establishing the correct classification of the data your system processes, stores and communicates is the first step – it determines which ISM controls apply and how stringently.

The assessment lifecycleLink to this section

An IRAP assessment is not a pass/fail certificate; it is an independent security assessment report that informs a risk-based authorisation decision. It generally proceeds in stages:

  1. Scoping and planning – define the system boundary, its data classification, and the authorisation boundary.
  2. Stage 1 (design review) – assess the security documentation and the design of controls against the ISM, identifying gaps before they are built.
  3. Remediation – address the findings from Stage 1.
  4. Stage 2 (implementation review) – assess the effectiveness of the implemented controls, gathering evidence that they operate as documented.
  5. Security assessment report – the assessor documents the system's security posture, residual risks, and recommendations.
  6. Authorisation – an authorising officer (the delegate) weighs the residual risk and decides whether to grant an Authority to Operate, usually for a defined period, after which reassessment is required.

How the Essential Eight fits inLink to this section

The Essential Eight is a subset of the mitigation strategies within the ISM. Meeting it – patching, MFA, application control, macro restrictions, application hardening, restricting admin privileges, and regular backups – is necessary groundwork for an IRAP assessment, but it is only part of the picture. The ISM goes much further, covering governance, personnel and physical security, cryptography, gateways, and far more. If you are early in the journey, the Essential Eight is the right first milestone; the ISM is the destination.

How we help you reach an Authority to OperateLink to this section

We are compliance specialists who work backwards from the assessor's expectations. Our role is to get your system genuinely ready – and the evidence genuinely in order – so the IRAP assessment is a confirmation rather than a discovery.

  • Scoping and classification. We help you define a clean system and authorisation boundary and confirm the data classification that drives control selection.
  • Documentation. We author the full ISM document set – System Security Plan (SSP), Security Risk Management Plan (SRMP), Incident Response Plan (IRP), and standard operating procedures – to the structure assessors expect.
  • Control implementation. We implement and harden across all 22 guidelines below, mapping each control to your real stack and producing the evidence to prove it.
  • Pre-assessment. We run a mock assessment against the current ISM to surface and close gaps before the IRAP assessor arrives.
  • Through the assessment. We work alongside your IRAP assessor through Stage 1 and Stage 2, and support the authorising officer's risk-based decision.

The table below maps the ISM's 22 guidelines to the control focus within each, and to how we help you implement and evidence them.

ISM guidelines and IRAP assessment scope

Guidelines for Cyber Security Roles

PrincipleControl focusHow we help
GovernChief Information Security Officer – leadership of and accountability for the organisation's cyber security.We help you stand up the CISO function (including on a fractional basis), with clear authority, reporting lines, and an oversight rhythm the assessor can verify.
GovernSystem owners – named accountability for each system and its security posture.We define system ownership and the authorisation responsibilities each owner carries, documented for assessment.

Guidelines for Cyber Security Incidents

PrincipleControl focusHow we help
RespondManaging cyber security incidents – an incident response capability and plan.We write an ISM-aligned incident response plan, define the response team and severities, and prove the capability works with a tabletop exercise.
RespondReporting cyber security incidents – internal escalation and notification to ASD.We bake ASD/ACSC reporting triggers and timelines into your runbooks so notifications are made correctly and quickly.

Guidelines for Procurement and Outsourcing

PrincipleControl focusHow we help
GovernCyber supply chain risk management – assessing risk introduced by suppliers and components.We build supplier risk assessment and tiering aligned to the ISM, covering sub-processors and country-of-origin considerations.
GovernManaged services and cloud services – assurance over outsourced providers.We assess providers' IRAP status, document shared-responsibility boundaries, and ensure contracts carry the right security and data-sovereignty clauses.

Guidelines for Security Documentation

PrincipleControl focusHow we help
GovernDevelopment and maintenance of security documentation – a current, governed document set.We produce the full ISM documentation suite and keep it version-controlled with a defined review cycle.
GovernSystem-specific documentation – SSP, SRMP, IRP, SOPs and continuity plans.We author the System Security Plan, Security Risk Management Plan, Incident Response Plan and standard operating procedures to the structure assessors expect.

Guidelines for Physical Security

PrincipleControl focusHow we help
ProtectFacilities and systems – protecting the environments that house systems to the appropriate security zone.We map physical security zone requirements to your sites and document compliant arrangements, including data-centre attestations.
ProtectICT equipment and media – siting and protection of equipment handling sensitive data.We define siting, access and protection controls for equipment and media, scaled to the classification involved.

Guidelines for Personnel Security

PrincipleControl focusHow we help
GovernCyber security awareness training – building security competence across the workforce.We deliver role-based awareness training with completion evidence aligned to ISM expectations.
ProtectAccess to systems – clearances, need-to-know and authorisation of access.We implement need-to-know and clearance-based access controls and document the authorisation process for each system.

Guidelines for Communications Infrastructure

PrincipleControl focusHow we help
ProtectCabling infrastructure – installation and protection of cabling to the relevant standard.We assess cabling against ISM requirements for the applicable classification and document compliant installations.
ProtectEmanation security (TEMPEST) – controlling unintended emissions in higher-classification environments.We advise where emanation security applies and coordinate ASD guidance for higher-classification fit-outs.

Guidelines for Communications Systems

PrincipleControl focusHow we help
ProtectTelephony, video conferencing and IP telephony – protecting voice and conferencing channels.We secure unified-communications platforms and document call and conferencing protections for sensitive discussions.
ProtectFax machines and multifunction devices – controlling legacy data paths.We harden or retire MFD and fax paths that could leak sensitive data, and document the decision.

Guidelines for Enterprise Mobility

PrincipleControl focusHow we help
ProtectMobile device management – enforced policy on managed mobile devices.We deploy MDM with ISM-aligned policy – encryption, enrolment, app control – and document the configuration.
ProtectMobile device usage – acceptable use, including overseas travel with sensitive data.We write mobile usage and travel policies, including secure handling of devices and data when staff travel overseas.

Guidelines for Evaluated Products

PrincipleControl focusHow we help
GovernEvaluated product selection and usage – using assured products in their evaluated configuration.We help you select Common Criteria or ASD-evaluated products where required and deploy them in their evaluated configuration.

Guidelines for ICT Equipment

PrincipleControl focusHow we help
ProtectICT equipment management – controlled lifecycle for equipment handling sensitive data.We maintain an equipment register with classification handling and lifecycle controls.
ProtectSanitisation and disposal – securely retiring equipment.We implement certified sanitisation and disposal with destruction certificates, per ISM media-handling rules.

Guidelines for Media

PrincipleControl focusHow we help
ProtectMedia usage – controlling sensitive data on removable and fixed media.We define removable-media policy, encryption and registers to keep sensitive data accounted for.
ProtectMedia sanitisation, destruction and disposal – verifiable end-of-life handling.We implement ISM-compliant sanitisation and destruction procedures with retained evidence.

Guidelines for System Hardening

PrincipleControl focusHow we help
ProtectOperating system hardening – removing unneeded functionality and enforcing baselines.We apply ASD and vendor hardening guides, strip unnecessary functionality, and enforce a measured secure baseline.
ProtectApplication hardening – including the Essential Eight controls the ISM incorporates.We harden Office, browsers, PDF readers and runtimes, implementing the Essential Eight application-hardening and macro controls the ISM builds on.
ProtectAuthentication hardening – strong, phishing-resistant authentication and credential protection.We enforce phishing-resistant MFA, credential-protection technologies, and session controls across the system.
ProtectVirtualisation and server-role hardening – securing hypervisors and server functions.We harden hypervisors and server roles and document the secure configuration baseline for assessment.

Guidelines for System Management

PrincipleControl focusHow we help
ProtectSystem administration – secure, separated administration of systems.We implement separated administration with Privileged Access Workstations, just-in-time elevation, and full logging.
ProtectSystem patching – meeting ISM patch timeframes for applications and operating systems.We run a patch programme that meets ISM timeframes, mirroring the Essential Eight patch controls, with exception tracking.
ProtectData backup and restoration – protected, tested recovery.We design protected, access-controlled backups and validate them through documented restoration exercises.

Guidelines for System Monitoring

PrincipleControl focusHow we help
DetectEvent logging and monitoring – capturing, protecting and reviewing security-relevant events.We define centralised, protected logging and monitoring (SIEM or managed detection) aligned to ISM event-logging requirements.
DetectVulnerability management – vulnerability scanning and penetration testing.We run regular vulnerability scanning and coordinate penetration testing, tracking remediation to closure with evidence.

Guidelines for Software Development

PrincipleControl focusHow we help
ProtectSecure application development – security embedded across the development lifecycle.We embed secure-SDLC practices – threat modelling, secure coding standards, and testing – into your pipeline.
ProtectWeb application development – hardening internet-facing applications.We align web applications to OWASP and ISM web-hardening requirements, with security testing as a release gate.

Guidelines for Database Systems

PrincipleControl focusHow we help
ProtectDatabase servers – hardening and isolating database infrastructure.We harden and segment database servers and restrict administrative access to them.
ProtectDatabase management and content – protecting the data itself.We implement least-privilege database access, encryption of sensitive fields, and monitoring of high-value data.

Guidelines for Email

PrincipleControl focusHow we help
ProtectEmail usage – protective markings and acceptable handling of sensitive information.We set protective-marking and acceptable-use rules for email handling of sensitive information.
ProtectEmail gateways and servers – anti-spoofing, filtering and encryption.We deploy SPF, DKIM and DMARC, content filtering, and TLS to ISM standards to protect inbound and outbound mail.

Guidelines for Networking

PrincipleControl focusHow we help
ProtectNetwork design and configuration – a segmented, defensible architecture.We design segmented, defensible network architecture and document the data flows and trust boundaries for assessment.
ProtectWireless networks – securing wireless access to ISM standards.We secure wireless with strong authentication and segregation from sensitive zones.
ProtectService continuity for online services – resilience of internet-facing services.We plan DDoS resilience and availability protections for your internet-facing services.

Guidelines for Cryptography

PrincipleControl focusHow we help
ProtectCryptographic fundamentals – using ASD Approved Cryptographic Algorithms with sound key management.We ensure only ASD Approved Cryptographic Algorithms and Protocols are in use, with a documented key-management lifecycle.
ProtectTransport and protocol security – TLS, SSH, S/MIME and IPsec configured to approved parameters.We configure TLS, SSH, S/MIME and IPsec to ISM-approved parameters and retire weak protocols and ciphers.

Guidelines for Gateways

PrincipleControl focusHow we help
ProtectGateways and firewalls – controlled, logged traffic flows between networks.We design ISM-compliant gateway and firewall architecture with controlled, logged, default-deny traffic flows.
ProtectCross Domain Solutions and diodes – bridging domains of differing classification.We advise on Cross Domain Solutions and data diodes where information must move between domains of differing classification.
ProtectWeb proxies and content filtering – controlling web usage.We implement web filtering and proxy controls aligned to ISM web-usage requirements.

Guidelines for Data Transfers

PrincipleControl focusHow we help
ProtectData transfer processes – authorised, filtered movement of data between systems.We define import/export procedures, content filtering, and authorisation for moving data between systems and classifications.

Need help with compliance?

From ISO 27001 readiness to SOC 2 audits, we help teams build practical programs that satisfy assessors and work in the real world.