IRAP—the Information Security Registered Assessors
Program—provides a framework for assessing the
implementation and effectiveness of an organization’s
security controls against the Australian government’s
security requirements, as outlined in the Information Manual
(ISM) and Protective Security Policy Framework (PSPF). IRAP
was created by the Australian Cyber Security Center (ASCS)
which is a part of the Australian Signals Directorate (ASD).
Previously, IRAP certification meant an organization would
be listed on the ASD's Cloud Services List (CCSL). In July
2020, the ACSC deprecated the CCSL and concurrently released
the Cloud Security Guidance package.
This guidance provides organizations, cloud service
providers (CSPs), and IRAP assessors with a framework on how
to perform a comprehensive assessment of CSPs in order to
make a risk-informed decision about their suitability to
handle organizations’ data.
An independent third-party assessor evaluated Google Cloud
Platform and Google Workspace against OFFICIAL and PROTECTED
ISM controls, and found both to be strongly aligned with
PROTECTED level control requirements. These requirements
include guidelines for cyber security roles, detecting and
managing cyber security incidents, physical and personnel
security, system hardening, networking, and cryptography.
The evaluation was performed based on the ACSC’s updated
IRAP framework, outlined in the Cloud Security Guidance
IRAP certification not only provides a path for our
customers to work with the Australian government, it also
opens the door for Australian federal, state, and local
government agencies to store data and run workloads on GCP
and Google Workspace.
IRAP reports may be requested via the
Compliance Reports Manager.
Potential customers can reach out to
for more information.