Australia IRAP overview
The Information Security Registered Assessors Program (IRAP) provides a comprehensive process for the independent assessment of a system’s security against the Australian Government Information Security Manual (ISM) requirements. The IRAP goal is to maximize the security of Australian federal, state, and local government data by focusing on the information and communications technology (ICT) infrastructure intended for data storage, processing, and communication. IRAP is governed and administered by the Australian Cyber Security Centre (ACSC). It describes the mechanism for cloud services to assess security controls within their platforms and a framework to endorse individuals from the private and public sectors to provide cyber security assessment services to the Australian government. Endorsed IRAP assessors can provide an independent assessment of ICT security, suggest risk mitigations, and highlight residual risks.
The risk management framework used by the ACSC ISM draws from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 Rev. 2 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. Within this risk management framework, the identification of risks and selection of security controls can be undertaken using a variety of risk management standards, such as the ISO 31000:2018, Risk management – Guidelines. Broadly, the risk management framework used by the ISM has six steps: define the system, select security controls, implement security controls, assess security controls, authorize the system, and monitor the system.
The ACSC used to maintain the Cloud Services Certification Program (CSCP) through which cloud services were certified and featured on the Certified Cloud Services List (CCSL). However, pursuant to a review of CSCP and IRAP, ACSC ceased the CSCP and CCSL in 2020. All prior cloud services certification and re-certification letters issued by the Australian Signals Directorate (ASD) have been declared void. Following the cessation of CSCP and CCSL, ACSC and the Digital Transformation Agency (DTA) released new cloud security guidance. The new guidance instructs Commonwealth entities, cloud service providers (CSPs), and IRAP assessors how to perform a comprehensive security assessment of a CSP and its cloud services, leading to a risk-based decision on its suitability to handle an organization's data.
Azure and Australia IRAP
An IRAP assessment has been completed for the Azure in-scope services for the processing of government data in Australian regions up to and including the PROTECTED level. Additional compensating controls are to be implemented on a risk-managed basis by individual agencies prior to agency authorization and subsequent use of these cloud services. The ACSC encourages adoption of a risk-managed approach with respect to the controls listed in the Australian Government Information Security Manual (ISM) and Protective Security Policy Framework (PSPF).
Through the previous Australian Government certification process, Azure was IRAP assessed and certified by the ACSC at both the Unclassified Dissemination Limiting Marker (DLM) (now OFFICIAL: Sensitive) and PROTECTED levels. This process resulted in Azure being included on the CCSL, which was used to identify cloud services that had successfully completed an IRAP assessment and were awarded certification by the ACSC. Following the closure of CCSL in July 2020, Microsoft will continue to have Azure cloud services assessed by an IRAP assessor, while agencies can continue to self-assess or procure the services of an IRAP assessor to assess their own systems deployed on Azure. Commonwealth entities remain responsible for their own assurance and risk management activities. Agencies can engage the ACSC through their normal channels for assistance with this process.
To assist customers with their authorization decisions, Microsoft makes our IRAP assessment report and supporting documents available for download from the Azure portal audit reports blade (login required). You must have an existing Azure subscription or free Azure trial account to login. Additional documents and configuration guidance for operating at the PROTECTED level are available from the Azure Australia documentation repository.
The assessment of Microsoft's services in Australia covers the four available Azure regions. For Government and critical infrastructure, we've deployed two regions designed specifically for your needs that are delivered from CDC datacenters in Canberra: Australia Central and Australia Central 2. The differences between the Australian regions are covered in detail in the Azure IRAP Assessment report.
For each assessment, Microsoft engaged an ACSC-accredited IRAP assessor who examined the security controls and processes used by Microsoft's cloud operations team, physical datacenters, intrusion detection, cryptography, cross-domain and network security, access control, and information security risk management of in-scope services. The IRAP assessments found that the Microsoft system architecture is based on sound security principles, and that the applicable Australian Government Information Security Manual (ISM) controls are in place and operating effectively within our assessed services.
The IRAP assessment of Microsoft's cloud services helps provide assurance to public sector customers in government and their partners that Microsoft has appropriate and effective security controls in place for the processing, storage, and transmission of data at the PROTECTED level and below. This assessment is applicable to the majority of government, healthcare, and education data in Australia.
For additional customer assistance, Microsoft provides Azure Blueprints, which is a service that helps you deploy and update cloud environments in a repeatable manner using composable artifacts such as Azure Resource Manager templates to provision resources, role-based access controls, and policies. Resources provisioned through Azure Blueprints adhere to an organization’s standards, patterns, and compliance requirements. The overarching goal of Azure Blueprints is to help automate compliance and cybersecurity risk management in cloud environments. To help you deploy a core set of policies for any Azure-based architecture that must implement ISM PROTECTED controls, Azure has released the Azure Blueprint for Australian Government ISM PROTECTED. When assigned to an architecture, resources are evaluated by Azure Policy for compliance with assigned policy definitions.
Services in scope
Microsoft online services in scope are shown in the Azure IRAP Assessment Report:
- Azure (for detailed insight, see Microsoft Azure Compliance Offerings or Azure IRAP Assessment Report)
- Azure DevOps
- Dynamics 365 (for detailed insight, see Azure IRAP Assessment Report)
- Microsoft Cloud App Security
- Microsoft Graph
- Microsoft Intune
- Power Apps
- Power Automate (formerly Microsoft Flow)
- Power BI
Office 365 and Australia IRAP
For more information about Office 365 compliance, see Office 365 Australia IRAP documentation.
You can access audit reports and certificates in the Azure portal by navigating to Home > Security Center > Regulatory compliance > Audit reports or using the following direct link (login required):
- Azure portal audit reports blade
You must have an existing Azure subscription or free Azure trial account to download IRAP audit documents.
Alternatively, you can access Azure IRAP audit documents via the Service Trust Portal (STP) Audit Reports - GRC Assessment Reports section. You must login to access audit reports on the STP. For more information, see Get started with the Microsoft Service Trust Portal.
Microsoft also maintains select IRAP audit documentation on the Service Trust Portal Regional Solutions section for Australia. Additional documents and configuration guidance for operating at the PROTECTED level are available from the Azure Australia documentation repository.
Frequently asked questions
To whom does the IRAP apply? IRAP applies to all Australian federal, state, and local government agencies that use cloud services. New Zealand government agencies require compliance with a standard similar to the Australian Government ISM, so they may also use the IRAP assessments.
Can I use Azure assessment in my organization's risk assessment and approval process? Yes. If your organization requires or is seeking an approval to operate in line with the ISM, you can use the Azure IRAP security assessment in your own risk assessment. You are, however, responsible for engaging an IRAP assessor to evaluate your implementation as deployed on Azure, and for the controls and processes within your own organization.
Where can I get the Azure IRAP audit documentation? For links to audit documentation, see Attestation documents. You must have an existing Azure subscription or free Azure trial account to login. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.
Where do I start with my organization's own risk assessment and approval? Start with the latest IRAP update and follow links to resources provided in that article.
- Azure compliance documentation
- Azure enables a world of compliance
- Microsoft 365 compliance offerings
- Compliance on the Microsoft Trust Center
- Australian Government Information Security Manual (ISM)
- Information Security Registered Assessor Program (IRAP)
- Certified Cloud Services List (CCSL) ended in July 2020
- ACSC and DTA cloud security guidance
- Azure Australia documentation