For Vendors Selling to Australian Government

IRAP-Ready AWS Architectures, From Concept to PROTECTED-Aligned

Build an IRAP-PROTECTED-aligned AWS workload using only the 168 IRAP-assessed services. Essential Eight Maturity Level 2+ baseline. Pre-IRAP-assessment readiness, with the documentation an IRAP assessor expects.

AWS Advanced Tier Partner
Google Cloud Partner
RedHat Partner
ISO 27001:2022 Certified
ISO 9001:2015 Certified
IRAP · ISM
168 Services

Government procurement asks first: are you IRAP-ready?

168 Services Assessed
ML2+ Essential Eight
12 Weeks Typical
Strategic Hosting Cert
AWS holds 168 IRAP-PROTECTED-assessed services across Sydney and Melbourne, broadest of any cloud provider. — AWS IRAP Assessment 2025 H1
AWS Region: Sydney + Melbourne

The Problem We Solve

Government contracts demand IRAP. Most teams don't know where to start.

01, ELIGIBLE SERVICES

We need IRAP assessment to win government contracts but don't know which AWS services we can use.

Only the 168 IRAP-PROTECTED-assessed AWS services qualify. Using non-assessed services breaks the assessment scope. Most teams don't have an explicit catalogue.

02, ESSENTIAL EIGHT MATURITY

Essential Eight Maturity Level 2 is required by procurement; we're at ML1 and don't know how to get to ML2.

ML2 requires application control, patch automation, universal MFA, and restricted admin privileges. Most teams have parts but not all eight mitigations at ML2 simultaneously.

03, ASSESSMENT READINESS

The IRAP documentation pack is dense and we don't have a CISO who's been through assessment before.

ISM controls evidence, ASD-aligned configuration, and the Consumer Guide-format documentation an IRAP assessor expects are a significant uplift from typical SaaS security posture.

What You'll Get

From IRAP-aware to assessment-ready, in three streams.

Stream A · Assessment

Scope of Work

  • AWS service inventory vs IRAP-eligible catalogue (168 services)
  • ISM controls mapping for your workload
  • Essential Eight maturity uplift assessment
  • Pre-IRAP-assessment readiness gap analysis
  • ASD-aligned reference architecture review
Stream B · Deliverables

  • IRAP-aligned AWS reference architecture
  • ISM controls evidence pack (assessor-ready)
  • Essential Eight ML2 implementation plan
  • AWS Audit Manager IRAP framework deployment
  • Pre-assessment readiness checklist + walkthrough
  • IRAP assessor introduction (we partner with several certified IRAP assessors)
Stream C · Timeline

  • Assessment: 4 weeks
  • Implementation: 8-12 weeks (scope-dependent)
  • IRAP assessment booking: ~6-12 weeks lead time (assessor-managed)
  • Founder + AWS-certified engineer throughout
  • Annual IRAP refresh option
  • Compatible with existing ISO 27001 evidence
Past Engagement Outcomes

What IRAP-ready architecture delivers

Outcomes from engagements with Australian SaaS, FinTech, and HealthTech providers preparing for IRAP-PROTECTED assessment to win Australian government contracts.

168 IRAP-eligible services in catalogue
ML2 Essential Eight baseline achieved
100% ISM controls mapped to evidence
0 Non-eligible services in scope
Built on Certified Foundations

Built for ASD ISM and ACSC Essential Eight.

AWS Advanced Tier · ISO/IEC 27001:2022 · ISO 9001:2015 · IRAP-Aware

Our ISO 27001:2022 Annex A controls map to ~75% of ISM controls. We deploy AWS Audit Manager with the IRAP framework, Identity Center for access control, Systems Manager for patching automation, and WAF + Inspector for application hardening, covering all 8 Essential Eight mitigations to ML2.

Mini Case Study

How an Australian SaaS achieved IRAP-PROTECTED-ready in 12 weeks

A B2B SaaS provider in Sydney was losing federal government deals to competitors with IRAP assessment. Their leadership had budgeted 18 months and over six figures to achieve assessment-readiness. They engaged us to compress the timeline.

We started with a 4-week assessment mapping their existing AWS architecture to ISM controls and Essential Eight requirements. The gap analysis identified 23 specific changes: 12 in identity/access (Identity Center, IAM Access Analyzer), 6 in patching (Systems Manager Patch Manager), 3 in application control, and 2 in backup architecture.

Implementation ran 8 weeks. We deployed Audit Manager with a custom IRAP framework, automated patch management, configured WAF with managed rules, and produced the Consumer Guide-format documentation IRAP assessors expect. We introduced them to a certified IRAP assessor for the actual assessment booking. Total elapsed time from engagement start to IRAP-ready: 12 weeks.

We expected 18 months. HAZERCLOUD got us assessment-ready in 12 weeks. The IRAP assessor we worked with said our documentation was the cleanest she'd seen this year.
— CISO · Sydney B2B SaaS (anonymized)

Outcomes

Time to IRAP-ready: 12 wks
Essential Eight ML achieved: ML2
ISM controls automated: 75%
Assessment cost saved: ~40%
Government deals unlocked: 3
Engagement Options

Two phases. Pre-assessment cost-clarity. Practitioner-led.

Most engagements split foundation + implementation. IRAP assessment fees (paid to the certified IRAP assessor) are separate. Most clients save significantly vs equivalent Australian boutique pricing.

Stage 01

IRAP-Readiness Assessment

  • AWS service inventory vs IRAP-eligible (168 services)
  • ISM controls mapping for your workload
  • Essential Eight maturity baseline assessment
  • Pre-assessment readiness gap analysis
  • ASD-aligned reference architecture review
FAQ

IRAP questions Australian SaaS founders ask first.

ISM vs Essential Eight? PROTECTED vs OFFICIAL: Sensitive? Australian-resident-only personnel requirements? Book a call and we'll work through your specific situation.

What's the difference between IRAP, Essential Eight, and ISM?
ISM (Information Security Manual) is the control framework: it defines what controls are required. Essential Eight is a baseline subset of mitigations published by ASD. IRAP (Information Security Registered Assessors Program) is the assessment program: independent assessors evaluate your environment against ISM controls. You implement Essential Eight + ISM controls, then an IRAP assessor validates.
Can we use AWS services that aren't on the IRAP-assessed list?
You can use them, but they're outside your IRAP assessment boundary. For PROTECTED data, only IRAP-eligible services should be in scope. Most teams architect a tiered approach: PROTECTED workloads use only the 168 assessed services; non-PROTECTED workloads use the full AWS catalogue. We map this boundary explicitly.
How long does an actual IRAP assessment take?
From booking the assessor to receiving the assessment report: typically 6-12 weeks. Lead time to book a certified IRAP assessor is currently 2-3 months, so start that process early. Our pre-assessment readiness work happens in parallel with the assessor scheduling.
What's the difference between PROTECTED and OFFICIAL: Sensitive classifications?
OFFICIAL: Sensitive is the entry-level classification for routine government data with confidentiality requirements. PROTECTED is one level higher, covering more sensitive government information. Most enterprise SaaS targeting government goes for PROTECTED. Higher classifications (SECRET, TOP SECRET) require sovereign cloud and Australian-resident-only personnel.
Do we need Australian-resident personnel for IRAP-PROTECTED workloads?
PROTECTED workloads typically don't require Australian-resident-only personnel; that's a higher-classification requirement. However, individual government departments can specify Australian-resident-only requirements in procurement. Our delivery model (India-resident AWS-certified engineers) is acceptable for most PROTECTED commercial workloads, but not for the highest-classification government contracts.
How does ISO 27001:2022 map to ISM controls?
ISO 27001:2022 covers ~75% of ISM controls. The remaining ~25% is mostly ISM-specific (e.g., classification handling, ASD-specific cryptographic standards, Australian-government-specific incident reporting). We map your existing ISO evidence to ISM controls so you don't duplicate work, which typically saves 4-6 weeks of evidence collection.
Jobin Joseph, Founder & CTO of HAZERCLOUD
AWS SA Pro · DevOps Pro · Security · +2
Who You'll Actually Work With

This engagement runs through me, personally.

The AWS-certified specialist on your discovery call leads the implementation team on your engagement. No bait-and-switch. No junior-led delivery.

Discovery call: I attend, no exceptions
Architecture sign-off: before any work begins
Weekly review: I'm on every call, every week
Material decisions: go through me first
Deliverable sign-off: my signature, my reputation
30 days post-handoff: direct line to me
Ready to win Australian government deals?

30 minutes with our founder. One IRAP gap identified.

We'll review your AWS architecture against IRAP-PROTECTED requirements, identify the most critical missing piece (typically Essential Eight ML2 gaps or non-eligible service usage), and tell you what assessment-readiness actually costs and how long it takes.

AWS Advanced Tier Services Partner · ISO 27001:2022 · ISO 9001:2015 · 5× AWS-Certified Founder