Regular IRAP Assessment of Cloud Service Providers
Cloud service providers must undergo an IRAP review at least every 24 months.
Plain language
Cloud service providers are companies you hire to store or manage your data online. Under this control they must be independently assessed at least every two years through IRAP (ASD's Infosec Registered Assessors Program), against the current version of the ISM. This matters because a provider that has drifted from the ISM may be less secure than you assume, and a leak or misuse of your data could harm your business or reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Outsourced cloud service providers and their non-classified, OFFICIAL: Sensitive, PROTECTED and SECRET cloud services undergo an IRAP assessment, using the latest release of the ISM available prior to the beginning of the IRAP assessment (or a subsequent release), at least every 24 months.
Why it matters
Without IRAP assessments at least every 24 months, cloud services may drift from ISM controls and retain undiscovered weaknesses, increasing breach risk for OFFICIAL: Sensitive to SECRET data.
Operational notes
Schedule IRAP assessments for each cloud service at least every 24 months and ensure assessors use the latest ISM release available before the assessment starts (or a later release).
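The two conditions in the control statement are easy to get wrong in a tracking spreadsheet: the interval between assessments must not exceed 24 months, and the ISM release used must be the latest one published before the assessment began, or a later one. The following Python script is an added example written for this page (not code from ASD or any assessor); it encodes both conditions and runs them over a constructed provider inventory. The ISM release labels and publication dates, the provider names, the assessment dates and the function names are all assumptions made for the example, and the choice to run the 24-month clock from the completion of one assessment to the completion of the next is an interpretation, not something the ISM states.

```python
import calendar
from dataclasses import dataclass
from datetime import date

MAX_INTERVAL_MONTHS = 24  # ISM-1570: an IRAP assessment at least every 24 months


@dataclass(frozen=True)
class IsmRelease:
    label: str
    published: date


# Constructed ISM release calendar for this example. Labels and dates are
# assumptions, not the real ASD publication history.
ISM_RELEASES = [
    IsmRelease("2022-12", date(2022, 12, 8)),
    IsmRelease("2023-03", date(2023, 3, 16)),
    IsmRelease("2023-06", date(2023, 6, 15)),
    IsmRelease("2023-09", date(2023, 9, 14)),
    IsmRelease("2023-12", date(2023, 12, 7)),
    IsmRelease("2024-03", date(2024, 3, 14)),
    IsmRelease("2024-06", date(2024, 6, 13)),
    IsmRelease("2024-09", date(2024, 9, 12)),
    IsmRelease("2024-12", date(2024, 12, 5)),
    IsmRelease("2025-03", date(2025, 3, 13)),
]


@dataclass(frozen=True)
class Assessment:
    started: date      # day the IRAP assessment began
    completed: date    # day the assessment report was issued
    ism_release: str   # label of the ISM release the assessor used


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def latest_release_before(start: date) -> IsmRelease:
    """Newest ISM release published strictly before the assessment began."""
    available = [r for r in ISM_RELEASES if r.published < start]
    if not available:
        raise ValueError(f"no ISM release in the calendar before {start}")
    return max(available, key=lambda r: r.published)


def release_by_label(label: str) -> IsmRelease:
    for r in ISM_RELEASES:
        if r.label == label:
            return r
    raise KeyError(f"unknown ISM release label {label!r}")


def release_acceptable(a: Assessment) -> bool:
    """True if the release used is the latest available before the start, or later."""
    required = latest_release_before(a.started)
    return release_by_label(a.ism_release).published >= required.published


def next_due(a: Assessment) -> date:
    return add_months(a.completed, MAX_INTERVAL_MONTHS)


def check_service(history: list, today: date) -> list:
    """Findings for one cloud service given its full assessment history."""
    if not history:
        return ["no IRAP assessment on record"]
    findings = []
    ordered = sorted(history, key=lambda a: a.completed)
    # Assumption: the 24-month clock runs completion to completion.
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.completed > next_due(prev):
            findings.append(f"gap: {cur.completed} is after due date {next_due(prev)}")
    for a in ordered:
        if not release_acceptable(a):
            required = latest_release_before(a.started).label
            findings.append(f"stale ISM: assessment begun {a.started} used ISM "
                            f"{a.ism_release}, required {required} or later")
    last = ordered[-1]
    if today > next_due(last):
        findings.append(f"overdue: last completed {last.completed}, due {next_due(last)}")
    return findings


def run_checks(inventory: dict, today: date) -> dict:
    return {key: check_service(history, today) for key, history in inventory.items()}


# Constructed inventory: (provider, service, classification) -> assessment history.
SAMPLE_INVENTORY = {
    ("Example Cloud A", "Object storage", "PROTECTED"): [
        Assessment(date(2023, 4, 3), date(2023, 6, 30), "2023-03"),
        Assessment(date(2025, 2, 10), date(2025, 4, 25), "2024-12"),
    ],
    ("Example Cloud B", "Managed database", "OFFICIAL: Sensitive"): [
        Assessment(date(2025, 1, 10), date(2025, 3, 3), "2024-09"),  # 2024-12 was out
    ],
    ("Example Cloud C", "Virtual desktops", "SECRET"): [
        Assessment(date(2023, 3, 1), date(2023, 5, 15), "2022-12"),  # now past due
    ],
}

if __name__ == "__main__":
    for key, findings in run_checks(SAMPLE_INVENTORY, date(2025, 9, 1)).items():
        print(key, findings or ["OK"])
```

Two details are worth noting. A release published on the day the assessment begins is not "available prior to the beginning", so the comparison is strict, and `add_months` clamps the day so a 29 February completion date gives a due date of 28 February two years later rather than raising an error.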
Implementation tips
- The IT manager should keep a schedule of IRAP assessments for each outsourced cloud service provider. Start by asking each provider for its current IRAP assessment cycle (when the last assessment began and ended, and which ISM release it used) and arrange an assessment where none is scheduled. Track assessment dates and follow-ups in a calendar or project management tool so the 24-month interval is never exceeded.
- Procurement officers should ensure that new cloud service contracts require an IRAP assessment at least every 24 months, conducted against the latest ISM release available before the assessment begins (or a later release). Write the requirement into the vendor agreement, with timelines and responsibilities, and confirm that the provider understands it.
- The IT team should verify with providers that each IRAP assessment was conducted against the current ISM release. Keep a record of ISM release dates, ask providers to confirm which release each assessment used, and retain the confirmations for future audits or reviews.
- The compliance officer should review the outcome of each IRAP assessment. Obtain the report from the provider, check that it meets the organisation's security requirements for the classification of data involved, and where gaps are found, agree a remediation plan and timeframe with the provider.
- Management should allocate budget and resources for regular IRAP assessments as part of annual planning, so that funds are available when assessments fall due rather than found at short notice.
Audit / evidence tips
- Ask for a list of the cloud service providers used by the organisation, with the current IRAP status of each. Good evidence is a complete list showing recent or upcoming IRAP assessments.
- Ask to see the contracts with cloud service providers. Good evidence includes clear clauses that set out the 24-month IRAP assessment requirement.
- Ask to see the latest IRAP assessment reports from cloud service providers, and examine them for conformance with the ISM release that was current when each assessment began. Good evidence is a report that shows no major security issues, or a remediation plan in place for those found.
- Ask how the organisation tracks IRAP assessment dates. Good evidence is a well-maintained log or dashboard indicating completed and outstanding assessments.
- Ask for records of engagement with providers about assessment findings. Good evidence includes clear records of ongoing communication and issue resolution, where applicable.
Cross-framework mappings
How ISM-1570 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001

Partially meets (1)

| Control | Notes |
|---|---|
| Annex A 5.35 | ISM-1570 requires that outsourced cloud service providers undergo an independent IRAP assessment against the latest ISM release at least ... |

Partially overlaps (3)

| Control | Notes |
|---|---|
| Annex A 5.19 | ISM-1570 mandates periodic IRAP assessments for outsourced cloud service providers handling non-classified and classified data up to SECR... |
| Annex A 5.21 | ISM-1570 requires regular independent IRAP assessment of cloud service providers against the ISM, ensuring an objective security evaluati... |
| Annex A 5.22 | ISM-1570 requires outsourced cloud service providers and their relevant cloud services to undergo an IRAP assessment at least every 24 mo... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.