AWS Public Sector Blog
Accelerate IRAP readiness with AWS and Wiz

Accelerate IRAP readiness with AWS and Wiz
As organisations modernise to meet the evolving expectations of the Australian Government, delivering secure, cloud-based services has become a commercial and operational necessity. This transformation brings a critical challenge: maintaining a hardened security posture while aligning to the Information Security Registered Assessors Program (IRAP) assessment requirements and priorities.
Under the Protective Security Policy Framework (PSPF), Australian Government systems must be secured at a level commensurate with the classification of the data they handle, ranging from Official to Top Secret. Rather than a static benchmark, these classifications dictate which Information security manual (ISM) controls are applicable based on a risk assessment.
The IRAP provides the independent validation necessary to ensure these chosen controls are effectively implemented. By inheriting a platform already IRAP-assessed for Protected workloads, agencies can use an established security baseline and focus their assessment efforts on their own application layer and data configurations, rather than revalidating the underlying infrastructure.
Amazon Web Services (AWS) and Wiz provide the visibility, architectural guardrails, and automated evidence collection required to streamline this journey. Through these capabilities, AWS and Wiz provide a strategic foundation that accelerates IRAP readiness activities, with reduced manual effort and greater clarity.
IRAP as a catalyst for risk-informed governance
To understand how AWS and Wiz accelerate IRAP readiness, it’s necessary to frame what IRAP requires. A common misconception is that an IRAP assessment is a pass-fail certification. It’s a risk-based assessment against the Australian Government ISM. IRAP covers a broad spectrum, including personnel and physical security, and the primary hurdle for most departments is the sheer volume of technical and operational controls that must be documented and monitored.
As manual assessment methods struggle to keep pace with cloud innovation, automated assurance becomes essential. The AWS and Wiz collaboration specifically accelerates these technical and operational layers, which are often the most complex to manage at scale. This partnership provides the real-time visibility and automated evidence collection needed to maintain a continuous compliance posture across any classification level, ensuring the technical foundation remains aligned with ISM requirements without slowing down delivery.
AWS and the Shared Responsibility Model
For organisations building a service for the Australian Government, the AWS Shared Responsibility Model becomes a starting point and force multiplier for automation. AWS manages the security of the cloud, providing infrastructure that has already been subject to IRAP assessments at the Protected level.
Deploying on AWS, service providers immediately inherit the security controls of the underlying global infrastructure. Through AWS Artifact, organisations can access IRAP summary reports and letters of compliance to provide assessors with evidence for the physical and environmental layers. Providers can shift their focus upward to security in the cloud, including the configurations, identities, and workloads where Wiz provides granular, contextual oversight.
How visibility drives risk decisions
Quantifying cloud risk is the bridge between compliance frameworks and operational confidence. In the Australian Public Sector, risk is strategically defined for all Commonwealth entities in the Resource Management Guide 211 (RMG 211) as the “effect of uncertainty on objectives.” When the objective is the successful delivery of a secure, resilient digital service, the uncertainty often stems from the complex, dynamic nature of the cloud environment. The ISM translates that risk thinking into the cybersecurity domain specifically.
The partnership between AWS and Wiz quantifies this uncertainty. By combining AWS services with Wiz’s ability to identify what they call “toxic combinations” of risk indicators, providers can present a clear risk posture to Australian government Authorising Officers (AOs). This clarity allows faster decision-making regarding whether the remaining uncertainty is acceptable in pursuit of the agency’s mission.
Hardening the modern stack (containers and serverless)
As previously discussed, using infrastructure that has already been subject to an IRAP assessment can provide a valuable starting point for service providers. However, this inheritance alone is not sufficient for a full IRAP assessment. There must also be demonstrated assurance that modern, ephemeral workloads such as Amazon Elastic Kubernetes Service (Amazon EKS) don’t inadvertently bypass established security guardrails.
AWS manages the EKS control plane, using the already IRAP-assessed AWS infrastructure, and the customer remains responsible for their worker nodes and containerised applications. Wiz provides agentless visibility into these runtime configurations, vulnerabilities, and permissions.
Because Wiz automatically detects toxic combinations, such as a container running with a high-severity vulnerability and a path to an AWS Identity and Access Management (IAM) role with elevated permissions, technical teams can remediate risks in minutes. This proactive risk management approach means that issues are resolved before they result in a control failure during a formal IRAP assessment.
Shifting security left (IaC and code repos)
Reducing the cost of market entry and long-term security maintenance by preventing noncompliant architectures from reaching production is a strategic goal for many organisations seeking IRAP assessment.
Organisations use AWS development tools, including AWS CloudFormation, Kiro integrated development environment (IDE), AWS CodeBuild, AWS CodeDeploy, and AWS CodePipeline, along with infrastructure as code (IaC) to build repeatable, secure patterns for the software development lifecycle. Wiz integrates into these continuous integration and continuous delivery (CI/CD) pipelines to enforce ISM-aligned guardrails prior to production deployment.
If a deployment script attempts to provision an Amazon Simple Storage Service (Amazon S3) bucket that is missing encryption or has public access enabled, Wiz flags this in the CI/CD pipeline. This provides proactive evidence for the IRAP assessor that controls are in place to prevent data exposure before it can occur.
Automated evidence for streamlined assessments
An effective strategy for accelerating IRAP readiness is to replace labour-intensive evidence gathering with an audit-ready posture. Automating these processes yields faster time-to-market value.
AWS provides baseline compliance data for the infrastructure layer through services such as AWS Security Hub and AWS CloudTrail. Wiz integrates with these services to deliver unified visibility and enhanced compliance analysis, normalising configuration data across the entire AWS footprint and mapping it directly to the controls defined in the ISM. By automating compliance evidence collection, organisations shorten assessment cycles and reduce the operational overhead of maintaining audit readiness.
During an IRAP assessment, instead of manual screenshots of security groups or virtual private cloud (VPC) configurations, providers can generate reports that demonstrate control effectiveness across the entire fleet simultaneously. This approach has been shown to save hundreds of hours of manual work for compliance assessments, including SOC 2 and FedRAMP, so assessors can focus on high-value risk analysis instead of data validation.
Global trend toward continuous assurance
These three use cases illustrate what is possible today. Globally, governments are already operationalising this approach at scale.
The shift away from point-in-time assessments towards continuous monitoring and mitigation of risk is gaining momentum worldwide. A notable example is the Operation StormBreaker initiative within the US government. Operation StormBreaker demonstrates the effectiveness of the Continuous Authorization to Operate (cATO) methodology to rapidly deliver secure mission services, reducing traditional deployment timeframes from 6–12 months to less than 15 minutes.
To achieve this speed to delivery, Operation StormBreaker relied upon streamlined processes and integrations, including Wiz and AWS integrations with RegScale, Harness, and others. These integrations enhanced automation and compliance reporting, and therefore teams could swiftly identify and prioritise risk remediation and demonstrate a data-centric approach to cATO compliance.
Australian service providers should draw directly on these parallels. The cATO methodology validated by Operation StormBreaker aligns closely with the continuous assurance model that IRAP-aligned organisations are building today. Adopting this mindset demonstrates to government clients that an organisation possesses the systemic maturity to manage risk every day, not only during an audit window.
Conclusion: Facilitating high-confidence risk management
The goal of any IRAP-aligned journey is to provide the foundation for innovation with confidence. By combining the IRAP-assessed infrastructure of AWS with the granular, contextual insights of Wiz, organisations transform security from a barrier to entry into competitive advantage.
Together, AWS and Wiz enable service providers to quantify their security posture, reduce the cost of compliance, and deliver secure, Protected services to the Australian Government. For details about how Wiz centralised security operations and modernised compliance, refer to the Wiz and Operation StormBreaker case study.
Ready to get started? Schedule a demo.
To learn more, visit:
- Transforming Acquisition and Development with Operation Stormbreaker – FedGov Today, August 2025
- Marine Corps Operation StormBreaker Slashes Software Delivery Timelines by 17x – GovCIO Media, July 2025
- DoD Modernization Exchange 2026: Reducing ATO burdens – Federal News Network, April 2026
- Breaking the 18-Month Barrier – Owl Cyber Defense, May 2026
- Operation StormBreaker – Government Executive, December 2025