Every framework

Assess against the framework that matters.

Run an IRAP or ISM assessment against the ASD ISM and the Essential Eight Maturity Model, or pick NIST 800-53, SOC 2 or ISO 27001. Choose a framework and revision per engagement: classification and IRAP options appear only for the ISM; everything else is scoped by baseline or selection.

Creating a new engagement and selecting a compliance framework

Four frameworks, one model

  • ASD ISM & Essential Eight

    Cumulative classification scoping (OFFICIAL: Sensitive, PROTECTED, SECRET), Essential Eight Maturity Model overlay, and Cloud IRAP provider-layer inheritance.

    Source: OSCAL · ASD

  • NIST SP 800-53

    Rev 5 catalogue and baselines pulled straight from the official OSCAL source.

    Source: OSCAL · NIST

  • SOC 2

    Trust Services Criteria imported by the client from their licensed copy via CSV.

    Source: Client CSV

  • ISO/IEC 27001

    Annex A control set imported per tenant, scoped by Statement of Applicability.

    Source: Client CSV

Right-sized scoping

Scoped the way each framework expects

  • Classification (cumulative) for the ISM
  • Baselines for NIST 800-53 and FedRAMP
  • Selection / Statement of Applicability for SOC 2 and ISO 27001
  • Tenant-scoped catalogues keep client-licensed content private

Scope, boundary and applicability worksheet

Aligned with the IRAP Common Assessment Framework

The ASD published the IRAP Common Assessment Framework (CAF) in 2025 to standardise how assessors evaluate systems against the ISM and the Protective Security Policy Framework (PSPF). OakAttest mirrors that lifecycle — the same six-step Risk Management Framework the ISM draws from NIST SP 800-37: define the system, select controls, implement, assess, authorise, and monitor.

  • Security assessment plan, scope and boundary captured up front
  • Assessment of both control implementation and effectiveness
  • Findings mapped to ISM controls with severity and remediation
  • Defensible, signed certification records at the end of the engagement

Glossary

ISM (Information Security Manual)
The ASD cyber security framework of controls across 22 domains, applied by classification of the data a system handles.
IRAP (Infosec Registered Assessors Program)
The ASD program under which endorsed assessors evaluate systems against the ISM and PSPF for government use.
Essential Eight Maturity Model
Eight prioritised mitigation strategies measured across maturity levels zero to three, mapped to the ISM.
PSPF (Protective Security Policy Framework)
The Australian Government policy framework for protective security that the ISM operationalises for cyber.
Statement of Applicability (SoA)
The record of which controls apply to an engagement and why — central to ISO 27001 and ISM scoping.

See OakAttest on your own engagements.

Hosted, invite-based, with Australian data residency.

Request access