IRAP / Australian ISM (Australia) - email + domain controls, mapped to Wiredepth
Framework version: Information Security Manual, updated quarterly by ASD; assessments per the IRAP program
Who this is for. Commonwealth, state, and territory government bodies in Australia, plus the commercial cloud + SaaS providers that store, process, or transmit Australian government data. IRAP assessments by registered ASD-endorsed assessors are the standard mechanism for evaluating compliance against the Information Security Manual (ISM) at the three security classifications most commonly assessed: OFFICIAL, PROTECTED, and SECRET.
The ISM in practice. The ISM is published by the Australian Signals Directorate (ASD) and updated quarterly. Email-related controls live primarily under "Guidelines for Email" and "Guidelines for Cryptography". DMARC, DKIM, and SPF are explicit ISM requirements at OFFICIAL and above. TLS for SMTP transport is required.
How to use this page. The clauses below describe the ISM control areas most relevant to email + domain surfaces. Where ASD has published specific control numbers, they're referenced directly; in other places we paraphrase the requirement and your assessor confirms the exact ISM clause. Pair this crosswalk with your ISM Compliance Workbook (the artefact most IRAP assessments produce alongside the assessment report).
Clause-by-clause mapping
Each row maps a specific IRAP requirement to the Wiredepth surface that addresses it. The clause ids are the framework's own naming - verify them against the official text. We use precise language: "addresses" (the tool directly satisfies the control), "supports" (the tool contributes evidence the auditor will need), and "evidence for" (the artifact is part of the attestation package).
| Clause | Requirement | Wiredepth response |
|---|---|---|
| ISM Email - DMARC implementation (Authentication) | Email gateways and domain owners should implement DMARC with a "reject" policy on all domains, including parked / non-sending domains, to prevent spoofing. | DMARC checker scores per-domain DMARC posture against the ISM "p=reject" expectation. Spoofability checker provides a yes / maybe / no verdict on the spoof-resistance the policy actually achieves. |
| ISM Email - SPF + DKIM authentication (Authentication) | Senders should publish SPF records authorising only legitimate sending sources. DKIM should be used to digitally sign outbound email so receivers can verify integrity + authenticity. | SPF flattener + DKIM analyser cover the per-domain authentication controls. The vendor consolidation audit identifies all authorised senders so the SPF record stays accurate as suppliers churn. |
| ISM Email - Transport encryption (Transport) | Email servers should support TLS 1.2 or higher for both inbound + outbound SMTP. MTA-STS should be used to enforce TLS on receiving servers. | TLS protocol checker reports per-port support across submission + relay + delivery ports. MTA-STS analyser confirms the policy + the receiver behaviour. PROTECTED + SECRET workloads need TLS 1.2 minimum; assessor verifies. |
| ISM Cryptography - Approved algorithms (Transport) | Cryptographic algorithms used to protect Australian government information must be ASD-approved. ISM specifies approved TLS cipher suites and signature algorithms. | TLS analyser reports the negotiated cipher + protocol version per scan, with detection of deprecated algorithms (TLS 1.0/1.1, RC4, 3DES) that an IRAP assessor would flag as a finding. |
| ISM - System monitoring (Monitoring) | Systems should be monitored for security events. Logs should be retained for the period required by the system classification (typically 7 years for PROTECTED). Logs should be protected against modification + deletion. | Continuous monitoring + alert routing covers the security-events surface. Wiredepth Prove's tamper-evident audit-log chain (see /docs/verify) is the protection-against-modification control IRAP assessors look for at PROTECTED + above. |
| ISM - Event logging + audit (Monitoring) | Audit logs should record security-relevant events, be protected from tampering, and be reviewed periodically. Audit-log integrity is an explicit ISM expectation. | Audit-log Merkle chain + public anchor at /api/v1/audit/anchors provide the tamper-evidence the ISM expects. The free public verifier lets an IRAP assessor validate the chain without trusting the tool - the property an OFFICIAL+ assessment relies on. |
| ISM - Third-party service providers (Inventory) | Third-party service providers handling Australian government information should be assessed for security risk. Includes cloud-hosted email senders and marketing-automation providers authorised to send mail on the agency's behalf. | Vendor consolidation audit enumerates every authorised email sender. Per-vendor posture grade quantifies the risk an ISM third-party-risk assessment is designed to surface. De-authorisation guides at /docs/deauthorize cover offboarding. |
| ISM - Incident response (Reporting) | Organisations should have an incident-response plan covering detection, reporting, response, and recovery. Significant cyber-security incidents should be reported to ASD's ACSC within the appropriate timeframe. | Incident-readiness workpaper documents the response plan + the ASD ACSC notification path. Hosted DMARC report inbox catches authentication-failure spikes that often precede a phishing-driven incident. |
| ISM - DNS security (Transport) | DNS infrastructure supporting government services should be configured securely. DNSSEC is recommended where the domain hosts services accessed by the public. | DNSSEC + CAA + nameserver checks document the DNS-layer posture. Subdomain inventory covers the asset-management side of DNS configuration. |
| ISM Cryptography - Certificate management (Transport) | TLS certificates should be managed across the lifecycle: issuance from an approved CA, periodic renewal, revocation when compromised. Unexpected certificates issued for the domain should be detected. | CT-log monitoring detects certificates issued for the domain that the org did not authorise. Certificate expiry tracking + revocation status checks cover the lifecycle. |
| PSPF / Essential Eight alignment (Reporting) | IRAP-assessed systems often operate inside an organisation also bound by the Protective Security Policy Framework (PSPF) and the Essential Eight mitigation strategies. Some Essential Eight mitigations (multi-factor auth, application control) sit upstream of email surfaces. | Wiredepth's email + domain coverage is the channel-specific layer beneath the broader Essential Eight programme. Use this crosswalk for the IRAP-assessable email surface; the wider Essential Eight scope sits with the IT-security team. |
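An added self-check, not Wiredepth's code and not part of the original page: it scores constructed DMARC and SPF TXT records against the two expectations in the DMARC and SPF rows above (p=reject on every domain, parked domains authorising no sender). The domain names and records are invented, and reading "only legitimate sending sources" as a hard-fail `-all` is an assumption, not ISM text.

```python
# Constructed sample TXT records (invented domains, not live DNS answers).
RECORDS = {
    "agency.example": {"dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@agency.example",
                       "spf": "v=spf1 include:_spf.mailprovider.example -all"},
    "parked.example": {"dmarc": "v=DMARC1; p=none",      # parked, never sends mail
                       "spf": "v=spf1 -all"},
    "legacy.example": {"dmarc": "v=DMARC1; p=reject; pct=50; sp=quarantine",
                       "spf": "v=spf1 ip4:203.0.113.10 ~all"},
}
PARKED = {"parked.example"}

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC TXT record into a dict with lower-cased keys."""
    return {k.strip().lower(): v.strip() for k, v in
            (part.split("=", 1) for part in record.split(";") if "=" in part)}

def dmarc_findings(record):
    """Gaps between a DMARC record and the ISM p=reject expectation."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record"]
    findings = []
    if tags.get("p") != "reject":
        findings.append("p=%s, ISM expects p=reject" % tags.get("p", "missing"))
    # sp defaults to p; an explicit weaker subdomain policy reopens the spoofing gap
    if "sp" in tags and tags["sp"] != "reject":
        findings.append("sp=%s is weaker than reject" % tags["sp"])
    # pct<100 rejects only a sample of failing mail (treated as a finding here)
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct=%s, reject not applied to all failing mail" % tags["pct"])
    return findings

def spf_findings(record, parked):
    """SPF gaps; a parked domain should authorise no sender at all."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record"]
    if parked and terms[1:] != ["-all"]:
        return ["parked domain should publish exactly 'v=spf1 -all'"]
    # Assumption: 'only legitimate sources' read as requiring a hard-fail 'all'
    if terms[-1].lower() != "-all":
        return ["'%s' does not hard-fail unlisted senders" % terms[-1]]
    return []

def assess(records=RECORDS, parked=PARKED):
    """Map each domain to its findings; an empty list means ISM-aligned."""
    return {d: dmarc_findings(r["dmarc"]) + spf_findings(r["spf"], d in parked)
            for d, r in records.items()}
```

Swap the constructed dictionary for the TXT answers your own resolver returns and the parked set for your domain register to get a first-pass view before the assessor samples the same domains.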
What auditors actually look at
An IRAP assessor reviewing the email + domain surface would typically request:
- The ISM Compliance Workbook entries for the email + cryptography control areas with linked implementation evidence
- Per-domain DMARC + DKIM + SPF + TLS scan output sampled across the assessment window
- The third-party email-sender register with last-assessed dates for each supplier
- Sampled audit-log entries with the published anchor head used to verify chain integrity
- Incident-response plan + sampled ACSC notification records (if applicable)
Note: ISM is updated quarterly. Verify the specific control numbering and parameter values against the ISM edition current at the time of your assessment.
Generate an IRAP-tagged evidence pack (Wiredepth Prove)
Prove subscribers can generate a ZIP of all five workpapers + an IRAP README in one click. Single domain, single click, ready to file in your audit binder. See pricing at /pricing#prove ($499/mo standalone, bundled in Enterprise).
Disclaimer. This crosswalk is provided for informational purposes. It is not legal advice, audit guidance, or a substitute for engagement with a qualified assessor (QSA for PCI, accountant or QSA for SOC 2, lawyer for HIPAA / NIS2 / SEC). Framework clause ids and language may have been updated since publication; verify against the official text. Wiredepth does not guarantee compliance based on the use of any tool or page on this site.