How to Choose IRAP-Certified Web Hosting in Australia: A Compliance Checklist
What Is IRAP-Certified Web Hosting and Why It Matters in Australia
IRAP (the Information Security Registered Assessors Program, run by the Australian Signals Directorate's Australian Cyber Security Centre, ACSC) endorses independent assessors who evaluate a hosting provider's security controls against the ASD Information Security Manual (ISM); the ACSC Essential Eight is the ISM's baseline set of mitigation strategies. Strictly, an IRAP assessment produces an assessment report rather than a certificate, and this guide uses the common shorthand "IRAP-certified" for a provider with a current IRAP assessment. An IRAP assessment does not certify Privacy Act compliance, but a provider assessed to ISM controls gives you documented evidence for the "reasonable steps" that the Australian Privacy Principles (APPs) require you to take. If your organisation handles sensitive customer data, operates in financial services under APRA CPS 234, or hosts government information classified up to PROTECTED, IRAP-assessed hosting is the expected baseline.
Step 1: Verify IRAP Registration and Certification Status
Before signing any contract, confirm the provider has a current IRAP assessment. IRAP assessors are individuals endorsed by ASD, and the ACSC publishes the list of endorsed assessors on cyber.gov.au; check that the assessor named in the provider's report appears on that list. Request the provider's letter of assessment or report summary, the assessment date, the planned reassessment date, and the scope of assessment. Key points to verify:
- Certification scope: Does it cover Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or both?
- Classification level: Confirm the assessment covers the ISM classification your data requires (OFFICIAL:Sensitive, PROTECTED, or higher). Most public cloud IRAP assessments are scoped to PROTECTED and below.
- Assessment currency: ACSC's cloud security guidance expects cloud services to be reassessed at least every 24 months, so request the date of the latest assessment and the provider's reassessment schedule, and check that the services and regions you intend to use were in scope on that date.
- Audit trail: Ask for a summary of the most recent IRAP assessment report (under NDA if required), including open findings, their risk ratings, and remediation status.
Step 2: Align with ACSC Essential Eight and Privacy Act APPs
IRAP-assessed providers must demonstrate compliance with the ISM, which includes the ACSC's Essential Eight maturity model: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups. (DNS filtering and event logging are covered by other ISM controls; they are not Essential Eight strategies.) Cross-reference the provider's compliance documentation against your Privacy Act obligations under APP 1 (open and transparent management of personal information), APP 3 (collection of solicited personal information), APP 8 (cross-border disclosure) and APP 11 (security of personal information); APP 11.1 is the obligation an IRAP report most directly helps you evidence.
- Encryption in transit and at rest: Verify TLS 1.2 or later for data in transit and AES-256 (or stronger) encryption at rest for data held in Australian regions, for example AWS ap-southeast-2 (Sydney) or ap-southeast-4 (Melbourne), or Azure Australia East / Australia Southeast. Note that ap-southeast-2 is an AWS region name, not a generic term; other providers use their own identifiers. Ask which ISM-approved algorithms and key lengths the provider uses.
- Access controls: Confirm role-based access control (RBAC), multi-factor authentication (MFA) enforced for all administrative access, and activity logs retained for at least 90 days (longer if your own retention obligations require it).
- Incident response: Obtain the provider's Incident Response Plan and contractual notification timeline. Under the Privacy Act's Notifiable Data Breaches scheme you, as the APP entity, have 30 days to assess a suspected eligible data breach and must then notify the OAIC and affected individuals as soon as practicable; the 72-hour figure often quoted belongs to the GDPR, not the Privacy Act. Negotiate prompt notification from the provider (hours to a few days) so that their delay does not consume your assessment window.
- Subcontractor vetting: Request the supplier’s third-party risk matrix to confirm all sub-processors are also IRAP-assessed or meet equivalent standards.
Step 3: Confirm APRA CPS 234 and Financial Services Compliance
If you’re in banking, insurance, or superannuation, APRA CPS 234 makes you responsible for the information security of assets managed by third parties, including hosting providers, and requires you to assess the information security capability of those providers; from 1 July 2025, CPS 230 (Operational Risk Management) also governs material service provider arrangements. Your IRAP-assessed provider must:
- Provide annual attestation (or a current IRAP report with a control mapping) that supports your own CPS 234 assessment of their information security capability; the obligation to assess sits with you, not with the provider.
- Allow APRA-authorised auditors to access security assessment reports without unreasonable delay.
- Keep your data in Australia (for example AWS ap-southeast-2 or Azure Australia East); offshoring a material arrangement triggers APRA's notification and consultation expectations, and onshore hosting avoids that.
- Offer Service Level Agreements (SLAs) with defined recovery time objectives (RTO) and recovery point objectives (RPO) aligned to APRA’s resilience expectations.
Step 4: Evaluate Data Residency and Sovereignty in ap-southeast-2
Australian compliance frameworks prioritise data stored within Australian borders. Confirm your IRAP-certified hosting provider:
- Hosts your workloads, backups and logs only in Australian regions: AWS ap-southeast-2 (Sydney) or ap-southeast-4 (Melbourne), Azure Australia East / Australia Southeast, or Australian providers such as Macquarie Cloud Services or Aussie Broadband, checking each provider's own IRAP assessment scope. (ap-southeast-2 is an AWS region name; other platforms use different identifiers.)
- Stores encryption keys and cryptographic material within Australia to prevent overseas access.
- Has no automated data replication to non-Australian regions unless explicitly contractually authorised by your organisation.
- Provides transparency via quarterly Data Residency Audit Reports.
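A concrete way to test the residency and key-location items above (and the encryption-at-rest point from Step 2) is to script the check rather than rely only on the provider's quarterly report. The following is an added example, not part of the original article and not a Techtweek Infotech tool: it evaluates a constructed AWS inventory of the kind you could assemble from `aws s3api get-bucket-location`, `get-bucket-encryption` and `get-bucket-replication` plus KMS key ARNs, and flags any bucket, customer-managed key, or replication destination outside the Australian regions. The bucket names, account ID and key IDs are made up; the region names and the ARN layout are AWS's own.

```python
"""Data-residency check over an AWS S3/KMS inventory (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# AWS regions physically located in Australia: Sydney and Melbourne.
AUSTRALIAN_REGIONS = {"ap-southeast-2", "ap-southeast-4"}


def arn_region(arn: str) -> str:
    """Return the region field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[3]


@dataclass
class Bucket:
    name: str
    region: str                        # from get-bucket-location
    sse_algorithm: Optional[str]       # "aws:kms", "AES256", or None if no default encryption
    kms_key_arn: Optional[str] = None  # KMSMasterKeyID from get-bucket-encryption (SSE-KMS only)
    replication_targets: List[str] = field(default_factory=list)  # destination bucket names


def check_residency(buckets: List[Bucket], bucket_index: Dict[str, str]) -> List[str]:
    """Return residency/encryption findings; an empty list means the policy is satisfied.

    bucket_index maps every bucket name, including replication destinations that may
    live in other accounts, to its region. S3 bucket ARNs carry no region field, so a
    replication destination's location has to be looked up separately."""
    findings: List[str] = []
    for b in buckets:
        if b.region not in AUSTRALIAN_REGIONS:
            findings.append(f"{b.name}: bucket located in non-Australian region {b.region}")
        if b.sse_algorithm is None:
            findings.append(f"{b.name}: no default server-side encryption configured")
        elif b.sse_algorithm == "aws:kms" and b.kms_key_arn:
            if not b.kms_key_arn.startswith("arn:"):
                # A bare key ID or alias carries no region; resolve it with kms describe-key first.
                findings.append(f"{b.name}: KMS key reference {b.kms_key_arn} is not an ARN")
            else:
                # A customer-managed KMS key is region-bound; its ARN says where the key lives.
                key_region = arn_region(b.kms_key_arn)
                if key_region not in AUSTRALIAN_REGIONS:
                    findings.append(f"{b.name}: KMS key {b.kms_key_arn} lives in {key_region}")
        # "aws:kms" with no key ARN means the AWS-managed aws/s3 key, which is created in the
        # bucket's own region, so the bucket-region check above already covers it.
        for dest in b.replication_targets:
            dest_region = bucket_index.get(dest)
            if dest_region is None:
                findings.append(f"{b.name}: replicates to {dest}, whose region is unknown")
            elif dest_region not in AUSTRALIAN_REGIONS:
                findings.append(f"{b.name}: replicates to {dest} in {dest_region}")
    return findings


# Constructed sample inventory (fictional account 123456789012 and key IDs).
SAMPLE_BUCKETS = [
    Bucket("acme-prod-sydney", "ap-southeast-2", "aws:kms",
           "arn:aws:kms:ap-southeast-2:123456789012:key/11111111-2222-3333-4444-555555555555",
           replication_targets=["acme-dr-melbourne"]),
    Bucket("acme-dr-melbourne", "ap-southeast-4", "AES256"),
    Bucket("acme-logs", "ap-southeast-2", "aws:kms",
           "arn:aws:kms:us-east-1:123456789012:key/66666666-7777-8888-9999-000000000000",
           replication_targets=["acme-archive-global"]),
    Bucket("acme-uploads", "ap-southeast-2", None),
]
# Region lookup for every bucket, including a destination owned by another account.
SAMPLE_INDEX = {**{b.name: b.region for b in SAMPLE_BUCKETS}, "acme-archive-global": "us-west-2"}


def run_sample() -> List[str]:
    """Evaluate the constructed inventory and return its findings."""
    return check_residency(SAMPLE_BUCKETS, SAMPLE_INDEX)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Run against the sample, the script reports three findings: the log bucket's KMS key in us-east-1, its replication to a us-west-2 bucket, and the uploads bucket with no default encryption; the Sydney/Melbourne pair passes. Feed it the real inventory from your account and put it in a scheduled job so a replication rule or key change added after the provider's last report shows up the day it happens.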
Step 5: Review Service Level Agreements and Liability Clauses
IRAP certification alone doesn’t guarantee business continuity. Audit the SLA for:
- Uptime guarantees: Minimum 99.95% (about 22 minutes of downtime in a 30-day month; 4.4 hours per month would be only about 99.4%) with defined service credits for non-compliance.
- Breach notification: Explicit commitment to notify your organisation promptly (within days, not weeks) of discovering a security incident affecting your data. The Privacy Act's 30-day period is your own window to assess a suspected eligible data breach, not the provider's notification deadline; a provider that uses the whole 30 days leaves you none.
- Audit rights: Your right to conduct security audits, penetration tests, and request SOC 2 Type II reports annually.
- Termination and data return: Clause confirming return of your data in an agreed, encrypted format and verified deletion (with a certificate of destruction) within 30 days of contract termination.
Step 6: Assess Ongoing Compliance and Audit Readiness
IRAP certification is not a one-time checkbox. Partner with providers committed to continuous improvement:
- Quarterly compliance reviews: Providers should offer quarterly briefings on Essential Eight maturity progression and remediation timelines.
- Vulnerability management: Request their patch management schedule (OS, application, firmware) with published SLAs.
- Staff security training: Verify mandatory annual ACSC-aligned training and background checks for all personnel with access to your infrastructure.
- Disaster recovery testing: Confirm annual DR exercises with auditor validation and incident playbooks signed off by your CISO.
Step 7: Compare Australian IRAP-Certified Providers
Techtweek Infotech, as an AWS Advanced Consulting Partner with 24/7 follow-the-sun Australian support, works with clients across APRA-regulated institutions, healthcare, and government to navigate IRAP compliance. We recommend comparing shortlisted providers on:
- IRAP assessment scope and assessor track record: IRAP assessors are individuals endorsed by ASD (some at large consultancies, some independent); check that the named assessor appears on the ACSC list and has assessed comparable cloud services.
- Local support footprint: Tier 1 support in Australian time zones, with staff holding AGSVA security clearances where your classification level requires it (the ACSC does not issue clearances).
- AWS or Microsoft Azure partnership tier: The tier reflects the consultancy's accreditation and access to partner programs and compliance tooling; it does not give earlier access to security updates.
- Cost transparency: Compliance overhead (DLP, SIEM, forensic readiness) should be itemised separately from hosting fees.
Checklist Summary: Your IRAP Hosting Decision Framework
- ☐ Verify a current IRAP assessment (assessor on the ACSC endorsed assessor list); confirm scope (IaaS/PaaS) and ISM classification level (OFFICIAL:Sensitive, PROTECTED).
- ☐ Obtain signed Essential Eight maturity assessment and Privacy Act APP compliance statement.
- ☐ If APRA-regulated: Request CPS 234 attestation letter and APRA audit access clause.
- ☐ Confirm ap-southeast-2 data residency, encryption key storage in Australia, no unauthorised replication.
- ☐ Review SLA for 99.95%+ uptime, prompt breach notification (short enough to preserve your 30-day NDB assessment window), audit rights, data return clause.
- ☐ Schedule quarterly compliance briefings; verify patch management SLA and annual DR testing.
- ☐ Shortlist 2–3 providers; compare certification maturity, local support, and partnership tier (AWS/Azure Advanced).
- ☐ Finalise contract with legal review of liability caps, termination data deletion, and subcontractor vetting schedules.
Choosing IRAP-certified web hosting in Australia requires diligence beyond marketing claims. By following this seven-step checklist, you’ll select a partner aligned with ACSC Essential Eight, Privacy Act APPs, and APRA CPS 234—reducing compliance risk and strengthening your cyber resilience posture in ap-southeast-2.
Frequently Asked Questions
What is the difference between IRAP certification and ISO 27001?
IRAP is Australia-specific: an ASD-endorsed assessor evaluates controls against the ASD Information Security Manual (ISM), which includes the Essential Eight, and produces an assessment report rather than a certificate. ISO 27001 is an international, certifiable management-system standard. IRAP assessment is the expected baseline for suppliers to Australian government; APRA does not mandate IRAP, although an IRAP report is strong evidence for the third-party assessment CPS 234 requires of you. ISO 27001 is broader but not tailored to the ISM, the Privacy Act APPs or APRA CPS 234.
How often must my IRAP-certified host re-certify?
ACSC's cloud security guidance expects cloud services to be reassessed at least every 24 months, and the major providers reassess on roughly that cycle. Between full assessments, many providers run annual gap assessments or quarterly self-audits against Essential Eight maturity; ask how control changes and newly launched services are brought into scope mid-cycle.
Can I use a non-IRAP host if I’m not government or APRA-regulated?
Legally, yes: no law requires a non-government, non-APRA organisation to use IRAP-assessed hosting. But the Privacy Act APPs apply to every organisation the Act covers that handles personal information, and APP 11 requires reasonable steps to protect it. IRAP-assessed hosting gives you documented evidence of those steps; a non-IRAP host leaves you to demonstrate reasonable security yourself after a breach, and exposes you to reputational and regulatory risk if you cannot.
Does IRAP certification guarantee my data is breach-proof?
No. IRAP validates that security controls are implemented to ACSC standards, not that breaches are impossible. It demonstrates due diligence and reduces risk. You remain responsible for configuring your applications securely and monitoring access logs for suspicious activity.
What should I look for in an SLA with an IRAP-certified provider?
Prioritise 99.95%+ uptime guarantees, a breach notification SLA measured in days so that your 30-day Notifiable Data Breach assessment window is preserved, annual audit rights, annual DR testing validation, and explicit data residency in Australian regions (such as AWS ap-southeast-2) with no overseas replication without your consent.
Read the full guide: Web & Domain Hosting in Australia.