Australia IRAP overview
The Infosec Registered Assessors Program (IRAP) provides a comprehensive process for the independent assessment of a system’s security against the Australian Government Information Security Manual (ISM) requirements. The IRAP goal is to maximize the security of Australian federal, state, and local government data by focusing on the information and communications technology (ICT) infrastructure intended for data storage, processing, and communication. IRAP is governed and administered by the Australian Cyber Security Centre (ACSC). It describes the mechanism for cloud services to assess security controls within their platforms and a framework to endorse individuals from the private and public sectors to provide cyber security assessment services to the Australian government. Endorsed IRAP assessors can provide an independent assessment of ICT security, suggest risk mitigations, and highlight residual risks.
The risk management framework used by the ACSC ISM draws from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 Rev. 2 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. Within this risk management framework, the identification of risks and selection of security controls can be undertaken using various risk management standards, such as the ISO 31000:2018, Risk management – Guidelines. Broadly, the risk management framework used by the ISM has six steps: define the system, select security controls, implement security controls, assess security controls, authorize the system, and monitor the system.
The ACSC used to maintain the Cloud Services Certification Program (CSCP) through which cloud services were certified and featured on the Certified Cloud Services List (CCSL). However, pursuant to a review of CSCP and IRAP, ACSC ceased the CSCP and CCSL in 2020. All prior cloud services certification and re-certification letters issued by the Australian Signals Directorate (ASD) were declared void. Following the cessation of CSCP and CCSL, ACSC and the Digital Transformation Agency (DTA) released new cloud security guidance. The new guidance instructs Commonwealth entities, cloud service providers (CSPs), and IRAP assessors how to perform a comprehensive security assessment of a CSP and its cloud services, leading to a risk-based decision on its suitability to handle an organization's data.
Azure and Australia IRAP
An IRAP assessment has been completed for the Azure in-scope services for the processing of government data in Australian regions up to and including the PROTECTED level. Extra compensating controls are to be implemented on a risk-managed basis by individual agencies prior to agency authorization and subsequent use of these cloud services. The ACSC encourages adoption of a risk-managed approach with respect to the controls listed in the Australian Government Information Security Manual (ISM) and Protective Security Policy Framework (PSPF).
Through the previous Australian Government certification process, Azure was IRAP assessed and certified by the ACSC at both the Unclassified Dissemination Limiting Marker (DLM), now OFFICIAL: Sensitive, and PROTECTED levels. This process resulted in Azure being included on the CCSL, which was used to identify cloud services that had successfully completed an IRAP assessment and were awarded certification by the ACSC. Following the closure of CCSL in July 2020, Microsoft will continue to have Azure cloud services assessed by an IRAP assessor, while agencies can continue to self-assess or procure the services of an IRAP assessor to assess their own systems deployed on Azure. Commonwealth entities remain responsible for their own assurance and risk management activities. Agencies can engage the ACSC through their normal channels for assistance with this process.
To assist you with your own authorization decisions, Microsoft makes the Azure IRAP assessment report and supporting documents available for download, as explained in Attestation documents.
The assessment of Microsoft's services in Australia covers the four available Azure regions. For Government and critical infrastructure, we've deployed two regions designed specifically for your needs that are delivered from CDC datacenters in Canberra: Australia Central and Australia Central 2. The differences between the Australian regions are covered in detail in the Azure IRAP Assessment report.
For each assessment, Microsoft engaged an ACSC-accredited IRAP assessor who examined the security controls and processes used by Microsoft's cloud operations team, physical datacenters, intrusion detection, cryptography, cross-domain and network security, access control, and information security risk management of in-scope services. The IRAP assessments found that the Microsoft system architecture is based on sound security principles, and that the applicable Australian Government ISM controls are in place and operating effectively within our assessed services.
The IRAP assessment of Microsoft's cloud services helps provide assurance to public sector customers and their partners that Microsoft has appropriate and effective security controls in place for the processing, storage, and transmission of data at the PROTECTED level and below. This assessment is applicable to most government, healthcare, and education data in Australia.
For extra customer assistance, Microsoft provides the Azure Policy regulatory compliance built-in initiative for ISM PROTECTED, which maps to ISM PROTECTED compliance domains and controls. Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of controls and compliance domains based on responsibility – customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each ISM PROTECTED control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.
Services in scope
For a list of Microsoft online services in audit scope, see the Azure IRAP Assessment Report.
Office 365 and Australia IRAP
For more information about Office 365 compliance, see Office 365 Australia IRAP documentation.
- You can access Azure IRAP audit documents from the Service Trust Portal (STP) Australia IRAP section. You must sign in to access audit reports on the STP. For more information, see Get started with Microsoft Service Trust Portal.
- Extra documentation and guidance is available from the STP Australia regional resources section.
Frequently asked questions
To whom does the IRAP apply? IRAP applies to all Australian federal, state, and local government agencies that use cloud services. New Zealand government agencies require compliance with a standard similar to the Australian Government ISM, so they may also use the IRAP assessments.
Can I use Azure assessment in my organization's risk assessment and approval process? Yes. If your organization requires or is seeking an approval to operate in line with the ISM, you can use the Azure IRAP security assessment in your own risk assessment. You are, however, responsible for engaging an IRAP assessor to evaluate your implementation as deployed on Azure, and for the controls and processes within your own organization.
Where can I get the Azure IRAP audit documentation? For links to audit documentation, see Attestation documents. You must have an existing Azure subscription or free Azure trial account to sign in. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.
Where do I start with my organization's own risk assessment and approval? Start with the latest IRAP update and follow links to resources provided in that article.
- Azure compliance documentation
- Azure enables a world of compliance
- Microsoft 365 compliance offerings
- Compliance on the Microsoft Trust Center
- Australian Government Information Security Manual (ISM)
- Infosec Registered Assessor Program (IRAP)
- Certified Cloud Services List (CCSL) ended in July 2020
- ACSC and DTA cloud security guidance