If your cloud isn't built for IRAP, you'll pay for it twice.
PROTECTED-aligned Microsoft 365 and Azure delivery — with the SSP, SRMP and control evidence produced alongside the build, not retrofitted to it. For Commonwealth agencies, their industry partners, and Australia's regulated sectors.
An Australian specialist firm.
- 100%Australian owned and operated. AGSVA-cleared personnel.
- M365
AzureDesigned, built and documented to ISM & Essential 8 — up to PROTECTED. - HybridPROTECTED extends from cloud to on-premises — no weak links.
- ISMSGRC consulting and complete custom ISMSs aligned to ISO/IEC 27001.
- ArchCyber security architecture for cloud, hybrid and regulated environments.
- AdvisoryIndependent technical and strategic cyber advisory.
- IRAPWe prepare you for assessment. The assessor stays independent.
Anyone can say they "deliver secure M365." We design in what assessors look for — so you don't waste months fixing gaps later.
Deliberately narrow practice: Microsoft 365, Azure and hybrid, engineered to the ISM PROTECTED baseline and Essential Eight. The accreditation package — SSP, SRMP, SoA, risk register, control evidence — is produced alongside the build, in the formats IRAP assessors expect.
Frameworks we build to.
ISM
Australian Government Information Security Manual — every configuration traces back to an ISM control.
E8
ACSC Essential Eight Maturity Model — implemented by platform configuration, not documentation alone.
PSPF
Protective Security Policy Framework — informs information handling and governance patterns.
ISO 27001
International information security management standard — our ISMS designs are ISO/IEC 27001 conformant.
NIST
NIST Cybersecurity Framework — used where hybrid or US-aligned control mapping is required.
Why ACT Cyber.
Built for the assessor in the room.
Every artefact is produced in the format IRAP assessors expect — SSP, SRMP, SoA — concurrently with build, not retrofitted afterwards.
Controls satisfied by the platform.
ISM and Essential Eight controls met by Microsoft platform configuration and operational practice — not documentation alone.
AGSVA-cleared, end to end.
Australian-owned, AGSVA-cleared personnel operating under Australian jurisdiction. No offshore touch, no outsourced accountability.
Cloud to on-premises, one baseline.
We extend PROTECTED compliance from Azure and M365 into your on-prem estate — no weak links between cloud and legacy.
Delivered. Assessed. Authorised.
The Principal Consultant has personally led the delivery of multiple Microsoft 365 and Azure environments to PROTECTED across a career spanning Commonwealth and regulated sector engagements — including environments that received Authority to Operate (ATO) from the Department of Defence at the PROTECTED classification level.
ACT Cyber is currently engaged as Security Architect on a major Commonwealth whole-of-government PROTECTED programme, delivered through a prime delivery partner.
Defence ATO at PROTECTED.
PROTECTED Authority to Operate received from the Department of Defence on Microsoft cloud environments designed and delivered by the Principal Consultant.
A career portfolio.
A career portfolio of Microsoft 365 and Azure environments designed and built to the ISM PROTECTED control baseline across Commonwealth and regulated sector clients.
WofG PROTECTED · Security Architect.
ACT Cyber is engaged as Security Architect on a Commonwealth whole-of-government PROTECTED programme spanning multiple agencies including Defence — delivered through a prime delivery partner.
Sanitised delivery references available under partner pack arrangements.
The Microsoft stack — configured for regulated workloads.
We work across the full Microsoft security and productivity stack, configured to the ISM control baseline.
Audit pressure mounting?
Talk to an ISM PROTECTED specialist. Fast compliance, cost-effective delivery, zero audit surprises.