Cyberly Blog

IRAP for US Vendors: Key Differences from SOC 2 and FedRAMP

6/25/2026

Many US SaaS and PaaS vendors enter the Australian Government market with strong security credentials already in place. They may have completed SOC 2, achieved FedRAMP authorisation, maintained ISO 27001 certification, or built mature internal security programs.

That work matters. It gives you a valuable starting point.

However, vendors are often surprised when their first IRAP assessment does not map neatly to SOC 2 or FedRAMP.

IRAP assesses evidence against the Australian Government’s Information Security Manual (ISM), within the agreed assessment boundary and for the specific Australian Government use case. Existing evidence may be useful, but it may need to be reinterpreted, supplemented or tested against different expectations.

Some vendors also find that IRAP evidence collection can involve more direct walkthroughs, implementation demonstrations, interviews, and review of how controls operate in the assessed environment. This can make IRAP feel closer to a practical implementation review than a traditional audit.

IRAP is not a penetration test. It is also not simply a policy review. It is an evidence-based security assessment against the ISM.

For US vendors, the key point is this:

SOC 2 and FedRAMP evidence can be very useful for IRAP, but they are not a complete substitute for IRAP-specific evidence.

Why IRAP feels different

If you are a US SaaS or PaaS vendor, you may already have strong SOC 2 or FedRAMP evidence. That is valuable — but it does not always translate neatly into IRAP.

IRAP still requires the assessor to consider whether the evidence demonstrates implementation of the relevant ISM controls. The assessor needs to ask:

  • Does this evidence apply to the exact system in scope?

  • Does it apply to the relevant environment, tenant, region or deployment model?

  • Does it show how the control is implemented, not just described?

  • Does it show the process operating in practice?

  • Does it cover connected systems or administrative pathways?

  • Does it address the relevant ISM control intent?

  • Is the evidence current enough?

  • Are there gaps between the prior audit scope and the IRAP assessment boundary?

In some cases, existing SOC 2 or FedRAMP evidence will be enough. In other cases, the assessor may need additional evidence that controls are actually implemented and operating in the assessed environment.

That may include evidence such as:

  • live walkthroughs of systems or processes

  • observed implementation of security controls

  • evidence from actual tools, consoles or platforms

  • operational records showing the process is followed

  • tickets showing real change, incident or access management activity

  • access reviews showing actual review and follow-up

  • vulnerability records showing detection, triage and remediation

  • backup or recovery evidence showing testing and outcomes

  • logging and monitoring evidence showing alerts, review and response

  • interviews with system owners, engineers or process owners

This is why IRAP can sometimes feel more like a practical implementation review than a traditional audit. It is not a penetration test, but it does require evidence that security controls are real, operating and relevant to the assessed system.

What US vendors should do before starting IRAP

The best way to reduce friction is to prepare before the formal assessment begins.

A practical readiness process should include:

1. Map existing evidence to the ISM

Start by identifying which SOC 2, FedRAMP or ISO 27001 evidence may support ISM controls.

This helps avoid duplicated effort and shows where existing compliance work can be reused.

2. Identify IRAP-specific evidence gaps

Do not assume your existing reports will answer every IRAP question.

Look for areas where you may need system-specific evidence, technical configuration evidence, screenshots, exports, logs, tickets or operational records.

3. Define the assessment boundary early

Confirm what service, environment, infrastructure, integrations and support systems are in scope.

For SaaS and PaaS vendors, this is especially important because the product may rely on multiple cloud services, corporate systems, administrative pathways and third-party components.

4. Prepare architecture and data flow diagrams

Clear diagrams reduce confusion.

At minimum, prepare diagrams showing:

  • system components

  • customer data flows

  • administrative access paths

  • network boundaries

  • third-party integrations

  • logging and monitoring flows

  • hosting and support locations

5. Confirm access and evidence collection pathways

Before the assessment starts, confirm who can provide evidence, who can access systems, and who can explain technical configurations.

Many delays occur because the right people are not available or the organisation does not know where evidence is stored.

6. Treat IRAP as evidence-based, not document-based

Policies and procedures matter, but they are usually not enough by themselves.

A strong IRAP evidence pack should show both:

  • what the organisation says it does; and

  • how the system is actually configured, operated and monitored.

The commercial value of preparing properly

For US vendors, IRAP is often linked to Australian Government sales, procurement, customer assurance and market entry.

A rushed or poorly prepared assessment can create problems:

  • delays in customer onboarding

  • repeated evidence requests

  • unclear findings

  • disputes about scope

  • avoidable remediation work

  • reports that are less useful to relying customers

A well-prepared assessment is different.

It gives your team a clearer path through the process, reduces avoidable rework, and gives Australian Government customers a clearer view of your security posture.

This matters because an IRAP report is not an ASD endorsement, certification, or guarantee that a system is “secure”. Customers still need to review the report and make their own risk-based decision.

That is why the quality of the assessment and the quality of the evidence matter. A clear, well-evidenced IRAP report gives customers greater confidence in the product, helps them understand residual risk, and supports faster, more informed procurement and onboarding decisions.