Australian Government Information Security Manual (ISM) Compliance

Organisations that wish to do business with the Australian Federal Government must have a compliance assessment conducted by an accredited Information Security Registered Assessors Program (IRAP) assessor. The assessment process is complex and time-consuming, but the benefits from a sales perspective are many. By completing the assessment, companies can attest to the appropriateness and effectiveness of the system’s security controls and their compliance posture so that agencies can determine if the risk of using the system to process their data is at an acceptable level. Companies that have undergone an IRAP assessment demonstrate to their clients that they take cybersecurity seriously and have taken proactive steps to comply with ISM requirements, as the Australian government requires. This helps win new business and provides a valuable boost to their reputation.

There are currently only a limited number of certified assessors in Australia. This can make it difficult to find someone to assess your security controls. Lucky for you, 38North partners with several certified IRAP assessors with a long history of helping companies achieve Australia’s highest levels of security compliance. Collaboratively, we can help ensure that you document your best compliance posture to agency customers. Trust Us to Get You There.

38North logo

38North and IRAP-Certified Partners Are Your Expert Advisors

38North is recognized as an expert cybersecurity organisation. Partnering with certified in-country IRAP assessors, we prepare organisations to tackle the IRAP compliance assessment process— working side-by-side with them throughout the full process.

A little or a lot, we can provide guidance — or help with documentation development, gap analyses, and security engineering — to help you achieve ISM compliance.

The IRAP Compliance Assessment Process

The Australian IRAP compliance assessment process is deceptively long and complex, with updates to the Information Security Manual (ISM) being published by the Australian Cyber Security Centre (ACSC) on a quarterly basis. The applicant and the assessor determine the size and scope of the assessment, meaning there can be a great deal of variability. Fortunately, 38North is an established cloud security compliance advisory firm — providing expert guidance and support — to help you define your boundary and ensure that your compliance posture is clear when undergoing an IRAP assessment. No matter where you are in your IRAP compliance assessment process, 38North can make it easier. ‌Talk with one of our IRAP experts.

IRAP Assessment Challenges

Undergoing an IRAP assessment can be a challenging process due to the complexity and rigor of the security requirements, as well as the quarterly updates to the ISM. Overall, these challenges can cause delays and increased costs in pursuing Australian Federal customers and contracts.

38North IRAP Services

38North can help you demonstrate ISM compliance, no matter where you are in the process.

Boundary Scoping

We start by helping you understand what data you have that must be protected . This lets us know what assets are in scope, and excludes those that aren’t.


Our workshops get you started — with control requirement training and consulting. We also help by using Australian Federal Government practices to design systems and approaches that will withstand IRAP assessments.

ISM Requirements Gap Analysis

Gap analyses help cloud providers and contractors understand what they need to do to comply with the ISM. Our gap analysis will find your gaps against the requirements and deliver a prioritized roadmap of actions required to close compliance gaps.

ISM Advisory Support

38North’s senior security advisors can help you design, deploy, document and maintain a scalable security approach that meets your desired ISM compliance level.

What do I need for my IRAP compliance assessment?

The IRAP assessor will request documentation and artifacts that show the appropriateness and effectiveness of the system’s security controls. This includes policies, procedures, and samplings of artifacts to show procedures are being followed in a consistent and repeatable manner. 38North advisors can work with your teams and help with developing this documentation, in preparation for assessment.

Typically, you should be prepared to present the following documentation, as a baseline:

  • System Overview Document (SOD)
  • Security Risk Management Plan (SRMP)
  • Incident Response Plan (IRP)
  • Media Management Policy (MMP) User Access Management (UAM) Plan
  • Vulnerability and Patch Management Plan (VPM)
  • Audit and Accountability Policy (AAP)
  • Cryptographic Key Management Plan (CKM)
  • System Security Plan (SSP) – including all chapters
  • Statement of Applicability (SOA)
  • Business Impact Level Assessment (BIL) template
  • Configuration Management Plan (CMP)

What do I need for my IRAP authorisation package?

The system owner will compile an Authorisation Package to submit to the authorising authority. In addition to the Security Assessment Report, it should contain:

  • System Security Plan (SSP)
  • Incident Response Plan (IRP)
  • Continuous Monitoring Plan (CMP)
  • Plan Of Action And Milestones (POA&M)
Two people shaking hands at a meeting with package and cloud icon overlay

Your IRAP Compliance Assessment Starts Here

Book an initial IRAP conversation with one of our Australian cloud security experts today and we’ll help you achieve your goal of IRAP compliance — and stronger security.

Contact Us

(Please do not provide additional PII in this box)
This field is for validation purposes and should be left unchanged.