Cyber security compliance, explained
Plain English guides related to IRAP, Essential Eight, ISO 27001 and 42001, SOC 2 and vCISO.
Browse by framework
Start here: the six framework guides
The pillar guide for each framework, the best place to begin.
Latest Guides
- Entity Assessor vs IRAP Assessor: What’s the Difference?
  Not every ISM assessment needs an IRAP assessor. When your own assessors can do the work, when an independent IRAP assessor is…
- IRAP and the Hosting Certification Framework: How They Fit Together
  The Hosting Certification Framework certifies the provider; IRAP assesses the system against the ISM. What each covers, the three HCF levels, and…
- How Often Do You Need an IRAP Assessment? The 24 Month Rule Explained
  There is no annual IRAP cycle. The working rule is the 24 month limit in PSPF requirement 0109, with a material change…
- IRAP vs FedRAMP: What’s the Difference and Which Do You Need?
  IRAP and FedRAMP are the cloud security regimes of two different governments. What each assesses against, who runs it, which you need,…
- ISM June 2026 Changes: The New AI Controls Explained
  The ISM June 2026 update adds four AI controls and broadens a cryptography rule. What changed, who it applies to, and whether…
- What Classification Does Your Government Cloud Need?
  The classification of a government cloud is set by the owning agency, not the provider. What OFFICIAL: Sensitive, PROTECTED and SECRET mean…
- IRAP for SaaS and Cloud Providers: What You Need to Know
  IRAP for SaaS and cloud providers explained: what the assessment covers, how the shared responsibility model works, which classification to choose, and…
- Australian Government Information Classifications: OFFICIAL to SECRET
  Australian Government information classifications run from OFFICIAL to SECRET. Who sets the level, what each means, and what changes in an IRAP…
- Essential Eight vs ISM vs IRAP: How the Three Fit Together
  The Essential Eight, the ISM and IRAP are not rival choices. They are three layers of one ASD system, and which you…
- What Is the ISM? The Australian Government Information Security Manual Explained
  The Information Security Manual (ISM) is the ASD catalogue of cyber security controls that Australian government systems, and IRAP assessments, are measured…
- Essential Eight Maturity Levels (ML0 to ML3) Explained
  ASD's Essential Eight maturity model has four levels. What ML0 to ML3 mean, why your weakest strategy sets the score, and which…
- Essential Eight Assessment Cost in Australia
  What an Essential Eight assessment costs in Australia, what drives the price, and why reaching Maturity Level Two is the larger spend.
