Australian Government information classifications run from OFFICIAL through OFFICIAL: Sensitive, PROTECTED and SECRET to TOP SECRET, set by the damage a compromise would cause. The owning agency sets the level, not the provider. For IRAP, the ISM control set is the same at OFFICIAL: Sensitive and PROTECTED; SECRET adds physical, personnel and network controls.
What are the Australian Government information classifications?
A classification is not a label you pick to look careful. It is the output of a harm test the government calls the business impact level: how much damage a compromise of the information would do to the national interest, to organisations, or to individuals. Set the harm, and the marking follows.
There are two sensitivity markings and three security classifications. UNOFFICIAL covers information that is not part of official duties. OFFICIAL is the routine level for most government work. OFFICIAL: Sensitive sits above it. Above that line the information is security classified: PROTECTED, then SECRET, then TOP SECRET. Each step up means a higher impact level and stricter handling, storage, access and disposal under the Protective Security Policy Framework.
What does each classification mean?
The marking tells a reader two things at once: how sensitive the information is, and how much protection it must carry. The damage descriptors are deliberately blunt.
| Marking | What it covers | Harm if compromised |
|---|---|---|
| OFFICIAL | Routine government information, low business impact | No or insignificant damage |
| OFFICIAL: Sensitive | Sensitive information needing limited distribution | Limited damage to the national interest, organisations or individuals |
| PROTECTED | Valuable, sensitive information | Damage to the national interest, organisations or individuals |
| SECRET | Very valuable, sensitive information | Serious damage to the national interest |
| TOP SECRET | The most sensitive national security information | Exceptionally grave damage to the national interest |
Who sets the classification, and why does it decide your scope?
The agency that owns the information sets the classification. Not the provider, not the assessor. This catches cloud and SaaS teams who assume they can self-select a lower level to keep the assessment small. You cannot. If a system will hold an agency’s PROTECTED data, it is a PROTECTED system, whatever you would prefer.
It matters because the classification drives everything downstream: the ISM controls in scope, the clearances your people need, and the assessment boundary. Confirm the level in writing with the agency before you scope, and check whether you even need an IRAP assessment in the first place. Guessing high wastes money. Guessing low means a reassessment.
How does the classification change an IRAP assessment?
Here is the part most providers get wrong. Moving from OFFICIAL: Sensitive to PROTECTED does not change the ISM control set. It is the same set of controls at both levels. What changes is the physical security of where the system runs, the personnel clearances of the people who operate it, and the network it connects to.
The real jump is into SECRET. SECRET adds further physical, personnel and network controls on top, and the bar for clearances rises. So the gap in cost and time between PROTECTED and SECRET is wider than the gap from OFFICIAL: Sensitive to PROTECTED, even though both look like a single rung on the ladder. An IRAP assessment measures whichever set applies against the Information Security Manual, and the classification is what selects that set. The complete IRAP guide walks the rest of the process.
What about TOP SECRET and caveats?
Two things sit outside the usual cloud path. TOP SECRET systems are handled inside accredited government environments, not assessed through the commercial cloud route that covers OFFICIAL: Sensitive to SECRET. If your roadmap mentions TOP SECRET, that is a different conversation and a different environment.
Caveats are the second. A caveat is an extra warning of special handling stacked on top of a classification, and it is mandatory where it applies. Caveats attach to PROTECTED or higher; they cannot be applied to OFFICIAL or OFFICIAL: Sensitive. One older marking, the NATIONAL CABINET caveat, is being phased out as National Cabinet is no longer a committee of Cabinet. For cloud and SaaS providers, the classification and any caveat together decide what an IRAP assessment of your service must cover.
Frequently asked questions
No. The agency that owns the information sets the level under the PSPF business impact levels. Confirm it in writing before you scope the system.
No. The ISM control set is the same at both. What differs is physical security, personnel clearances and network obligations.
No. TOP SECRET is handled inside accredited government environments, not the commercial cloud IRAP route that covers OFFICIAL: Sensitive to SECRET.
Within 24 months under PSPF requirement 0109, against the latest ISM at the time of assessment.
Written by Gaurav Vikash, an ASD-endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- Protective Security Policy Framework, sensitive and classified information, PSPF Annual Release 2024
- Security classifications and protective markings, Australian Government Style Manual, 2026
- Information Security Manual (ISM), ASD, June 2026
Last updated: 21 June, 2026
