IRAP Assessment Guide Australia: What It Takes to Build an IRAP Assessed Cloud

29 Jun 2026, by James Braunegg, CEO and Founder, Micron21

Micron21 has always believed in certifications. Anyone can claim their infrastructure is secure; the question is whether you are willing to put that claim in front of an independent expert and have it tested, control by control, against the toughest standard available. We did it with our Tier IV data centre certification through the Uptime Institute, and we have applied the same philosophy to information security.

When it comes to Australian security certification for IT services supporting government, IRAP sits at the very top. Whether you serve local councils, state government, federal departments or defence, an IRAP assessment is the pinnacle of security assessments in this country. In this guide I’ll explain what an IRAP assessment in Australia actually involves, share what we learned taking Micron21 through the process (twice), and offer practical advice for any provider or agency considering the journey, including why the name on the front of your report matters more than most people realise.

What is an IRAP assessment?

IRAP stands for the Infosec Registered Assessors Program. It is administered by the Australian Signals Directorate (ASD), the agency responsible for the Australian Government Information Security Manual (ISM). Under the program, ASD endorses experienced ICT security professionals as IRAP assessors. These assessors independently evaluate a system, platform or service against the controls in the ISM and produce a detailed report on how effectively each applicable control has been implemented.

An IRAP assessment is not a tick-box exercise. The assessor reviews your documentation, interviews your people, inspects your systems and tests whether controls are effective in design and in day-to-day operation. The output is an IRAP report and a security control matrix that government agencies use to make their own risk-based decisions about whether to consume your service and at what classification level, such as OFFICIAL: Sensitive or PROTECTED.

One point worth being precise about: IRAP assessors assess; they do not certify. Since the Certified Cloud Services List (CCSL) was retired in 2020, each agency makes its own authorisation decision based on the quality and findings of your IRAP report. That is exactly why the depth and credibility of the report, and of the person who wrote it, carries so much weight.

Why IRAP matters at every level of government

It is easy to assume IRAP is only a federal or defence concern. In practice, an IRAP assessment in Australia has become the common reference point across the whole public sector. Local councils hold ratepayer data, state governments run health and education systems, federal departments and defence handle classified information. All of them face the same question when procuring cloud and hosting services: how do we know this provider actually meets the ISM? An IRAP report is the most rigorous answer available, and increasingly it is the expected one.

Micron21 and IRAP: not our first rodeo

Micron21 is not new to IRAP. We started our first assessment in 2017 and completed it in 2018, when our VMware-based public cloud platform was IRAP assessed against the then Unclassified: DLM level (a marking since replaced by OFFICIAL: Sensitive under the reformed Protective Security Policy Framework). That assessment allowed us to provide government departments with independently assessed cloud services, hosted within our Uptime Institute certified Tier IV data centre.

Since 2018, our security maturity has moved on considerably. Today, Micron21 is actively compliant with ASD’s Essential Eight at Maturity Level 2 across our entire organisation, not just a single platform. Essential Eight ML2 is designed to defend against adversaries with more advanced tradecraft who are willing to invest real time and effort in a specific target, and applying it organisation-wide means every business function operates to the same standard.

More importantly, our mCloud platform, which provides cloud services spanning IaaS, PaaS and SaaS, along with GPU as a service, is currently undergoing an IRAP assessment for PROTECTED.

Why we are going for PROTECTED

We built mCloud to help businesses and government departments move away from the rising cost of VMware, but our ambition was always bigger than that. We also built it as a true alternative to the big overseas cloud providers, AWS, Azure and Google, because we want Micron21 to be the Australian sovereign hyperscale cloud provider: hyperscale capability, owned and operated in Australia, answering to Australian jurisdiction alone. From day one, we wanted the services we designed to meet the highest possible standard, because a cheaper or more sovereign platform is worthless to a government client if it cannot carry their security obligations. As of June 2026, we are undergoing an intensive assessment across our entire mCloud product range so we can give complete assurance to our government clients that our systems meet and exceed the ISM requirements for PROTECTED status.

So how are we achieving this? The honest answer is years of groundwork, followed by a methodical uplift. The steps below are the same ones I would recommend to any provider considering an IRAP assessment.

Step 1: Start from a real security foundation

Micron21 was already ISO 27001 certified, together with the ISO 27017, ISO 27018 and ISO 27019 extensions, and we have tightly followed key principles of information security for many years. This matters because IRAP is not a starting point; it is a proving ground. If your organisation does not already live and breathe an information security management system, with documented policies, risk registers, change control and audit history, an IRAP assessment will expose that quickly. Get the foundation right first.

Step 2: Map your documentation to the ISM controls

Our first practical step was mapping our existing documentation against the ISM controls and reviewing exactly what was missing. The ISM contains well over a thousand controls across guidelines covering everything from governance and personnel security to cryptography, networking and physical security. You cannot manage what you have not mapped.

We then forked our entire documentation set to add the required level of detail. This is a step many providers underestimate: ISO 27001 documentation and ISM documentation are related but not interchangeable. The ISM expects specificity. It is not enough to say patching occurs regularly; the assessor wants to see the defined timeframes, the tooling, the responsible roles and the evidence trail.

Step 3: Build a control mapping register

To run the process, we developed a spreadsheet mapping every ISM control to its scope, responsibility and implementation evidence. For each control we track which guideline and section it belongs to, whether it applies to our administration environment, our common cloud controls or a specific service, who owns it (provider or consumer), its implementation status, and exactly where the evidence lives in our documentation. A simplified extract looks like this:

Identifier | Guideline / Topic | Control summary | Provider status | Evidence
ISM-1997 | Cyber security roles / Embedding cyber security | The board or executive committee defines clear cyber security roles and responsibilities across the organisation. | Effective | System Manual, Section 04.4
ISM-1998 | Cyber security roles / Embedding cyber security | The board or executive committee ensures cyber security is integrated throughout all business functions. | Effective | System Manual, Section 04.5
ISM-1999 | Cyber security roles / Embedding cyber security | The board or executive committee ensures the cyber security strategy aligns with the organisation’s strategic direction. | Effective | System Manual, Section 04.6

Notice that governance controls appear right at the top of the register. The ISM starts with the board of directors for a reason: if cyber security is not embedded at the executive level, nothing downstream holds together. For anyone planning their own register, an excellent free resource listing all ISM controls in a searchable format is mouat.net.au/ism/controls.
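The register described in Steps 2 and 3 is easy to keep as a spreadsheet, but the useful part is the checks you run over it: which provider-owned controls are still open, which "Effective" controls have no evidence trail, and which evidence references point at documentation sections that do not actually exist. The following Python is an example added to this guide; it is not Micron21's register or any ASD tooling. The CSV layout, the status vocabulary, the KNOWN_SECTIONS index and the helper names are assumptions for the example. The three ISM-199x rows are the ones quoted above; the ISM-900x identifiers are constructed placeholders, not real ISM controls.

```python
"""Minimal ISM control mapping register with gap and evidence checks.

Example code added to this guide. It is not Micron21's register or any
ASD tooling; the CSV layout, status vocabulary and helper names are
assumptions chosen for the example.
"""
import csv
from collections import defaultdict
from dataclasses import dataclass
from io import StringIO

# Assumed status vocabulary for the register (not an ISM-defined list).
VALID_STATUSES = {"Effective", "Alternate control", "Ineffective",
                  "Not implemented", "Not applicable"}
# Statuses that count as "implemented" for coverage purposes.
IMPLEMENTED = {"Effective", "Alternate control"}


@dataclass(frozen=True)
class Control:
    identifier: str
    guideline: str   # ISM guideline / topic the control sits under
    summary: str
    scope: str       # administration environment, common cloud controls, or a service
    owner: str       # "Provider" or "Consumer" (shared responsibility)
    status: str
    evidence: str    # document and section where the evidence lives ("" if none)


# Constructed register extract. The three ISM-199x rows are the ones quoted
# in the guide; ISM-9001 to ISM-9004 are placeholder identifiers invented
# for this example and do not correspond to real ISM controls.
REGISTER_CSV = """identifier,guideline,summary,scope,owner,status,evidence
ISM-1997,Cyber security roles / Embedding cyber security,The board or executive committee defines clear cyber security roles and responsibilities across the organisation.,Common cloud controls,Provider,Effective,System Manual Section 04.4
ISM-1998,Cyber security roles / Embedding cyber security,The board or executive committee ensures cyber security is integrated throughout all business functions.,Common cloud controls,Provider,Effective,System Manual Section 04.5
ISM-1999,Cyber security roles / Embedding cyber security,The board or executive committee ensures the cyber security strategy aligns with the organisation's strategic direction.,Common cloud controls,Provider,Effective,System Manual Section 04.6
ISM-9001,Placeholder / Patching,Placeholder: patches are applied within defined timeframes.,Administration,Provider,Not implemented,
ISM-9002,Placeholder / Tenant accounts,Placeholder: the consumer manages its own tenant user accounts.,mCloud IaaS,Consumer,Effective,Shared Responsibility Matrix Section 2
ISM-9003,Placeholder / Patching,Placeholder: patch status is reported to the CISO monthly.,Administration,Provider,Effective,Patch Procedure Section 9
ISM-9004,Placeholder / Logging,Placeholder: event logs are centrally collected.,Common cloud controls,Provider,Effective,
"""

# Constructed index of the documentation sections that actually exist.
KNOWN_SECTIONS = {
    "System Manual Section 04.4",
    "System Manual Section 04.5",
    "System Manual Section 04.6",
    "Shared Responsibility Matrix Section 2",
}


def load_register(text):
    """Parse the CSV register, rejecting any row with an unknown status."""
    controls = []
    for row in csv.DictReader(StringIO(text)):
        status = row["status"].strip()
        if status not in VALID_STATUSES:
            raise ValueError(f"{row['identifier']}: unknown status {status!r}")
        controls.append(Control(
            row["identifier"].strip(), row["guideline"].strip(),
            row["summary"].strip(), row["scope"].strip(),
            row["owner"].strip(), status, row["evidence"].strip()))
    return controls


def provider_gaps(controls):
    """Provider-owned, applicable controls that are not yet implemented."""
    return [c.identifier for c in controls
            if c.owner == "Provider"
            and c.status not in IMPLEMENTED
            and c.status != "Not applicable"]


def evidence_problems(controls, known_sections):
    """Implemented controls whose evidence trail is missing, or points at a
    documentation section that is not in the index."""
    problems = {}
    for c in controls:
        if c.status not in IMPLEMENTED:
            continue
        if not c.evidence:
            problems[c.identifier] = "no evidence recorded"
        elif c.evidence not in known_sections:
            problems[c.identifier] = "evidence reference not found"
    return problems


def coverage_by_guideline(controls):
    """(implemented, applicable) counts per guideline, across all owners."""
    counts = defaultdict(lambda: [0, 0])
    for c in controls:
        if c.status == "Not applicable":
            continue
        counts[c.guideline][1] += 1
        if c.status in IMPLEMENTED:
            counts[c.guideline][0] += 1
    return {g: tuple(v) for g, v in counts.items()}


if __name__ == "__main__":
    reg = load_register(REGISTER_CSV)
    print("Provider gaps:", provider_gaps(reg))
    print("Evidence problems:", evidence_problems(reg, KNOWN_SECTIONS))
    for guideline, (done, total) in sorted(coverage_by_guideline(reg).items()):
        print(f"{guideline}: {done}/{total} implemented")
```

Run against the constructed extract, the script flags ISM-9001 as an open provider gap, ISM-9003 as pointing at a section that is not in the documentation index, and ISM-9004 as marked Effective with no evidence at all. The last two are exactly the "documentation does not match operational reality" failures the assessor will find, and catching them in your own register is far cheaper than having them appear in the report.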

Step 4: Plan for the Hosting Certification Framework

An IRAP assessment rarely lives in isolation. For providers hosting government data, the Hosting Certification Framework (HCF), administered by the Department of Home Affairs, sets sovereignty, ownership and security requirements, and all sensitive government data and PROTECTED systems must be hosted using certified services. We made a deliberate decision to build our uplift around the 2026 version 2 of the framework, under which no applicable controls are allowed to go unmet. That meant ensuring not only that the right documentation was in place, but that our procedures, systems and applications all adhered to the same process. Documentation that does not match operational reality is the fastest way to fail an assessment, and it deserves to be.

Step 5: Choose your IRAP assessor carefully

Here is something the official guidance will not tell you directly: not all ASD-endorsed IRAP assessors are equal. Every assessor on the ASD list is qualified, but skill, depth of ISM knowledge and standing within government vary enormously, and the name on the report means everything. A federal department or defence agency reviewing your IRAP report will weigh it differently depending on who wrote it and their history of producing fair, rigorous, highly detailed assessments.

A key part of our current PROTECTED assessment was selecting an assessor who understood our technology stack and carried genuine weight within defence and government. We engaged Andrew McLarty of S2 Strategic, who in my view is the godfather of IRAP assessments in Australia, having trained the very assessors who undertook the IRAP assessments for Azure and AWS. As with our Tier IV journey, Micron21 wanted the end result to be recognised by a highly respected auditor within Commonwealth government departments, including defence.

My practical advice when selecting an assessor: ask who they have assessed, ask agencies whether they know the name, and ask to see a sanitised sample of their reporting style. A cheap, shallow report can cost you far more than it saves, because the agency consuming it will simply discount it.

Step 6: The assessment itself

Expect intensity. An IRAP assessment for PROTECTED examines design effectiveness (is the control properly specified and architected?) and operational effectiveness (is it actually working, with evidence?). Across our mCloud product range that means documentation review, architecture walkthroughs, interviews with engineers and executives, and inspection of live systems, from identity and access management through to cryptography, logging and patching cadence.

The assessment also includes a physical audit. The assessor walks the facility in person, inspecting hardware, cabling, processes and physical security controls, because paperwork means nothing if the racks tell a different story. This is where our facility does the talking: our data centre is not only Uptime Institute certified Tier IV, it is also SCEC Zone 4 rated, allowing us to hold workloads up to TOP SECRET. That combination of fault tolerance and physical security accreditation makes it the perfect home for a PROTECTED public and private cloud platform like mCloud. At the end of the process, the assessor produces the IRAP report and security control matrix that agencies rely on for their own authorisation decisions.

What an IRAP assessed cloud means for government buyers

If you are a council, agency or department evaluating providers, an IRAP assessed cloud gives you three things you cannot get from marketing material. First, independence: an ASD-endorsed professional has personally verified the claims. Second, transparency: the security control matrix shows you control by control what the provider does, what remains your responsibility as the consumer, and where compensating controls exist. Third, sovereignty: combined with the Hosting Certification Framework, you know where your data lives, who owns the infrastructure and which jurisdiction it answers to. At Micron21, that means Australian-owned infrastructure, in an Australian Tier IV, SCEC Zone 4 data centre, assessed against Australian standards, from a provider whose stated goal is to be the Australian sovereign hyperscale cloud: the local answer to AWS, Azure and Google for government workloads.

Frequently asked questions

What is an IRAP assessment in Australia?

An IRAP assessment is an independent security assessment of a system or cloud service against the Australian Government Information Security Manual, performed by an assessor endorsed by the Australian Signals Directorate. The result is a detailed report and control matrix that government agencies use to make risk-based authorisation decisions.

Does an IRAP assessment certify my service?

No. IRAP assessors assess rather than certify. Each government agency reviews the IRAP report and makes its own decision to authorise the service at a given classification level. This is why the rigour of the report and the reputation of the assessor matter so much.

How long does an IRAP assessment take?

It depends on scope and maturity. The assessment engagement itself typically runs over months, but the real timeline is the preparation: mapping ISM controls, uplifting documentation and remediating gaps. For a complex platform, preparing properly can take a year or more. Starting from an established ISO 27001 foundation, as we did, shortens the journey considerably.

The bottom line

An IRAP assessment is the most demanding security assessment available to IT providers in Australia, and that is precisely its value. It forced us to document better, engineer better and govern better, and it gives our government clients evidence rather than promises. Micron21 was assessed in 2018, and as of June 2026 we are deep into our PROTECTED assessment across the entire mCloud range, from IaaS, PaaS and SaaS to GPU as a service, all hosted in our Australian Tier IV, SCEC Zone 4 data centre. It is the foundation of our ambition to be the Australian sovereign hyperscale cloud provider, so that government never has to choose between sovereignty and capability again.

If your agency or business needs an IRAP assessed cloud built and operated in Australia, or you are a provider starting your own IRAP journey and want to compare notes, get in touch with the Micron21 team at micron21.com.
