Microsoft has published the 2026 round of independent Information Security Registered Assessors Program (IRAP) assessments for Azure, Dynamics 365 and Microsoft 365. For Australian businesses operating under government, defence-industry, or critical-infrastructure regulatory pressure, IRAP-assessed cloud services are the practical baseline for procurement.
The assessments cover the in-scope services, the controls in place, and the residual risks for both PROTECTED and OFFICIAL classifications. The reports themselves are detailed enough that they often form the spine of a customer's own Information Security Manual (ISM) compliance evidence — saving months of independent audit work for an SMB serving regulated clients.
For whedo.it clients in surveying, engineering and construction — sectors increasingly drawn into critical-infrastructure tenders — the IRAP documentation is a starting point for tender responses. Knowing the document exists, knowing where to point a procurement team at it, and knowing how to map your tenant's configuration to its findings is the practical work.