Essential Eight vs ISM vs IRAP: How the Three Fit Together

The Essential Eight, the ISM and IRAP are not three choices to weigh against each other. They are three layers of one ASD system. The ISM is the full control catalogue. The Essential Eight is its most effective subset, a baseline. IRAP is the independent assessment of a system against the ISM.

Are the Essential Eight, the ISM and IRAP three options to choose between?

No. They sit at different levels, so picking one against the others is the wrong question. The ISM is the catalogue of controls. The Essential Eight is a small, high-value subset of that catalogue. IRAP is the act of assessing a system against the ISM. One is a document, one is a slice of that document, one is an assessment. Line them up as rival products and the budget goes to the wrong place.

What is the ISM, and what does it cover?

The Information Security Manual is ASD’s cyber security framework. It holds hundreds of controls across governance, personnel security, physical security, system hardening, network security and incident response, applied through your own risk management framework rather than as a fixed checklist. ASD updates it through the year; the June 2026 release added AI application controls and renamed data protection to cryptographic protection. Both the Essential Eight and an IRAP assessment point back to it. The ISM is the source. The other two are ways of using it.

What is the Essential Eight, and how does it relate to the ISM?

The Essential Eight is eight prioritised mitigation strategies ASD derives from the ISM’s Strategies to Mitigate Cyber Security Incidents: patch applications, patch operating systems, multi-factor authentication, restrict administrative privileges, application control, restrict Microsoft Office macros, user application hardening and regular backups. Maturity runs across four levels, ML0 to ML3, and the weakest strategy sets your level. Non-corporate Commonwealth entities must reach Maturity Level Two across all eight, in force since 1 July 2022. Reaching that level is a baseline, not full ISM compliance: the eight cover a targeted slice, the ISM covers far more. The strategies and the maturity model have not changed since the November 2023 update, though ASD is now consulting on an evolution to a new Essentials series, still grounded in the ISM, with submissions open until 12 July 2026. How the Essential Eight maps onto the ISM sets out the overlap in detail.

What is IRAP, and where does it sit?

IRAP, the Infosec Registered Assessors Program, is run by ASD. An IRAP assessor independently assesses a specific system against the ISM and produces a report and a control matrix. It is not a certification, there is no pass mark, and ASD ceased certifying systems in 2020; the consuming agency’s authorising officer makes the decision to operate. Under the PSPF, outsourced IT and cloud services holding government information at OFFICIAL: Sensitive, PROTECTED or SECRET must be IRAP assessed against the ISM and reassessed within 24 months (Table 21 and requirement 0109). So IRAP is the assessment mechanism for the ISM. The Essential Eight is a slice of the same ISM. Different jobs, one source.

| Aspect | Essential Eight | ISM | IRAP |
|---|---|---|---|
| What it is | Eight prioritised mitigation strategies | ASD’s full cyber security control catalogue | Independent assessment of a system against the ISM |
| Scope | A baseline subset of the ISM | Governance, personnel, physical and technical controls | One system’s controls, point in time |
| Assessed or certified | Maturity assessed ML0 to ML3, no certificate | The reference set, not assessed as a whole | Assessor reports against the ISM, not a certification |
| Primarily for | Any organisation wanting a baseline; Commonwealth entities to ML2 | Anyone protecting systems to ASD guidance | Cloud and SaaS holding government data at OFFICIAL: Sensitive and above |
| Mandate | PSPF: non-corporate Commonwealth entities to ML2 since 1 July 2022 | Applied through your own risk framework | PSPF Table 21 and requirement 0109; reassess within 24 months |

Which one does your organisation actually need?

It depends on the buyer and the data, not on preference. A non-corporate Commonwealth entity has to meet the Essential Eight at Maturity Level Two as a floor, then look to the wider ISM for anything its risk assessment demands. A company selling cloud or SaaS to government that will hold information at OFFICIAL: Sensitive or above needs an IRAP assessment of that system against the ISM, however mature its Essential Eight is. Most organisations meet the Essential Eight first, because it is the cheapest uplift with the highest return, then take on the ISM and IRAP when a government buyer requires it. The ISM sits under both. Start there and the other two stop looking like competing standards.

The Essential Eight guide and the IRAP guide walk through each in full.

Frequently asked questions

Is the Essential Eight part of the ISM?

Yes. ASD derives the Essential Eight from the ISM’s Strategies to Mitigate Cyber Security Incidents and publishes a mapping between the eight strategies and ISM controls.

Does reaching Essential Eight maturity mean ISM compliance?

No. The Essential Eight is a targeted baseline. The ISM holds hundreds of controls across governance, personnel, physical, network and incident response that the eight do not touch.

Is IRAP a certification?

No. IRAP is an independent assessment of a system against the ISM. There is no pass mark and no certificate; the consuming agency’s authorising officer makes the decision to operate.

Do I need IRAP if I have done the Essential Eight?

They answer different questions. The Essential Eight is a baseline you can self-assess or have assessed. IRAP is required for outsourced IT and cloud services holding government data at OFFICIAL: Sensitive and above.


Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.


Sources:

  1. Information Security Manual, Australian Signals Directorate, June 2026
  2. Essential Eight explained, Australian Signals Directorate, 2026
  3. Essential Eight maturity model, Australian Signals Directorate, November 2023
  4. Consultation on evolution of the Essential Eight, Australian Signals Directorate, June 2026
  5. Infosec Registered Assessors Program (IRAP), Australian Signals Directorate, 2026
  6. Protective Security Policy Framework, Department of Home Affairs, 2024

Last updated: 21 June, 2026