Insights
Short notes on what changed in the ISM, what we saw in IRAP and panel work, and what it means for Australian Government cyber teams. Mostly short reads. Occasionally something longer when a control family shifts or a panel re-opens.
Latest articles
- Five mistakes SaaS vendors make on the road to IRAP (Methodology notes, 21 May 2026, 400 words). Patterns we see slowing SaaS vendors pursuing IRAP: confusing IaaS endorsement with system certification, mistaking the Essential Eight for the ISM, late SSP authoring, reflexive ML2, and evidence.
- Glossary: Authorising Officer vs System Owner (Methodology notes, 20 May 2026, 397 words). The Authorising Officer accepts risk; the system owner manages the system. Engagements that drift hardest in IRAP are usually the ones that never settled the distinction.
- PROTECTED doesn't mean encrypted-by-default (Methodology notes, 19 May 2026, 412 words). PROTECTED is a handling classification, not a cryptographic specification. Conflating the two leads vendors to over-claim on encryption and under-invest in the controls that actually carry the load.
- Anatomy of an artefact — evidence, three ways (Methodology notes, 18 May 2026, 446 words). An IRAP assessor does not look at evidence as a single artefact. Design, state, and behaviour each answer a different question, and a complete pack carries all three.
- Glossary — OFFICIAL:Sensitive, and what the colon actually means (Methodology notes, 17 May 2026, 412 words). OFFICIAL:Sensitive is not a classification above OFFICIAL; it is a marking that travels with information needing extra care. The colon does real work.
- Three patterns that delay an IRAP Stage 2 (Methodology notes, 16 May 2026, 461 words). Stage 2 of an IRAP engagement usually doesn't slip for technical reasons. Three preventable patterns account for most of the delay we see.
- Anatomy of an artefact — what an SSP Annex A should actually contain (Methodology notes, 15 May 2026, 435 words). The controls implementation matrix is the spine of an IRAP engagement. Here's what belongs in each row, and what an assessor reads it for.
- IRAP isn't a pass/fail — and that confuses people (Methodology notes, 14 May 2026, 357 words). Why an IRAP report is a structured opinion rather than a verdict, and why fixating on a 'pass' is the wrong incentive for vendors and agencies alike.
- Insights launched — here's how it works (Methodology notes, 13 May 2026, 312 words). We've launched a daily Insights stream of short, source-cited notes on Australian Government cyber. How it works, what to expect, and how to opt out.
Get Insights by email
Short notes when something material moves, sent within an hour of publishing. This is a different list from our quarterly digest; pick one or both.
Articles in this section are produced by TrustedZone's news automation against an allowlist of Australian Government and ACSC sources. Each article carries a watermark and a one-click rollback link. Material errors should be flagged at harry@trustedzone.com.au.