IRAP-Style Evidence for Microsoft 365 Essentials: What Assessors Look For
What the January 2026 IRAP Quality Assurance Framework expects from Essentials evidence — and how M365 tenants can prepare timestamped, ISM-mapped proof without a full IRAP engagement.
Government suppliers, defence contractors, and critical infrastructure operators often hear IRAP long before they hear Essential Eight. The Infosec Registered Assessors Program evaluates ICT systems against the Information Security Manual (ISM) and Protective Security Policy Framework (PSPF) — a broader scope than Essentials alone.
But for many Microsoft 365 tenants, Essentials maturity is a common early question from insurers, procurement panels, and assessors reviewing cloud productivity: what is your ML2 evidence, and can you prove it is current?
This guide explains what changed in assessor expectations in 2026, what "assessor-ready" Essentials evidence looks like for M365, and where automated tooling fits — without overclaiming IRAP certification.
Scope first: this is not IRAP certification
Aegis Eight is not an IRAP assessor and does not certify systems. IRAP assessment is a formal engagement with an ASD-registered assessor, covering ISM controls, system boundaries, SSP documentation, and often months of evidence review.
What Aegis Eight does provide is continuous, hash-anchored Essentials evidence from read-only Microsoft Graph and Google Admin SDK queries — the kind of timestamped configuration proof that IRAP assessors, insurers, and internal audit teams increasingly expect before or alongside a full IRAP program.
If your customer or regulator asks for an IRAP assessment report on your SaaS boundary, you still need a registered assessor. If they ask "show me ML2 Essentials evidence for your M365 tenant dated this quarter," that is a different — and much more common — request.
What changed: IRAP Quality Assurance Framework (January 2026)
ASD's IRAP Quality Assurance Framework, published January 2026 (listed on cyber.gov.au), shifted scrutiny from findings alone toward assessor methodology and evidence provenance. In practice that means:
- Disconnected spreadsheets with no query timestamp face greater scrutiny
- "We reviewed the admin portal on Tuesday" without retained configuration proof is weaker than a dated API snapshot
- Assessors are expected to show how evidence was collected, not just what they concluded
For Essentials specifically, the maturity model maps to ISM controls (ASD publishes the mapping). IRAP assessors working cloud productivity boundaries often start with MFA enforcement, privileged access structure, patch compliance on managed devices, and backup retention — the same eight strategies Essentials scores.
The commercial pressure has expanded beyond government: cyber insurers increasingly ask for Essentials proof before issuing or renewing policies. The evidence bar is converging toward timestamped, verifiable proof tied to a known framework revision.
ASD evidence tiers: Fair vs Good
The Essentials assessment process guide rates evidence quality:
| Tier | Description |
|---|---|
| Excellent | Testing a control with a simulated activity |
| Good | Reviewing live configuration through the system's interface |
| Fair | Reviewing a copy of configuration (reports, screenshots, API responses) |
| Poor | Policy or verbal statement of intent |
Automated M365 collection via Microsoft Graph typically produces Fair-tier evidence by default: a point-in-time API response showing what the tenant's configuration was at query time. That is materially stronger than a self-attested checklist (Poor), especially when each finding carries:
queriedAt— when the API call ran- Endpoint — which Graph query produced the signal
responseHash— SHA-256 of the raw response for independent verification
Good-tier evidence — sign-in logs proving MFA enforcement, device configuration states, Conditional Access what-if results, PIM activation history — requires collectors that read applied state, not just policy existence. Aegis Eight uses Good-tier collectors on several strong controls (MFA enforcement logs, device RSoP, CA what-if, PIM activations) where Graph exposes applied state; other findings remain Fair-tier API snapshots. See our Security & Privacy whitepaper for the evidence chain commitment.
Be honest with assessors about tier. Claiming Good when you only have a policy screenshot is worse than stating Fair with a hash-anchored snapshot.
What "good enough for prep" looks like
Before a full IRAP engagement, most organisations need a baseline Essentials posture report they can hand to an assessor or insurer. Assessors typically want:
- Per-strategy maturity level (ML0–ML3) with the weakest-link overall score stated clearly
- Per-finding outcomes using ASD standardised terms (
effective,ineffective,no_visibility, etc.) - Evidence dated within the assessment window — recency requirements vary by insurer, tender, or assessor; many ask for proof from the last quarter
- Traceability — which configuration was observed, when, and whether it can be independently verified
A spreadsheet that says "MFA: Yes" fails points 3 and 4. A PDF generated from live Graph queries with timestamps and response hashes addresses all four — even at Fair tier.
For MSPs managing dozens of tenants, the repeatability problem is worse: each customer's evidence lives in a different workbook, updated on different cadences, with no central drift history. Automated per-tenant scans with retained snapshots solve the "which tenant was current as of Q2?" question without hiring another analyst.
Essentials vs full IRAP: where they overlap
| Question | Essentials assessment | Full IRAP assessment |
|---|---|---|
| Scope | Eight mitigation strategies, ML0–ML3 | ISM + PSPF across system boundary |
| Assessor | Self, consultant, or automated tool | ASD-registered IRAP assessor |
| Typical driver | Insurer, tender, board | Government data handling, PROTECTED systems |
| M365 focus | Conditional Access, Intune, admin roles, backup signals | Same — plus identity boundary, logging, IR plans, supplier chain |
| Evidence | Configuration snapshots, policy review | SSP, IR plan, penetration test, continuous monitoring proof |
Organisations pursuing both ISO 27001 and IRAP often structure programs to reduce duplication. Essentials automation on M365 covers the cloud productivity slice efficiently; it does not replace SSP authorship or boundary definition.
MSP angle: evidence at scale without spreadsheet drift
MSPs are the operational layer for most Australian SME M365 tenants. When an insurer emails twelve clients asking for "ML2 Essentials evidence this quarter," the MSP needs:
- The same scoring methodology across every tenant
- Historical snapshots when a client asks "what changed between March and June?"
- Alerts when a tenant drifts — new Global Admin, MFA regression — before the insurer notices
Manual review does not scale past a handful of tenants. Read-only API assessment with retained evidence packs and change-triggered email alerts is how MSPs keep IRAP-prep and insurer workflows repeatable without adding headcount.
Aegis Eight MSP volume pricing is contact sales — the product supports the same Essentials scan and monitoring workflow per tenant today.
Honest limits
State these clearly in any assessor or customer conversation:
- Read-only access only — Aegis Eight never modifies tenant configuration
- Not all signals are visible via API — some controls return
no_visibilityrather than a guessed score (especially on Google Workspace desktop fleets) - Fair tier by default for declared-configuration API snapshots; Good tier where applied-state collectors apply (MFA enforcement, device RSoP, CA what-if, PIM)
- Not IRAP certification — evidence preparation, not assessor sign-off
Transparency builds trust with assessors. Overclaiming evidence tier or scope is the fastest way to lose credibility in an IRAP prep engagement.
Related reading
- November 2023 ASD Maturity Model: What Still Catches SMEs — why old self-assessments overstate ML2
- Five Common Essentials Drifts in Microsoft 365 Tenants — configuration changes assessors find between audits
- Essential Eight Maturity Levels Explained — ML0–ML3 and the weakest-link rule
- Security & Privacy whitepaper — evidence chain, retention, and hash integrity
Next steps
- Start a free Essentials scan — assessor-ready PDF in minutes, no credit card
- Download a sample report — redacted PDF example
- Compare plans — continuous monitoring with hash-anchored evidence retention
Questions about evidence for a specific assessor or insurer request? Email [email protected].