ISO 27001, IRAP & Essential Eight consulting for Canberra businesses.

Canberra's compliance requirements are distinct. Federal government procurement, Defence contracts, and PSPF obligations mean ISO 27001 alone often isn't enough — and IRAP without ISO 27001 leaves commercial procurement gaps. We deliver both, together.

The Canberra compliance landscape

More than any other Australian city, Canberra's compliance requirements are shaped by government frameworks. Most Canberra technology businesses need to navigate at least two overlapping systems.

Commonwealth Government procurement

Commonwealth agencies procure technology under the Digital Sourcing Framework and PSPF. Suppliers are expected to demonstrate Essential Eight ML2 as a baseline, with IRAP assessments required for systems handling PROTECTED information. ISO 27001 is increasingly asked for alongside these frameworks as assurance for security management over and above point-in-time technical controls.

Defence industry & DISP

Canberra's defence contractor community — from large primes to specialist SMEs — must hold DISP membership and maintain ISM-aligned security programmes. Essential Eight ML2 is the standard technical baseline. For contractors handling foreign military sales or classified information, ML3 and IRAP assessment are required. We deliver DISP readiness, ISM alignment, and Essential Eight uplift as a combined programme.

APS agencies & GovTech suppliers

APS agencies and the GovTech sector in Canberra face the same PSPF and Essential Eight requirements as other Commonwealth entities. Technology suppliers to APS agencies — particularly those delivering SaaS, cloud platforms, or managed services — must demonstrate security maturity that matches the agency's risk appetite. ISO 27001 plus Essential Eight is the standard combination.

Whole-of-government SaaS

Canberra SaaS companies building for whole-of-government markets face a distinctive requirement set: Essential Eight for ASD alignment, ISO 27001 for enterprise commercial customers, and potentially IRAP for systems accessing government data classified above OFFICIAL. Getting all three from a single control set is achievable — and significantly cheaper than three sequential programmes.

IRAP, Essential Eight, and ISO 27001 — how they fit together

Canberra businesses often need to navigate all three. They're not duplicates — they serve different purposes and different audiences.

Framework: Essential Eight ML2
Purpose: ASD technical security controls — patching, MFA, backups, application control, and four others. Demonstrates baseline cyber hygiene.
Who asks for it: Commonwealth agencies, PSPF-obligated entities, defence primes

Framework: IRAP Assessment
Purpose: Independent assessment of a specific system against the ISM. Required for systems processing PROTECTED or above information.
Who asks for it: Commonwealth agencies where data is PROTECTED or above

Framework: DISP Membership
Purpose: Defence Industry Security Program — demonstrates capability to protect Australian Government information in defence contracts.
Who asks for it: Defence primes, Defence contractors, CASG procurements

Framework: ISO 27001
Purpose: International standard for information security management systems. Produces an internationally recognised certificate from an accredited body.
Who asks for it: Enterprise customers (AU & international), cyber insurers, boards, commercial procurement

Most Canberra technology businesses need Essential Eight + ISO 27001 as a baseline, with IRAP and DISP added where Defence or PROTECTED-system work is in scope. We deliver combined programmes that use a single control set and evidence base for all applicable frameworks — significantly reducing cost and effort versus running them separately.

Services for Canberra businesses

DISP / ISM / IRAP

Defence Industry Security Program membership, ISM alignment, and IRAP assessment readiness. The most Canberra-specific service we deliver. We prepare your system documentation, security plan, and IRAP evidence pack for independent assessor review.

Essential Eight ML2 / ML3

ASD Essential Eight maturity uplift. Commonwealth baseline is ML2. Defence and high-risk systems require ML3. Delivered using Intune, Defender, and Entra — tools already included in your Microsoft 365 licence.

ISO 27001 Certification

Full ISMS build and Stage 1/Stage 2 audit support for Canberra technology businesses. Satisfies commercial enterprise procurement requirements that IRAP and Essential Eight don't cover. Often combined with Essential Eight in a single engagement.

ISO 42001 AI Governance

AI Management System for Canberra businesses building GovTech AI products. The Australian Government's AI Safety Standard and emerging APS AI policy expectations align closely with ISO 42001's requirements.

ISO 27701 Privacy

Privacy Information Management System aligned to the Privacy Act 1988 and Australian Privacy Principles. Relevant for Canberra businesses handling APS employee data, citizen data, or sensitive government information.

NIST CSF 2.0

NIST CSF implementation for Canberra businesses with US Government customers, Five Eyes partners, or US parent companies requiring NIST-aligned security programmes alongside Australian frameworks.

Common questions from Canberra clients

Do I need IRAP if I already have ISO 27001?

Yes, if your system processes information classified at PROTECTED or above. ISO 27001 satisfies commercial enterprise procurement. IRAP is required specifically for government classified systems. The two are complementary — ISO 27001 covers the management system, IRAP assesses the specific system against the ISM.

What Essential Eight level do Commonwealth suppliers need?

ML2 is the baseline for most Commonwealth systems under current PSPF guidance. ML3 is required for systems with higher risk classifications. We assess your specific obligation and deliver uplift to the required level — not a level higher than necessary.

Can ISO 27001 and Essential Eight be delivered together?

Yes — and this is one of our most common Canberra engagements. The control overlap is substantial: most Essential Eight controls map directly to ISO 27001 Annex A controls. A combined engagement delivers both from a single control set and evidence base, saving 30–40% versus sequential programmes.

How long does IRAP assessment readiness take?

IRAP readiness (preparing system security documentation, SSSP, and evidence for an independent IRAP assessor) typically takes 6–10 weeks depending on system complexity and current documentation maturity. The IRAP assessment itself is conducted by an independent assessor; we prepare you for it, we do not conduct it.

We also work with clients in

Brisbane: Our HQ — Queensland
Sydney: Enterprise & fintech
Melbourne: Healthcare & financial services

Ready to scope your Canberra engagement?

A free 30-minute call covers which frameworks apply to your situation, what the fastest path looks like, and a fixed-price estimate. IRAP, Essential Eight, ISO 27001, or all three — we'll tell you what's actually required.
