The Hosting Certification Framework and IRAP answer different questions. The Hosting Certification Framework, run by the Department of Home Affairs, certifies a hosting provider’s ownership, control and supply chain. IRAP independently assesses a specific system against the Information Security Manual. A PROTECTED government workload in commercial cloud usually needs both.
Is the Hosting Certification Framework the same as IRAP?
No. They are run by different bodies, measure different things, and neither replaces the other. The Hosting Certification Framework certifies the provider: who owns and controls the facility, the supply chain behind it, and whether the Australian Government can rely on where its data sits. IRAP looks inside a system and tests it against the Information Security Manual. One is about the host, the other about what is hosted.
Providers and buyers blur the two constantly. Being IRAP assessed does not make a data centre HCF certified, and an HCF certificate says nothing about whether your system meets the ISM. It also helps to remember that IRAP is an assessment, not a certification, with no pass mark, while HCF certification is a status the provider holds.
What does the Hosting Certification Framework certify?
It certifies hosting providers so government customers can source hosting that meets enhanced privacy, sovereignty and security requirements. It is run by the Department of Home Affairs, which took over the Framework from the Digital Transformation Agency on 1 May 2023. The focus is ownership, control, operations and supply chain, not the technical build of one system.
The Framework grew out of the Whole of Government Hosting Strategy of March 2019 and was released in March 2021 to put that strategy into practice. It currently applies to two kinds of provider: data centre providers and cloud service providers. Under the Framework, all sensitive government data, whole of government systems and systems classified PROTECTED must be hosted using certified services. It supports the Protective Security Policy Framework and the ISM rather than standing apart from them.
What are the three certification levels?
There are three levels, and the one you need depends on the government customer’s risk profile and the classification of the data. Certified Strategic is the highest; only providers that let government specify ownership and control conditions qualify, and it carries increased security controls for high risk profiles. Certified Assured guards against a change of ownership or control through financial penalties that cap the Commonwealth’s transition costs if the provider’s profile changes. Uncertified offers minimal protection and suits non sensitive data.
| Level | What it gives | Typical use |
|---|---|---|
| Certified Strategic | Highest assurance; government can specify ownership and control conditions; increased security controls | High risk profiles, or data the customer judges needs extra protection |
| Certified Assured | Financial penalties guard against a change of ownership or control, minimising the Commonwealth’s transition costs | Low risk profile with sensitive data that does not need additional protection |
| Uncertified | Minimal protections | Non sensitive data, or where the customer’s risk assessment allows it |
The level is a risk decision the government customer makes against the classification of the data, not a badge the provider picks off a shelf.
When do you need HCF certification, and when do you need IRAP?
It depends on whether the question is about the host or the system. If you host sensitive government data, a whole of government system, or a system classified PROTECTED, the hosting must sit with a certified provider under the Hosting Certification Framework. That requirement lands on the provider’s status.
IRAP is triggered by the system itself. Outsourced IT and cloud services holding OFFICIAL: Sensitive, PROTECTED or SECRET data must be IRAP assessed against the ISM under the PSPF, and reassessed within 24 months under requirement 0109. For a PROTECTED workload in commercial cloud you generally meet both: the provider holds the right HCF certification and your system carries a current IRAP assessment. Miss either and an agency cannot stand the system up.
| | Hosting Certification Framework | IRAP |
|---|---|---|
| What it assesses | The provider: ownership, control, operations, supply chain | A specific system against the ISM |
| Run by | Department of Home Affairs | An ASD endorsed IRAP assessor (program run by ASD) |
| Basis | Whole of Government Hosting Strategy; supports the PSPF and ISM | The Information Security Manual, under the PSPF |
| Scope | Certified Strategic, Certified Assured, Uncertified | OFFICIAL: Sensitive, PROTECTED, SECRET |
| What you get | A certification of the provider | An assessment report and control matrix; no certification, no pass mark |
| Who it lands on | The hosting provider | The system owner |
How do the two fit together in practice?
In a real procurement they run on separate tracks and meet at the agency’s decision. The provider earns and maintains its HCF certification with Home Affairs, including Conditional and Annual Certification Reviews and a duty to declare a Relevant Change such as a shift in ownership, board, key personnel or subcontractors. Separately, your system is scoped, prepared and assessed against the ISM by an IRAP assessor, and the report goes to the agency’s authorising officer.
Where teams trip is assuming a hyperscaler’s HCF certification, or its IRAP assessed infrastructure, covers their own system. It does not. The provider’s certification and infrastructure assessment stop at the infrastructure line; your configuration, application logic and data handling are a separate IRAP scope. Both sit under the PSPF, and both are conditions an authorising officer weighs before granting authority to operate. The full IRAP guide walks through the system side of that decision.
What is changing with the Hosting Certification Framework?
The Framework is being reformed. From 3 November 2025 the Department paused HCF certification registration for prospective providers and for certified providers seeking a supplementary assessment, until the reforms are complete; existing certified providers are not affected. A reform commonly referred to as HCF 2.0 is under consultation with buyers and providers.
The direction follows the same goal that created the Framework: keeping government data under controls the Government can see and rely on as ownership and supply chains shift. Treat the certification pause and the level definitions as live. Confirm the current position on hostingcertification.gov.au before you scope a hosting arrangement, and book an IRAP assessment for the system itself in parallel.
Frequently asked questions
The HCF does certify the provider against the Framework. IRAP is an assessment of a system against the ISM, not a certification, and there is no pass mark. They are different instruments doing different jobs.
The Department of Home Affairs. Responsibility for the Framework transferred from the Digital Transformation Agency to Home Affairs on 1 May 2023.
No. HCF certification covers the provider’s ownership, control and supply chain. Your system still needs its own IRAP assessment against the ISM.
Generally yes. The hosting must sit with a certified provider, and the system must be IRAP assessed against the ISM and reassessed within 24 months under PSPF requirement 0109.
Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Last updated: 21 June, 2026
