Australian Government Information Security Registered Assessor Program (IRAP)

The Information Security Registered Assessor Program (IRAP) provides a comprehensive process for the independent assessment of a system's security against Australian government policies and guidelines. The IRAP goal is to maximize the security of Australian federal, state, and local government data by focusing on the information and communications technology infrastructure that stores, processes, and communicates it.

IRAP overview

The Information Security Registered Assessors Program (IRAP) is governed and administered by the Australian Cyber Security Centre (ACSC). IRAP provides the framework to endorse individuals from the private and public sectors to provide cyber security assessment services to the Australian government. Endorsed IRAP assessors can provide an independent assessment of ICT security, suggest mitigations and highlight residual risks. IRAP provides a comprehensive process for the independent assessment of a system's security against Australian government policies and guidelines. The IRAP goal is to maximize the security of Australian federal, state, and local government data by focusing on the information and communications technology infrastructure that stores, processes, and communicates it.

  • In 2014, Azure was launched as the first IRAP-assessed cloud service in Australia, hosted from datacenters in Melbourne and Sydney. These two datacenters give Australian customers control over where their customer data is stored, while also providing enhanced data durability in there are disasters through backups at both locations.
  • In early 2015, Office 365 became the first cloud productivity service to complete this assessment.
  • In April 2015, the ASD announced the CCSL certification of both Azure and Office 365, and in November 2015, of Dynamics 365.
  • In June 2017, ASD announced the recertification of Microsoft Azure and Office 365 for a greatly expanded set of services.
  • In April 2018, the ACSC announced the certification of Azure and Office 365 at the PROTECTED classification. Microsoft is the first and only public cloud provider to achieve this level of certification.
  • In September 2019, Microsoft's updated IRAP assessment scope expanded to include 113 services at the PROTECTED classification.
  • In December 2020, Microsoft released two incremental IRAP assessments for Azure and Office 365. These reports utilized the new guidance post the cessation of the Certified Cloud Services List (CCSL). The reports contain both an assessment of Microsoft as a Cloud Service Provider (CSP) and other services that are incremental to the 2019 reports across Azure, Dynamics, and Office 365.

Microsoft and IRAP

In December 2020, Microsoft completed two incremental Azure & Dynamics and Office 365 assessments. These assessments added more services assessed to the classification level of PROTECTED. Moreover, these assessments were conducted under the new, post CCSL Cloud Security Guidance as outlined in the Anatomy of a Cloud Assessment and Authorisation guidance from the ACSC.

For each assessment, Microsoft engaged an ACSC-accredited IRAP assessor who examined the security controls and processes used by Microsoft's IT operations team, physical datacenters, intrusion detection, cryptography, cross-domain and network security, access control, and information security risk management of in-scope services. The IRAP assessments found that the Microsoft system architecture is based on sound security principles, and that the applicable Australian Government Information Security Manual (ISM) controls are in place and fully effective within our assessed services.

The risk management framework used by the ISM draws from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 Rev. 2. Within this risk management framework, the identification of risks and selection of security controls can be undertaken using various risk management standards, such as International Organization for Standardization (ISO) 31000:2018, Risk management - Guidelines. Broadly, the risk management framework used by the ISM has six steps:

  • Define the system
  • Select security controls
  • Implement security controls
  • Assess security controls
  • Authorize the system
  • Monitor the system

As always, additional compensating controls can be implemented on a risk-managed basis by individual agencies prior to agency authorization and subsequent use of these cloud services.

The IRAP assessment of Microsoft's services and cloud operations helps provide assurance to public sector customers in government and their partners that Microsoft has appropriate and effective security controls in place for the processing, storage, and transmission of data classified up to and including the level of PROTECTED. This assessment includes most government, healthcare, and education data in Australia.

Microsoft in-scope cloud platforms & services

Azure, Dynamics 365, and IRAP

For more information about Azure, Dynamics 365, and other online services compliance, see the Azure IRAP offering.

Office 365 and IRAP

Office 365 cloud environments

Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.

This section covers the following Office 365 cloud environments:

  • Client software (Client): commercial client software running on customer devices.
  • Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
  • Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
  • Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIBs), and government contractors.
  • Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.

Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about Office 365 Government cloud environment, see the Office 365 Government Cloud article.

Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.

Office 365 applicability and in-scope services

Use the following table to determine applicability for your Office 365 services and subscription:

Applicability In-scope services
Commercial Exchange Online, Exchange Online Protection, Forms, Microsoft Teams, Office 365 Customer Portal, Office Online, Office Service Infrastructure, OneDrive for Business, Planner, SharePoint Online, Skype for Business, Whiteboard, Yammer

Frequently asked questions

To whom does the IRAP apply?

IRAP applies to all Australian federal, state, and local government agencies that use cloud services. New Zealand government agencies require compliance with a standard similar to the Australian Government ISM, so they may also use the IRAP assessments.

Can I use Microsoft's compliance in my organization's risk assessment and approval process?

Yes. If your organization requires or is seeking an approval to operate in line with the ISM, you can use the IRAP security assessments of Azure, Dynamics 365, Microsoft Managed Desktop, and Office 365 in your risk assessment. You are, however, responsible for engaging an assessor to evaluate your implementation as deployed on Microsoft's platforms, and for the controls and processes within your own organization.

Where do I start with my organization's own risk assessment and approval to operate?

It is recommended that you read the Cloud Security Assessments guidance from the ACSC.

Use Microsoft Compliance Manager to assess your risk

Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.

Resources