


AWS IRAP Compliance

Protecting Australian government data from access, abuse and disclosure remains a prime consideration when procuring and leveraging cloud services. AWS recognises that customers rely upon the secure delivery of the AWS infrastructure and the importance of having features that enable the customer to create more secure environments. AWS enables customers to meet these objectives by prioritising security in the delivery of its services through the establishment of a robust control environment and making available for use a wide range of security services and features. These services provide comprehensive controls over the customer IT control environment, simplify the management of security services and provide improved security outcomes for the Australian Government.

The Information Security Registered Assessors Program (IRAP) enables Australian government customers to validate that appropriate controls are in place and determine the appropriate responsibility model for addressing the needs of the Australian Signals Directorate (ASD) Information Security Manual (ISM).

An independent IRAP assessor examined the controls of AWS’s people, process, and technology to ensure they address the needs of the ISM. This assessment and the Letter of Compliance are the basis on which a Certification Authority gains assurance to certify AWS infrastructure and provide a recommendation to the Accreditation Authority for appropriate use of the platform.

An agency accreditation is the culmination of an IRAP assessment and formal certification by the ASD operating as the Certification Authority for the Australian Government. This certification provides assurance that AWS has in place the applicable controls of the ASD’s ISM and is the immediate precursor in accrediting AWS for Australian government workloads.

This certification will remove a significant burden from individual agencies or their commercial partners, who would otherwise have to perform assessments and certifications of the cloud platform for their workloads, and instead allows them to focus on their system’s accreditation processes.

AWS provides customers a wide range of security functionality to protect their data in accordance with ASD’s ISM controls, agency guidelines and policies. We are continually iterating on the security tools we provide our customers, and regularly release enhancements to existing security functionality. Additionally, we provide a wide variety of whitepapers, online documentation and security videos for our customers. Our global whitepapers have recommendations for securing your data that are just as applicable to Australian government AWS workloads.


How do I consume AWS’s IRAP security documentation and guidance?

Australian government customers can leverage our ASD certification and our independent IRAP Assessor’s Letter of Compliance in order to accelerate their certification and accreditation objectives.

In support of our Australian government customers, we provide a package of security guidance and documentation to enhance their understanding of security and compliance while using AWS as a certified cloud services supplier. 

In particular, for the assessment of AWS infrastructure by an IRAP assessor against the ISM, we provide the following under NDA (as required) to government organisations or their partners:

- IRAP Report on AWS compliance to the ISM
- ASD Certification Letter of the AWS Infrastructure platform
- IRAP ISM Letter of Compliance
- Control Implementation Summary

Additional reports that evaluate and test controls implemented by AWS Infrastructure are also available under NDA (as required):

- Service Organisation Controls 1 (SOC1) Type II Report
- Service Organisation Controls 2 (SOC2) Type II Report
- ISO 27001 Certificate & Statement of Applicability
- PCI Attestation of Compliance and PCI Responsibility Summary

To find out more about the additional reports, see the AWS Compliance FAQs.

To request access to AWS’ security documentation as it pertains to Australian Government customers, or contractors conducting business with the Australian government, please contact AWS Sales and Business Development or send an email to awscompliance@amazon.com.


An IRAP assessor is the only individual accredited as qualified to perform an assessment of an ICT system against the Australian Government ISM. The assessor describes areas of compliance and non-compliance, describes residual risks and remediation actions, and provides recommendations to a Certification Authority on certification.

IRAP Assessment

The following documents are publicly available:

The Control Implementation Summary and IRAP Report Stage 2 are available to customers using AWS Artifact, a self-service portal for on-demand access to AWS’ compliance reports. Get started with AWS Artifact today.

Yes, AWS has been a member of the panel since the 31st of March 2015. Agencies obtain value for money in relation to cloud services and a simplified procurement process by going through a pre-assessed provider and a common contractual framework. This ease of procurement enables agencies to move at the pace their mission requires to deliver services effectively to Australian citizens.

The ISM is the Australian Government Information Security Manual, published by the Australian Signals Directorate (ASD), an organisation within the Department of Defence that has a mission to protect Australian Government systems and information.

For more about ASD’s role in protecting Australian information security, see http://www.asd.gov.au/about/roleinfosec.htm


Yes, AWS has been audited by an independent assessor from the Information Security Registered Assessors Program. The assessment examined the security controls of Amazon’s people, process and technology to ensure that they met the needs of the ASD 2014 ISM.

The AWS services that are already in scope for the IRAP Assessment can be found within AWS Services in Scope by Compliance Program. If you would like to learn more about using these services and/or have interest in other services, please contact us.

No, there is no increase in service costs for any region as a result of AWS’ ISM compliance.

Yes, AWS has been certified for Unclassified DLM (UD) workloads by the Australian Signals Directorate (ASD) as the Certification Authority and is an inaugural member of the ASD Certified Cloud Services List (CCSL).

Agencies’ costs and risks are significantly reduced when relying upon the deep expertise of the ASD as the Certification Authority to determine that the residual risk of services is well understood and appropriately assessed. This creates a significantly improved security outcome for Australian government departments while also reducing their costs related to such assessments.

In October 2014 the Australian Department of Finance and Department of Communications jointly released the Australian Government Cloud Computing Policy 3.0, which mandated a “cloud first” approach for adoption of cloud services by federal government agencies.

Under the Australian Government’s Cloud Policy, agencies now must adopt cloud where it is fit for purpose, provides adequate protection of data and delivers value for money.

The ISM is the standard that governs the security of government Information and Communication Technology (ICT) systems. It complements the Protective Security Policy Framework (PSPF) produced by the Australian Government Attorney-General’s department. Together they provide a manual for implementing appropriate controls to operate all classifications of workloads in an ICT environment.

Compliance with the ISM is used to assess cloud service providers’ membership of the ASD’s Certified Cloud Services List, which lists the cloud services for which ASD has acted as the certification authority. Certification is required for agencies to have workloads accredited to run on cloud services procured through the Department of Finance Whole of Government Cloud Services Panel, the primary procurement vehicle for cloud services for the Australian Government.

These are individuals accredited by the Australian Signals Directorate (ASD) under the Information Security Registered Assessors Program as being appropriately qualified to conduct assessments against the ASD’s control framework, the Information Security Manual (ISM).

The IRAP assessment and ASD Certification cover the AWS Sydney region. However, AWS treats all regions equally in terms of the controls, policies and processes that are used to operate them. Agencies should assess their workloads and business needs to determine which AWS region to use.

Yes, customers can evaluate their workloads for suitability with other AWS services. Contact AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.

