IRAP vs ISO 27001: Which Does Your Business Need?

Short answer: ISO 27001 certifies your information security management system against an international standard. IRAP assesses one specific system against the Australian Government’s Information Security Manual. One ends in a certificate, the other in a report with no pass mark. If you sell cloud or SaaS to government, ISO 27001 helps you prepare, but it does not replace IRAP.

Many providers reach for ISO 27001 first because it is recognised everywhere, then find a government tender asking for IRAP. The two overlap enough to be confused, yet they answer different questions for different buyers. This article compares what each one is, where they meet, and how to choose.

What is the difference between IRAP and ISO 27001?

They are not two grades of the same thing. ISO 27001 is an international standard. An accredited certification body audits your information security management system, the ISMS, and if it conforms you hold a certificate recognised worldwide. The subject is the management system: how you govern security, run risk and improve across the organisation.

IRAP is different in kind. An ASD-endorsed assessor examines one specific system against the controls in the Information Security Manual and writes a report on its strengths, weaknesses and residual risks. One system, one Australian control set, one purpose: to help a government authorising officer decide whether to let that system operate.

The outcome is the cleanest tell. ISO 27001 gives you a certificate. IRAP gives you a report. There is no IRAP certificate and no pass mark, because the decision to accept the residual risk belongs to the authorising officer, not the assessor and not ASD. ASD stopped certifying systems in 2020.

How do IRAP and ISO 27001 compare at a glance?

The table below sets the two side by side. For the wider picture, see the complete guide to IRAP assessment.

Attribute         IRAP                                              ISO 27001
Owner             Australian Signals Directorate                    International Organization for Standardization
What is assessed  A specific system against the ISM                 Your information security management system
Geography         Australia, government context                     International
Outcome           An assessment report and control matrix           A certificate
Pass or fail      No, the agency makes a risk-based decision        Yes, you conform or you do not
Who decides       The government authorising officer                An accredited certification body
Typical trigger   Selling cloud or SaaS to government               Customer and market expectation, global trust
Validity          Reassess within 24 months for cloud providers     Three-year cycle with surveillance audits

Where do IRAP and ISO 27001 overlap?

More than people expect, which is why one gets mistaken for the other. Access control, cryptography, logging, incident response, supplier management and risk management appear in both. Industry estimates put the control intent overlap at around 60 to 70 per cent, though treat that as indicative, not a measured figure. If you run a mature ISMS you already hold the documentation discipline and evidence habit an IRAP assessment leans on.

That overlap is genuine preparation. It does not make the two equivalent. The ISM is more prescriptive than ISO 27001 Annex A, it is revised through the year, and it carries Australian Government requirements ISO 27001 never touches, from personnel clearances to network obligations by classification. IRAP also goes deep on one system, where ISO 27001 certifies a management system across a scope you define.

Which one does your business need?

Decide on the buyer and the data, not the brand.

  • If you sell, or want to sell, cloud or SaaS that stores, processes or transmits Australian Government information at OFFICIAL: Sensitive or above, you will almost certainly need an IRAP assessment, because the Protective Security Policy Framework requires outsourced IT and cloud services holding government data to be IRAP assessed against the ISM before an agency uses them
  • If your aim is international trust, enterprise procurement confidence or a recognised baseline customers everywhere understand, ISO 27001 is the certification to hold
  • If you need both, common for SaaS vendors selling to government and the wider market, build the ISO 27001 management system first and use it as the foundation for IRAP

A short test: a government agency handing you PROTECTED data points to IRAP; a global enterprise wanting assurance points to ISO 27001. Many providers need both.

Can you reuse ISO 27001 work for IRAP?

In part, yes. Your Statement of Applicability, risk assessment, policies and evidence repository all cut the preparation effort for IRAP, and a working management system means the assessor waits less on documentation, which is where most IRAP cost sits. What you cannot do is swap the certificate for the assessment. The IRAP assessment still runs, against the ISM, on your specific system, and the agency still makes its own authorisation decision. A certificate is not an authorisation.

If you are weighing the two for a government deal, Cybernion provides independent IRAP assessments and readiness.

Frequently asked questions

Is IRAP a certification like ISO 27001?

No. ISO 27001 ends in a certificate. IRAP ends in an assessment report. ASD ceased certification in 2020, and an IRAP assessor does not certify, accredit or approve a system. The authorising officer in the consuming agency makes the risk-based decision to operate.

Do I need both IRAP and ISO 27001?

Often, yes. ISO 27001 serves international and enterprise customers, while IRAP is what lets you sell into Australian Government at higher classifications. They answer to different buyers and reinforce each other.

Does ISO 27001 make IRAP cheaper?

It can. The control overlap and the documentation maturity of a working management system reduce IRAP preparation effort, which is where most IRAP cost sits. It does not remove the assessment itself.

Which should I do first?

If you are starting from scratch and need both, ISO 27001 first is usually the smoother path. It builds the management system and evidence discipline an IRAP assessment then draws on.

Is ISO 27001 enough to sell to the Australian Government?

Usually not on its own for systems handling government data at OFFICIAL: Sensitive and above. The PSPF points to IRAP assessment for outsourced IT and cloud services, so ISO 27001 alone will rarely satisfy that requirement.

Written by Gaurav Vikash, an ASD-endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC, is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.

Last updated: 21 June, 2026