Question 1

What is ISMAP and when is it required?

Accepted Answer

ISMAP (Information System Security Management and Assessment Program) is Japan's government cloud security assessment framework. It is required for cloud service providers that want to be listed on the ISMAP Cloud Service List, which Japanese government agencies use as a pre-approved vendor registry. If your cloud service is used by Japanese government organizations, ISMAP listing is effectively mandatory. The framework covers governance, risk management, technical controls, and operational processes, with significant overlap with ISO 27001 and SOC 2.

Question 2

What is IRAP and how does it relate to the Australian government?

Accepted Answer

IRAP (Information Security Registered Assessors Program) is managed by the Australian Signals Directorate (ASD) and is the assessment framework for the Australian government's Protective Security Policy Framework (PSPF) and Information Security Manual (ISM). Cloud service providers seeking to serve Australian government agencies typically need an IRAP assessment at the PROTECTED level. The assessment covers security controls aligned to the ISM, and results are published on the ASD's Certified Cloud Services List.

Question 3

How much of our existing ISO 27001 or SOC 2 program can we reuse?

Accepted Answer

Typically 60-80% of controls map directly. International government frameworks are built on the same security fundamentals: access control, encryption, incident response, change management, logging, and vendor oversight. The gaps are usually framework-specific documentation requirements, local data residency obligations, government-specific incident reporting timelines, and assessment process differences. We quantify the exact delta during our gap assessment so you know precisely what work remains.

Question 4

Do we need local presence or local assessors for these frameworks?

Accepted Answer

Requirements vary by framework. IRAP assessments must be conducted by ASD-endorsed assessors. ISMAP requires assessment by registered audit firms recognized by the ISMAP governing body. ENS certification requires accredited auditors recognized by Spain's CCN (National Cryptologic Centre). We coordinate with the appropriate local assessors in each jurisdiction and manage the engagement on your behalf, similar to how we manage audit processes for other frameworks through our Audit and Assurance service.

International Government Frameworks

Who This Is For

What You Get

Frequently Asked Questions

Strengthen Your International Government Frameworks Compliance with Penetration Testing

Ready to Get Started?