Government security advisory requires practitioners who understand the ISM, the Essential Eight maturity model and the IRAP assessment process from the inside — not from a vendor's compliance checklist. Our government practice includes cleared, IRAP-certified assessors with direct Commonwealth and state agency experience, based in Canberra and Sydney.
The 2023 ASD Cyber Threat Report identified Australian government agencies as primary targets for state-sponsored adversaries — particularly those from China, Russia, Iran and North Korea. The motivation ranges from intelligence collection and policy insight to pre-positioning for disruption of critical government services.
The Essential Eight was designed precisely for this environment. It defines the baseline security controls that, implemented to the required maturity level, mitigate the most common attack vectors used against Australian government networks. The challenge is that many agencies believe they are further along the maturity model than their controls actually demonstrate.
IRAP assessment — required for systems handling OFFICIAL: Sensitive and PROTECTED data — provides the independent technical assurance that agencies and their authorising officers need before a system can be approved to operate. It is not a compliance exercise. It is a technical security assessment conducted by certified practitioners against the requirements of the ISM.
Threat Actors Targeting Australian Government
Persistent campaigns targeting policy agencies, defence contractors and research institutions. Focus on long-term access and data exfiltration rather than disruption — often undetected for months.
Highest threat to Commonwealth agencies
Criminal groups increasingly targeting state and local government — attracted by legacy systems, limited security resources and the political pressure to restore services quickly. Average ransom demand to government targets: $4.2M.
High threat to state and local government
Targeted phishing campaigns against ministerial offices, SES officers and defence contractors — seeking credentials for privileged access to classified systems and supply chain entry points.
Consistent across all government tiers
Adversaries targeting government technology suppliers to gain indirect access to agency networks. The most significant government breaches in Australia over the last five years have involved supply chain entry vectors.
Growing threat — ACSC advisory 2024
The Essential Eight Maturity Model is frequently misunderstood. Many agencies self-assess at Maturity Level 2 or 3 without implementing the controls those levels actually require. Understanding the real gap between your self-assessment and your actual maturity is the first step to closing it.
| Maturity Level | What it actually means | Who it applies to | Common gap we find |
|---|---|---|---|
| ML0 | Controls are not implemented or are implemented ineffectively. The organisation is significantly exposed to common threat vectors. | No formal requirement, but represents unacceptable risk for any government entity | Often the actual state of entities that believe they are at ML1 |
| ML1 | Controls mitigate opportunistic adversaries using commodity tools. Assumes attackers are not targeting the specific organisation. | Baseline for most Commonwealth entities under the PSPF | Patch management and user application hardening controls consistently below stated maturity |
| ML2 | Controls mitigate adversaries willing to invest more effort. Includes controls that address targeted attacks using standard techniques. | Required for entities handling OFFICIAL: Sensitive data and most Cabinet agencies | MFA implementation is frequently partial — protecting external systems but not internal privileged access |
| ML3 | Controls mitigate sophisticated adversaries with significant resources. Addresses supply chain and zero-day exploitation techniques. | Required for entities handling PROTECTED data and national security systems | Application control and macro hardening at ML3 is rarely fully implemented — most gaps exist in legacy system exemptions |
Application control: Prevent execution of unapproved programs, scripts and libraries. One of the highest-effort controls — and most frequently found partially implemented.
Patch applications: Apply security patches within defined timeframes based on vulnerability criticality. Patch velocity is the most commonly tested control in IRAP assessments.
Configure Microsoft Office macro settings: Block macros from the internet, allow only signed macros. A persistent entry vector that remains enabled in many government environments.
User application hardening: Harden web browsers, PDF viewers and other user applications. Often implemented on managed devices but missed on legacy or shared workstations.
Restrict administrative privileges: Limit administrative privileges to those who require them for specific tasks. Privileged access management is consistently the biggest gap at ML2 and ML3.
Patch operating systems: Apply OS patches within defined timeframes. Legacy operating systems in government environments create persistent vulnerabilities that are difficult to remediate.
Multi-factor authentication: Require MFA for all remote access, privileged accounts and sensitive systems. Partial MFA implementation — protecting some systems but not others — is extremely common.
Regular backups: Back up important data, software and configuration settings. Test restoration. Backup integrity is frequently assumed but rarely verified — particularly for configuration data.
IRAP is not a compliance checklist or a self-certification exercise. It is a structured technical security assessment conducted by ASD-authorised assessors against the requirements of the Australian Government Information Security Manual — and it is required for any system approved to handle sensitive or classified government data.
We work with your team to define the assessment boundary — the system components, data flows, user access paths and third-party connections that fall within scope. Getting this right prevents scope creep and ensures the assessment addresses the risks that actually matter to your authorising officer.
Our IRAP-certified assessors evaluate your system against the applicable ISM controls — testing not just documentation but implementation effectiveness. We use a combination of technical testing, configuration review, interview and documentation analysis to produce a complete, evidence-backed assessment.
We produce a risk assessment documenting the residual risks associated with any controls that are not fully implemented — and a Statement of Applicability that the authorising officer uses to make the risk acceptance decision. We write these documents in the format authorising officers expect.
We deliver a complete IRAP assessment report — findings, evidence, risk ratings and recommendations — formatted to ASD's assessment report template. We present findings to your security team and support the authorising officer briefing with documentation prepared for that audience.
For findings that require remediation before authority to operate can be granted, we support your team through the remediation process and conduct a targeted re-assessment of the affected controls — avoiding a full re-assessment where possible to reduce time and cost.
Not all IRAP assessors are equal. The quality of an assessment is determined by the technical depth of the assessors and their familiarity with government operating environments — not by their certification alone.
Our assessors have operated in Commonwealth agency environments — they understand the constraints of legacy systems, the complexity of multi-agency data sharing arrangements and the practical challenges of implementing ISM controls in a government operational context.
Our government practice is built around the specific frameworks, classification requirements and operational constraints that government entities face. All government engagements are delivered by Australian-based advisors — cleared where the work requires it.
Formal IRAP assessments of systems handling OFFICIAL through PROTECTED data — conducted by ASD-authorised, NV1-cleared assessors. We manage the full assessment lifecycle including risk acceptance documentation and authority to operate support.
A structured maturity assessment against all eight strategies across ML0 to ML3 — delivered with a gap analysis, evidence pack and phased uplift programme that prioritises the gaps most likely to attract ASD scrutiny.
Strategic security leadership for agencies between CISOs or building their security capability. Our government vCISOs hold current clearances, understand the PSPF governance requirements and have direct ASD engagement experience.
Government SOCs face unique constraints — legacy systems, complex multi-agency data sharing arrangements and staff with high clearance requirements. We optimise around those constraints rather than recommending solutions designed for commercial environments.
We operationalise threat intelligence relevant to government threat actors — including the state-sponsored adversaries and supply chain attack vectors that the ASD identifies as highest priority for Commonwealth agencies.
For government entities operating critical infrastructure assets — we design and implement the risk management programmes, sector security plans and incident notification frameworks required under the Security of Critical Infrastructure Act.
A mid-sized Commonwealth agency engaged GadgetAccess following an ASD advisory that identified significant gaps between their self-assessed ML2 maturity and their actual control implementation. They faced a 12-month window to demonstrate ML3 across all eight strategies before a scheduled ASD review.
We conducted an independent baseline assessment, identified the 14 specific control gaps preventing ML3 achievement, and built a phased remediation programme that prioritised by risk and implementation complexity. The agency achieved ML3 across all strategies within the required timeframe.
"We thought we were at ML2. GadgetAccess showed us we were actually at ML1 in three of the eight strategies — and that our self-assessment methodology had been masking it. That honest assessment, delivered early, is what gave us enough time to fix it before ASD came knocking."
— CISO, Commonwealth Government Agency · Canberra
Our government practice advisors hold current NV1 clearances, IRAP certification and direct Commonwealth agency experience. We don't parachute commercial consultants into government engagements — we deploy practitioners who understand the environment.
All government engagements delivered by Australian-based, cleared advisors. Typical first response within one business day.