Skip to main content
Compliance · IRAP Pillar

IRAP for
Australian SaaS
vendors: the honest
readiness guide.

IRAP is usually the point where a SaaS vendor's security programme meets the Information Security Manual for the first time. It is also where a lot of otherwise strong SaaS platforms discover that being secure and being ISM-compliant at PROTECTED are not the same thing.

This guide is written for product, engineering, and security leaders at Australian SaaS vendors who either have a government deal on the line or are planning one. It covers what PROTECTED actually requires of your stack, what the programme realistically costs and takes, the traps that catch SaaS specifically, and how to sequence the work so the assessment is the last step, not the first.

Book Lighthouse Assessment → IRAP Readiness Services
CC
Cliffside Cybersecurity ISO 27001 Lead Auditor · Sydney · Est. 2014
On this page
01 / Why IRAP matters for SaaS

IRAP is the gate into Australian Government SaaS spend.

Australian Government technology spend is significant, and an increasing share of it flows to SaaS. Commonwealth and state agencies have moved workloads away from on-premise systems and into managed services: collaboration, CRM, ITSM, analytics, identity, and more recently AI and automation tooling. Whenever those workloads touch PROTECTED data, the buying agency is bound by the Information Security Manual, and that forces a very specific set of expectations back onto the vendor.

The practical result: most Commonwealth and state tender documents for PROTECTED-touching SaaS now list a current IRAP report as a mandatory evaluation criterion. Not "desirable", not "preferred"; mandatory. Vendors without one are disqualified at shortlist.

The flow-down is expanding too. Defence primes, DISP members, and critical infrastructure operators under the SOCI Act increasingly pass IRAP expectations down to their SaaS suppliers. If you sell to a Defence integrator, an energy utility, or a Commonwealth-owned entity, you may need a PROTECTED IRAP report even if no agency signed your contract directly.

The commercial case is simple: without a current PROTECTED IRAP report, there is a tier of Australian Government SaaS revenue you cannot access. For some vendors that's a minor constraint. For SaaS companies targeting Australian Government as a core vertical, it's existential.

02 / What PROTECTED actually means for your stack

ISM controls are specific, prescriptive, and unforgiving.

PROTECTED is not a posture. It is a set of concrete ISM control requirements that apply to every component in scope: your application, your infrastructure, your identity plane, your logging, your support processes, and the people who can touch production. If you've been through SOC 2, ISO 27001, or HIPAA, the shape will feel familiar; the specifics are stricter and often awkwardly Australian.

The areas that catch SaaS vendors most often:

Data sovereignty
PROTECTED data generally must be stored, processed, and supported from within Australia. Offshore support, cross-region replication, or third-party subprocessors in non-AU regions create hard problems. Most SaaS architectures leak somewhere.
Cryptography (AACP)
The ISM references ASD-approved algorithms and protocols. Default TLS configs, KMS settings, and at-rest encryption are often outside the approved set for at least one control, particularly for legacy or hybrid components.
Personnel clearances
Staff with privileged access to PROTECTED systems typically need an Australian Government security clearance. Offshore engineers, SRE rotations from the US or EU, and third-party contractors are where most SaaS teams run into process gaps.
Logging and monitoring
ISM specifies event classes that must be captured, retained for defined periods, and reviewed. Most SaaS platforms log plenty of application events but miss auth, privileged activity, and configuration-change telemetry, or cannot prove human review.
Change and patch
Patching windows are shorter and more prescriptive than most SaaS release processes are built for. Emergency patch pipelines and change records are scrutinised; "we deploy continuously" is not an answer an assessor can accept.
Incident reporting
Obligations to notify the authorising authority of security events are specific and fast. Most SaaS incident response runbooks need a dedicated government notification path that doesn't exist by default.

Each of these areas tends to produce multiple findings in a first-time assessment. None of them are technically hard in isolation. Collectively, they're six months of engineering work that doesn't show up on your product roadmap.

03 / What it realistically costs and takes

Most SaaS vendors underestimate by at least 2x on both dimensions.

Budget expectations for IRAP are distorted by the assessor fee being the only public number. The formal assessment is typically $80,000 to $250,000 for a PROTECTED SaaS system, depending on complexity and assessor firm. That's the visible line item. It is rarely the largest one.

9–18
months end-to-end for most SaaS vendors, from decision to Security Assessment Report in hand.
$300k–$800k
realistic total programme cost including readiness, assessment, remediation, and internal engineering.
4–12
weeks for the formal IRAP assessment itself, depending on scope and responsiveness.

The largest hidden cost is internal engineering time. Logging uplift, cryptography changes, identity rework, and the evidence base take serious senior engineering effort. Organisations that try to absorb it on top of product velocity tend to slip the timeline; those that carve out a dedicated squad usually land on schedule.

The second-largest hidden cost is the gap between Stage 1 and Stage 2. Findings from the design review must be remediated before the implementation review, usually in 6 to 12 weeks. Every week you're remediating is a week the assessor's clock is running and your engineers aren't building features.

04 / SaaS-specific pitfalls

The traps that don't show up in generic IRAP guidance.

Generic IRAP advice assumes a single-tenant, largely static system. Modern SaaS architecture is multi-tenant, rapidly deployed, and heavily dependent on third-party services. That combination creates failure modes the ISM and most assessors haven't fully modernised around.

  • Multi-tenant isolation: Demonstrating that government and non-government tenants don't share plane, keys, or data is a recurring source of findings. Shared control planes, shared KMS keys, and cross-tenant admin tooling are hard to justify. Many SaaS vendors end up carving off a dedicated "gov cloud" environment to simplify the scope.
  • Third-party subprocessors: Every Stripe, Twilio, Datadog, OpenAI, and Salesforce integration is a potential sovereignty and assessment issue. Each subprocessor needs to be mapped, assessed, and either brought in-scope, replaced, or explicitly excluded with a risk narrative the authorising authority will accept.
  • Continuous deployment: Daily deploys are a feature commercially and a headache for ISM change-management controls. The fix is usually not slowing deployment; it's structuring change records, approvals, and evidence so they satisfy the control without throttling the release pipeline.
  • Offshore SRE rotations: 24/7 support handed between US, EU, and APAC SRE teams works beautifully until the ISM asks who had access to production at 3am Canberra time. Personnel controls, MFA hardware key management, and privileged access workflows often need a clean-sheet redesign.
  • AI features: LLM inference on customer data, RAG pipelines, model fine-tuning on government content. These create data-flow and sovereignty issues the ISM wasn't written for but that assessors are increasingly scrutinising. Expect to have to explicitly scope AI features in or out.
  • Report ageing: IRAP reports are typically refreshed every 24 months. Fast-moving SaaS products drift quickly from the assessed baseline. Without a delta-assessment and change-governance discipline, your PROTECTED authority can lapse well before the formal re-assessment date.
05 / Sequencing the work

Do ISO 27001 first. Usually.

There's no formal dependency between ISO 27001 and IRAP, but in practice the ordering matters. ISO 27001 forces you to build the governance structures, risk methodology, policy suite, asset register, and evidence discipline that an IRAP assessment will demand anyway. SaaS vendors who arrive at IRAP without an ISMS usually spend the first third of the programme building one anyway, just less deliberately.

A realistic sequence for most SaaS vendors:

  • Months 1 to 6: Stand up an ISO 27001 ISMS. Gap assessment, policy suite, risk register, Statement of Applicability, internal audit. Pursue certification or operate the ISMS in parallel with IRAP readiness.
  • Months 4 to 9: IRAP readiness gap assessment against ISM controls. Scope the system, choose classification target, identify architectural changes, prioritise the remediation roadmap.
  • Months 6 to 12: Engineering uplift. Logging, cryptography, identity, evidence collection, change governance, personnel processes. This is where most of the budget goes.
  • Months 12 to 15: Pre-assessment dry run. Engage an ASD-endorsed IRAP Assessor for Stage 1. Remediate findings.
  • Months 15 to 18: Stage 2 implementation review. Security Assessment Report delivered. Authorising authority decision on the Authority to Operate.

Compressing this is possible for vendors with a mature security posture and deep engineering bench. Compressing it aggressively with neither tends to produce an assessment that reveals the gaps rather than closes them.

06 / How Cliffside helps

We get you ready. We don't do the assessment.

Cliffside is not an ASD-endorsed IRAP assessor firm. The ACSC endorses individual assessors, and we don't currently hold endorsed assessors on staff. What we do is the 90% of the programme that isn't the assessment: readiness, remediation, evidence construction, authorising authority liaison, and ongoing ISM alignment.

Our consultants have been ISO 27001 Lead Auditors since 2008, deliver Essential Eight assessments to Maturity Level 3, and have run security programmes for Commonwealth and state government clients. Most of our SaaS IRAP engagements start with a Lighthouse Assessment to map current controls against both ISO 27001 and the ISM, and honestly tell you whether your 9-month deadline is realistic.

When you're ready for the formal IRAP assessment, we help you shortlist and engage an ASD-endorsed assessor, brief them properly, and manage the assessment on your side. See our IRAP readiness and pre-assessment services for the full scope.

Frequently asked questions.

Do Australian SaaS vendors actually need IRAP?
If you want to sell SaaS to Australian Government agencies at PROTECTED classification, yes. Most Commonwealth and state government tenders require a current IRAP report covering the specific system the agency will use. If your target market is only commercial or OFFICIAL-only, you may not need a full IRAP assessment, but you'll likely still need to demonstrate ISM alignment. Check the tender requirements before committing to an assessment.
How much does IRAP cost a SaaS vendor end-to-end?
For a mid-sized SaaS platform pursuing PROTECTED, the realistic total programme cost sits between $300,000 and $800,000 over 9 to 18 months. That includes readiness consulting, engineering uplift, tooling, the formal IRAP assessment itself (typically $80,000 to $250,000), and remediation between stages. The assessor invoice is usually the smaller line item. Budget for the whole programme, not just the assessment.
Is ISO 27001 a prerequisite for IRAP?
No, ISO 27001 is not formally required for IRAP. In practice, though, SaaS vendors with an operating ISO 27001 ISMS enter an IRAP assessment 3 to 6 months ahead. The governance structures, risk assessment methodology, policy suite, and evidence base built for ISO 27001 map directly to many ISM controls. We recommend most SaaS vendors achieve ISO 27001 certification first unless there's a commercial reason to compress the timeline.
Can we do IRAP on just part of our SaaS platform?
Yes, and this is usually the right strategy. Most SaaS vendors scope IRAP to a specific offering or tenant architecture that serves government customers, not the entire platform. The smaller the scope, the faster and cheaper the assessment. The risk is scope drift: if your architecture doesn't cleanly separate government workloads, the assessor will keep finding dependencies that drag more of your system into scope.
What happens if our SaaS IRAP report has major findings?
Findings are expected. The assessor documents compliant, partially compliant, and non-compliant controls, and the authorising authority decides whether the residual risk is acceptable. A report with clearly documented compensating controls and a remediation roadmap is often acceptable; a report with fundamental architectural gaps rarely is. This is why readiness work matters: the goal is to arrive at Stage 2 with findings the authority can reasonably accept.

Related insights

Deeper reading on this topic.

IRAP vs ISO 27001

A decision framework for Australian organisations weighing an ISMS certification, an IRAP assessment, or both.

Explore →
ISO 27001 Certification Guide

The honest pre-certification roadmap. Most IRAP-bound SaaS vendors start here.

Explore →
Cybersecurity for Government

Strategic perspective on selling into Australian federal, state, and local government.

Explore →

Serious about an
Australian Government deal?

Book a Lighthouse Assessment. We'll map your SaaS platform against the ISM, honestly assess your IRAP readiness, and tell you whether your commercial deadline is realistic.

Book Lighthouse Assessment →IRAP Readiness Services

Not sure where to start?

Book a free 30-minute consultation. Honest, no lock-in, no sales pitch.

Book a Free Consultation