Compliance · Framework Comparison

IRAP vs ISO 27001: which one do you need?

ISO 27001 and IRAP show up together in Australian boardrooms more often every year, usually after a government tender lands on someone's desk. The honest answer to "which do we need?" is almost never one or the other, but it's rarely both at the same time either. The practical question is sequencing.

This guide breaks down what each framework actually does, where they overlap, and how to sequence investment based on who is asking for compliance, what your commercial exposure looks like, and where your current maturity sits.

01 / Different problems

They are not competing options.

The first thing to clear up: ISO 27001 and IRAP answer different questions. Treating them as substitutable, or worse, as competing, is the root cause of most of the wasted compliance budget we see.

ISO 27001 asks whether your organisation has a credible, governed, continuously improving management system for information security. If the answer is yes, an accredited certification body issues a certificate that is recognised globally. It does not say your technology is safe; it says your programme is sound.

IRAP asks whether a specific ICT system, operating at a specific classification, implements the controls required by the Australian Government's Information Security Manual. The output is a Security Assessment Report that the system owner hands to the authorising authority to support a risk-based decision to operate.

ISO 27001
International management-system standard. Certifies the organisation's ISMS across governance, risk, controls, and continuous improvement. 10 mandatory clauses plus 93 Annex A controls across four themes. Recognised globally across markets and sectors.

IRAP
Australian Government programme administered by the ACSC. Assesses a specific ICT system against the Information Security Manual at a target classification (OFFICIAL, PROTECTED, SECRET, TOP SECRET). Conducted by ASD-endorsed individual assessors.

What ISO 27001 does not prove
That any specific system meets Australian Government ISM control requirements. Certification can coexist with a system that would fail an IRAP assessment at PROTECTED.

What IRAP does not prove
That your organisation has a functioning ISMS. A clean IRAP report can be produced by an organisation with minimal governance; it just gets harder to sustain across re-assessments.

02 / What ISO 27001 actually is

A management-system standard, not a technical checklist.

ISO/IEC 27001:2022 is the international standard for Information Security Management Systems. Certification means an accredited body has audited your ISMS and confirmed it meets the standard's requirements. Clauses 4 to 10 cover context, leadership, planning, support, operation, performance evaluation, and improvement. Annex A contains 93 controls across four themes (Organisational, People, Physical, Technological) that you select based on your risk assessment.

You do not implement every control in Annex A. You implement the ones your risk treatment plan justifies, and you document why you excluded the rest in your Statement of Applicability. This is one of the most audited documents in your ISMS.

ISO 27001 is deliberately non-prescriptive on technical controls. It tells you to have access control; it doesn't tell you which MFA method. This is both the strength and the limit: it forces you to think about risk, but it won't satisfy a buyer who needs a specific configuration.

Where ISO 27001 has commercial force: Enterprise procurement and tender evaluations, APRA CPS 234 management framework, supplier due diligence questionnaires, Defence Industry Security Program preferences. It is the lowest-common-denominator security credential globally.

03 / What IRAP actually is

An assessment against the ISM, not a certification.

IRAP, the Information Security Registered Assessors Program, is administered by the ACSC on behalf of the ASD. The ACSC endorses individuals (not firms) as IRAP Assessors. Those assessors review ICT systems against the Information Security Manual at a target classification and produce a Security Assessment Report.

The ISM is prescriptive. It specifies cryptographic algorithms and protocols (AACP), event classes that must be logged and reviewed, personnel security clearance requirements, data sovereignty rules, patching timeframes, and specific hardening configurations. Where ISO 27001 Annex A gives you freedom, the ISM gives you a shopping list.

Crucially, an IRAP Assessor does not grant an Authority to Operate. They produce a report. The system owner's authorising authority (typically a Chief Information Security Officer or delegated authority) reviews the SAR and makes a risk-based decision to accept, reject, or require remediation. A clean SAR is an input to that decision, not the decision itself.

Where IRAP has commercial force: Federal and state government procurement requiring PROTECTED handling, Defence primes flowing down ISM expectations, DISP membership conditions, Hosting Certification Framework alignment, and critical infrastructure supplier requirements under the SOCI Act.

04 / Where they overlap

Most of the work does double duty.

The controls overlap more than the framework language suggests. An organisation with an operating ISO 27001 ISMS enters IRAP with a large share of the evidence base already built, governance documented, and risk methodology in place.

Risk methodology
ISO 27001 Clause 6 requires a documented risk assessment and treatment methodology. IRAP assumes you have one; the ISM references risk-based decisions throughout.

Access control
ISO 27001 A.5.15 and A.8.2 cover access control and privileged access. The ISM has specific controls on authentication, privileged access management, and break-glass procedures that align closely.

Supplier security
ISO 27001 A.5.19 to A.5.23 address supplier relationships. IRAP requires you to assess and document third-party subprocessors that touch classified information.

Incident management
ISO 27001 A.5.24 to A.5.28 cover incident management. The ISM adds specific notification obligations to the ACSC and the authorising authority for security events.

What ISO 27001 will not give you is the ISM's level of prescription: approved cryptographic algorithms, personnel clearance requirements, Australian data sovereignty, prescriptive patching windows, specific audit log content, and classification-aware handling procedures. This is where IRAP readiness work concentrates once the ISMS foundations are in place.

05 / Decision framework

Which to pursue first.

The right order depends on who is asking for what, and how urgent each demand is. Use the table below as a starting point, not a substitute for a proper exposure review.

Australian Gov SaaS

IRAP is non-negotiable. If your commercial future includes selling SaaS to Commonwealth or state government at PROTECTED, you need an IRAP report. Do ISO 27001 first if the deadline allows; do them in parallel if it doesn't. See our IRAP guide for SaaS vendors.

Enterprise B2B

Start with ISO 27001. Enterprise procurement wants a globally recognised certificate. ISO 27001 streamlines supplier due diligence, unlocks regulated sector deals, and builds the foundation for IRAP if it ever becomes relevant.

Defence supply chain

Both, anchored on DISP requirements. Defence primes flow down ISM expectations and DISP membership conditions that reference ISO 27001. Sequence: ISO 27001 first, then IRAP scoped to the specific system that will handle classified information.

Critical infrastructure

ISO 27001 + SOCI alignment first. SOCI risk management programmes lean heavily on ISO 27001-style governance. IRAP becomes relevant only if you handle PROTECTED information or operate services for government customers.

APRA-regulated

ISO 27001, anchored on CPS 234. Your regulatory obligation is CPS 234. ISO 27001 is the common framework used to demonstrate it. IRAP rarely applies unless you also serve government customers directly.

Limited budget

Don't chase both without the revenue to justify it. If neither ISO 27001 nor IRAP is tied to a concrete commercial outcome, fix your controls first and certify later. Compliance without a buyer produces expensive paperwork.

06 / Sequencing

ISO 27001 first, then IRAP. Usually.

For most organisations that ultimately need both, the efficient sequence is ISO 27001 first, then IRAP. The ISMS, policy suite, risk register, Statement of Applicability, and evidence discipline built for ISO 27001 are all reused in IRAP readiness. Reversing the order, or trying to parallelise aggressively, usually costs more and takes longer than doing them in sequence.

  • Months 1 to 6: ISO 27001 gap assessment, ISMS design, policy suite, risk methodology, Statement of Applicability. Technology-led approaches (Vanta, Cybereen) can compress this to 12 to 24 weeks for modern cloud-native organisations.
  • Months 6 to 9: ISO 27001 Stage 1 and Stage 2 certification audits. Certification issued.
  • Months 6 to 12 (overlapping): IRAP readiness gap assessment, scoping, ISM-specific uplift (cryptography, logging, personnel, sovereignty, evidence), pre-assessment dry run.
  • Months 12 to 15: Engage an ASD-endorsed IRAP Assessor. Stage 1 design review, remediation, Stage 2 implementation review.
  • Months 15 to 18: Security Assessment Report delivered. Authorising authority decision. Authority to Operate in hand.

Organisations with existing security maturity and dedicated engineering capacity can compress these timelines. Organisations without either tend to discover that compressed timelines produce compressed outcomes.

The final point worth making: neither framework is a finish line. ISO 27001 requires annual surveillance audits and triennial recertification. IRAP reports typically refresh every 24 months. If you treat either as a one-off, you end up paying twice when renewal comes due.

Frequently asked questions.

Is IRAP a replacement for ISO 27001?
No. They solve different problems. ISO 27001 certifies an Information Security Management System: how you govern, assess, and improve security across the organisation. IRAP assesses a specific ICT system against the Australian Government's Information Security Manual for use at a given classification. ISO 27001 is portable across markets. IRAP is required to sell into Australian Government at PROTECTED and above.

Does ISO 27001 certification satisfy any IRAP requirements?
Not formally, but practically, yes. An operating ISO 27001 ISMS produces many of the artefacts an IRAP assessor will ask for: risk methodology, policy suite, asset register, Statement of Applicability, evidence base, internal audit records, and management review minutes. Organisations with ISO 27001 typically enter IRAP readiness 3 to 6 months ahead of those without.

If we only need one, which should we do?
If your commercial future depends on selling SaaS, cloud, or professional services to Australian Government at PROTECTED, do IRAP. If you want a portable, globally recognised security credential that accelerates enterprise B2B sales and supplier due diligence, do ISO 27001. If you need both, do ISO 27001 first unless the IRAP deadline is already immovable.

How much overlap is there between IRAP and ISO 27001 controls?
Significant overlap at the control level: access management, cryptography, incident response, supplier security, vulnerability management, logging, and backups all appear in both. The material difference is specificity. ISO 27001 Annex A controls let you choose how. ISM controls, which IRAP assesses against, prescribe specific configurations, cryptographic algorithms, data handling rules, and personnel requirements. ISO 27001 gets you most of the shape. IRAP tightens the specifics.

Can one team run both programmes in parallel?
Yes, if the team is resourced for it. Running them in parallel saves time by building evidence and governance structures that both frameworks can use. It requires a programme manager who understands both, and it concentrates risk: a late slip in the common foundations delays both milestones. Most mid-market organisations sequence them (ISO 27001 first, IRAP second) rather than parallelise.

Not sure which to start with?

Book a Lighthouse Assessment. We'll map your current controls against ISO 27001 and the ISM, look at your commercial exposure, and recommend the right sequence for your organisation.