Melbourne, Australia – August 8, 2025. As the newly appointed CISO of 6clicks, a leading AI-powered Governance, Risk, and Compliance (GRC) platform, I am thrilled to announce that we have successfully completed an Information Security Registered Assessors Program (IRAP) assessment for our Australian Government instance. This rigorous independent assessment, performed by Phronesis Security Pty Ltd between May 2025 and July 2025, validates our commitment to providing a secure and compliant platform for Australian Government agencies.
The 6clicks platform is an enterprise risk, compliance, and cybersecurity software solution designed to assist users in the storage, management, and maintenance of cybersecurity GRC artifacts and assessment materials. It offers capabilities for assessment and audit, risk management, and controls and policies. For government agencies, we aim to provide assurance that the underlying services consumed and provisioned are deployed and operated securely and in a risk-appropriate manner, aligned with the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) control framework.
The assessment specifically covered our Australian Government instance, which is hosted within a dedicated environment in the Microsoft Azure Australia Central 1 region (Canberra). This instance is logically separated from our other commercial offerings. The assessment was conducted against the OFFICIAL: Sensitive classification level of the March 2025 version of the ISM.
A significant strength highlighted in the assessment is our strategic adoption of Microsoft Azure Services, which allowed for the inheritance of a substantial portion of in-scope ISM controls. These inherited controls were confirmed to be effectively implemented, leveraging Microsoft Azure’s own successful IRAP assessment at the PROTECTED classification level. Additionally, Cloudflare, which provides Web Application Firewall (WAF) and Distributed Denial of Service (DDoS) protection for our platform, has also undergone an independent IRAP assessment at the PROTECTED classification level. We demonstrated a mature understanding of the cloud provider’s shared responsibility model, ensuring that services requiring customisation met ISM requirements.
The report further noted that we are a highly cybersecurity-conscious organisation with a mature compliance function requiring adherence to multiple security frameworks. Evidence throughout the assessment indicated that robust, secure-by-design principles had been implemented throughout the development, deployment, and ongoing management of our environment. Key strengths include:
- Leveraging a serverless compute environment with Microsoft Azure services for the delivery of the platform and associated services
- Extensive and comprehensive information security governance documentation and processes, supported through our ISO/IEC 27001 and ISO/IEC 42001-certified management systems
- Robust and secure software development practices and lifecycle (SDLC), with ongoing security vulnerability assessment and annual penetration testing performed by independent third parties, and timely mitigation of findings
- Comprehensive, centralised, and real-time monitoring and alerting of security events within the environment through tightly integrated security event monitoring services built into the Azure ecosystem, including Azure Sentinel and Azure Security Center
- A robust risk management and information security culture, with all stakeholders interviewed clearly aware of their roles and responsibilities in supporting the security of the platform and wider business
- No notable security incidents recorded or reported in the last 12 months
As an Australian-owned company with an Australian board and shareholders, we operate and manage our Australian Government platform from within Australia, with our team members holding Australian citizenship and relevant security clearances. This commitment to local operations further strengthens trust and reinforces our security posture for Australian Government entities. While opportunities for improvement identified in the assessment remain under ongoing review and investigation for remediation based on risk and benefit, we maintain a well-managed environment and are proactive in addressing changes that may impact security.
This successful IRAP assessment underscores our dedication to meeting the highest standards of cybersecurity and compliance for our government clients, enabling them to confidently manage their GRC needs.
For more information, please refer to the detailed 6clicks IRAP Assessment Report (PR2502008) and Authorisation Package, available upon request.
6clicks is transforming cyber risk and compliance management with its AI-powered platform, featuring the pioneering Hub & Spoke architecture tailored for federated businesses, advisors, and managed service providers (MSPs). As the first platform to introduce an AI engine specifically designed for GRC, 6clicks delivers a smarter approach to managing cyber risk and compliance. The 6clicks business model is channel-aligned, and SaaS licensing is transparent and straightforward with unlimited user access and access to frameworks. With a sales and support operations presence across APAC, EMEA, and NA, and private cloud hosting options on Microsoft Azure, 6clicks equips cyber leaders and professionals to build resilient, trusted, and scalable cyber risk and compliance programs, disrupting traditional GRC solutions and setting a new standard in the industry.