IRAP-ready GRC: What the ASD Common Assessment Framework means for you

Written by Andrew Robinson | Jun 04, 2026

TL;DR

  • The Australian Signals Directorate (ASD) released the IRAP Common Assessment Framework v1.0 in April 2025, standardising how ICT systems are assessed against the Information Security Manual (ISM) and Protective Security Policy Framework (PSPF). 

  • For government, defence, and critical infrastructure organisations evaluating GRC platforms, the bar is now higher, and the key question is whether your platform can operate inside the environments being assessed.

  • 6clicks is sovereign GRC infrastructure built for where the cloud does not reach: deploy on your terms (SaaS, sovereign cloud, self-hosted, or the 6clicks GRC Appliance), run AI-native GRC workflows with Hailey, and connect into constrained stacks via agentic connectivity.

The Australian government just made it harder to wing your GRC platform selection. The ASD's release of the IRAP Common Assessment Framework v1.0 is a signal to every technology vendor operating in the government and defence supply chain: if your platform can't demonstrate a rigorous compliance posture, you're not in the running.

At 6clicks, we've spent years building GRC infrastructure for organisations that can't afford gaps: critical infrastructure operators, defence primes, and regulated government agencies. What this framework codifies is something I've seen firsthand: most GRC platforms are built for commercial SaaS environments, not for the environments where Australia's most sensitive data actually lives.

Here's what the new framework means, and why it matters for how you evaluate your GRC stack.

The importance of the IRAP Common Assessment Framework

In April 2025, the ASD published the Infosec Registered Assessors Program (IRAP) Common Assessment Framework v1.0. This document standardises the methodology used to assess information and communications technology (ICT) systems (covering cloud services, gateways, and on-premises systems) against the ISM and PSPF.

This isn't a minor update. It's a codification of the assessment rigour that government agencies have been demanding informally for years. Systems handling sensitive government data must now be evaluated against a consistent, documented methodology. The rollout of the Common Assessment Framework coincided with updates to IRAP training and quality assurance processes, including the introduction of a formal Quality Assurance Framework to improve assessor development, consistency, and assessment rigour.

For any organisation in the government or defence supply chain, or any technology vendor seeking to operate in those environments, this framework changes the procurement conversation.

What does IRAP assess, and what does it mean for your GRC platform?

IRAP assessments evaluate whether ICT systems adequately implement the controls outlined in the ISM, Australia's primary cybersecurity framework for government.

Rather than prescribing a fixed checklist, the assessment scope is defined by the system boundary and evaluates control implementation across people, processes, technology, and supporting evidence. In practice, this typically includes areas such as:

  • System architecture and data flows
  • Access controls and identity management
  • Incident detection and response capability
  • Data handling, storage, and residency
  • Vendor and supply chain risk controls
  • Deployment environment and hosting arrangements

For a Governance, Risk, and Compliance (GRC) platform specifically, this creates a layered challenge. The GRC tool itself must be IRAP-assessable, meaning it must be deployable in an environment that meets ISM controls. It must also be capable of managing IRAP-related compliance obligations across the broader technology estate. Most commercial GRC platforms fail on both counts.

Why cloud-first GRC platforms struggle with IRAP requirements

The vast majority of GRC platforms on the market are built as multi-tenant, cloud-hosted SaaS products. That works for commercial environments. It doesn't work when:

  • Data must remain within Australia (or within a specific environment)
  • The assessment environment requires physical or logical separation
  • Air-gapped or restricted networks are in scope
  • The platform itself must be assessed as part of the ICT estate

For government and defence organisations, cloud-first means cloud-only, and cloud-only means disqualified.

The 6clicks sovereign GRC model: Built for IRAP environments

At 6clicks, we designed our platform architecture around three deployment principles that align directly with what IRAP assessments require. Here's the model:

Layer 1: Sovereign infrastructure — deploy and localise on your terms

We don't require you to send your data to our cloud. 6clicks can be deployed across four deployment modes:

  • Hyperscaler SaaS (for commercial environments)
  • Sovereign cloud (for data residency requirements)
  • Self-hosted (inside your own infrastructure)
  • The 6clicks GRC Appliance (certified hardware for environments where the cloud is not an option)

The self-hosted and certified appliance deployment options are specifically relevant for IRAP-assessed environments, where the platform must operate inside the boundary of the system being assessed.

Layer 2: GRC Core — your intelligent risk and compliance engine (Hailey AI)

6clicks Hailey, our AI engine, is built into GRC workflows rather than bolted on as a feature. It operates entirely within your environment, processing data locally without requiring external cloud services, which keeps it aligned with sovereign, air-gapped, and IRAP-assessed deployments.

This means:

  • Evidence is ingested, classified, and mapped to ISM controls automatically
  • The GRC Knowledge Graph builds program memory across assessments, so teams don't restart from zero each cycle
  • Human-in-the-loop validation is preserved: Hailey supports internal teams in drafting policies, controls, and assessment responses, with human review embedded throughout the process

Layer 3: Agentic Connectivity — connect into any tech stack or agent

IRAP-assessed environments often include legacy systems, operational technology (OT) networks, and restricted connectivity. 6clicks supports:

  • IT/OT integration for evidence collection across complex system boundaries
  • A command-line interface (CLI) for restricted environments where API connectivity isn't possible
  • Agent and Model Context Protocol (MCP) layers for continuous evidence monitoring and automated control validation

6clicks IRAP-readiness checklist

Use this checklist to evaluate whether your GRC platform is genuinely ready for IRAP-assessed environments:

  • [ ] Flexible deployment model — Can the platform be deployed in a self-hosted or air-gapped configuration?
  • [ ] Data residency controls — Does the platform support Australian data residency and sovereign cloud deployment?
  • [ ] ISM control library — Is the ASD ISM pre-mapped and maintained as native content within the platform?
  • [ ] PSPF alignment — Can the platform manage obligations across both ISM and PSPF in a unified view?
  • [ ] Evidence ingestion and mapping — Can the platform ingest evidence from disparate sources and map it to ISM controls automatically?
  • [ ] Audit trail and version control — Does the platform maintain a defensible, timestamped audit trail for assessors?
  • [ ] Hub & Spoke architecture — Can the platform manage multiple assessed systems or entities from a single program view?
  • [ ] OT and legacy connectivity — Does the platform support evidence collection from non-standard or restricted network environments?
  • [ ] Human-in-the-loop controls — Are AI-generated outputs subject to mandatory human review and approval workflows?
  • [ ] Assessor-ready reporting — Can the platform produce assessment-ready reports aligned to IRAP evidence requirements?

6clicks meets every item on this list. Most platforms on the market do not.

How 6clicks helps you operationalise the ISM and be IRAP-ready

Being IRAP-ready demands more than just passing a point-in-time assessment. It's about building a GRC program that can sustain compliance across assessment cycles, system changes, and evolving ISM requirements.

With 6clicks, government and defence organisations can:

  • Deploy the platform inside their assessed environment, not as an external SaaS tool, but as a native part of their ICT estate
  • Map existing controls to ISM requirements using AI and pre-built content from the 6clicks Content Library, reducing manual effort
  • Use Hailey to continuously monitor evidence currency and flag controls that require refresh before the next assessment cycle
  • Manage multi-entity or multi-system IRAP programs through Hub & Spoke, where each assessed system has its own workspace, but evidence and reporting roll up to the program level
  • Generate assessment-ready output that assessors can actually use: not raw data exports, but structured, auditable evidence packages

This is what GRC that works in restricted, high-security environments actually looks like in practice.

Frequently asked questions

What is the IRAP Common Assessment Framework and who does it apply to?

The IRAP Common Assessment Framework v1.0 is a document published by the Australian Signals Directorate (ASD) in April 2025. It standardises the methodology used by IRAP assessors when evaluating ICT systems, including cloud services, gateways, and on-premises systems, against the ISM and PSPF. It applies to any organisation seeking to have its systems assessed for handling Australian government or sensitive data, including defence contractors, critical infrastructure operators, and government agencies.

Does my GRC platform need to be IRAP-assessed to use it in a government environment?

Not necessarily, but the platform must either fall within the boundary of your IRAP-assessed system, or have its own IRAP assessment report that your agency has reviewed and accepted. If your GRC platform is a cloud-hosted SaaS product hosted by a third party, it may not meet the data handling and residency requirements of your assessed system. Platforms that support self-hosted or air-gapped deployment are far better positioned for IRAP-assessed environments.

How does the 6clicks GRC Appliance support IRAP compliance?

The 6clicks GRC Appliance is a certified hardware appliance that allows the entire 6clicks platform to run inside your own environment without any dependency on external cloud infrastructure. For IRAP-assessed systems that cannot use SaaS or external hosting, 6clicks GRC Appliance provides a deployable, assessable option that operates within your system boundary.

What ISM controls does 6clicks support out of the box?

6clicks includes a pre-built ISM content library that is maintained and updated as the ISM evolves. Controls are structured to support evidence mapping, gap analysis, and assessment-ready reporting. The platform also supports cross-mapping between ISM, PSPF, Essential Eight, and other frameworks relevant to Australian government environments.

How can I see 6clicks operating in a restricted or sovereign environment before I commit?

We're running a live webinar, GRC that works where others can't, specifically designed to show how 6clicks performs in complex, high-security environments. Join us to see the Sovereign GRC Stack in action, including self-hosted deployment, AI-native evidence collection, and Hub & Spoke program management.

Join us: GRC that works where others can't

Register for the webinar and see how 6clicks is purpose-built for the environments where other platforms fall short, including IRAP-assessed government and defence systems.