

March 8, 2023 · 4 min · Arjen Lentz

ISM IRAP Australia Mitigation Risk Framework

The Australian Information Security Manual (ISM) as maintained by the Australian Cyber Security Centre (ACSC) is a very detailed and comprehensive document.

Whereas ISO 27001 is a framework for (part of) an organisation, the ISM focuses on a specific System (a software, hardware or service solution).


The ISM forms the basis for the InfoSec Registered Assessors Program (IRAP). Systems built for the Australian Government and its various Agencies require IRAP certification to be allowed to operate.

Australian Defence’s ICT Accreditation processes (ICTA, PICTA) align fairly closely with IRAP.

IRAP assessors are trained, and operate under very strict guidelines.

The foundation of IRAP documentation is the System Security Policy (SSP) with its Statement of Applicability (SoA) Annex, and the Security Risk Management Program (SRMP). A substantial number of other documents and processes are involved as well.

This is just to make it clear that IRAP is not a walk in the park.

However, if your organisation already works within the ISO 27001 framework, IRAP is much easier to work with and many documents can be re-used or adapted. The reverse is also true: if you build a System and get it IRAP accredited, you'll be able to use (some of) that work for ISO 27001 within your organisation. And in any case, your organisation's understanding of the frameworks will develop, which is valuable in itself.

Risk Based Approach

ISM and IRAP work according to a risk-based approach. Risk is assessed through likelihood and impact, after which appropriate mitigations can be adopted. Every system is different. It is no use spending an inordinate amount of time pondering one threat scenario when other, more likely threats are lurking un-assessed.

Just like ISO 27001, each Control is also an opportunity. If you happen (or are able) to comply with a Control, i.e. fully implement it, that's great. Full compliance is possible, even to a very high degree; we know this from experience. It just depends on the System Environment we're dealing with.


IRAP assessors work in the following stages:

  • Stage 0: Ready? Some IRAP assessors offer this optional stage to help you see whether you're ready for Stage 1.
  • Stage 1: Documentation. Review of the SoA, SSP, SRMP and related documents.
  • Stage 2: "Show Me". Verification. For example, you've documented that you use cryptographic keys of a certain length? The assessor will now ask you to show them, including how and when they are rotated.

There are feedback cycles for each Stage.

The IRAP assessor's final Report on Stages 1 and 2 will contain a recommendation for accreditation, which is reviewed before certification. Renewal is required every two years.

Which ISM Revision for Our IRAP

ISM Updates are currently published every three months.

IRAP requires that the ISM used is the most recent available at Stage 1. Of course, documentation takes time; and if an ISM revision changes some things, it could even have flow-on effects into architecture. This brings us back to the fact that ISM/IRAP are risk based, not absolute.

In any case, it is good to aim for the most recent ISM revision; the previous one can be acceptable, but an old one will simply not be accepted.

How Serious is IRAP

We've explained how it works, and hopefully impressed upon you that IRAP is by no means a paper tiger, at least not any more. IRAP assessors have to be strict, and the "show me" stage (Stage 2) means you (and we, if you take us on board) will need to have done all the necessary homework.

Organisations don't get brownie points simply for trying, which is entirely fair because much is at stake. Malicious actors won't care about an organisation's priorities or the reasons behind certain design decisions. They will make use of any exploitable vulnerability that suits their objectives.

We need ISM/IRAP for a System

Ok, great, let's talk! But let's set your expectations: you're not going to complete this journey within a few months. It is a major undertaking, and not just in terms of documentation.

We have experience in guiding an organisation through the entire process of achieving IRAP certification on complex Systems. We also partner with specialised GRC (Governance, Risk and Compliance) companies to help you meet your documentation needs, which can speed things up.

Security Clearance

We have people with up to NV1 (Negative Vetting 1) Security Clearance. You may require this for us to work with you on, for instance, a Defence contract.

Contact Us to discuss your needs in detail.