Aegis Eight

← Resources

IRAP-Style Evidence for Microsoft 365 Essentials: What Assessors Look For

What the January 2026 IRAP Quality Assurance Framework expects from Essentials evidence — and how M365 tenants can prepare timestamped, ISM-mapped proof without a full IRAP engagement.

Government suppliers, defence contractors, and critical infrastructure operators often hear IRAP long before they hear Essential Eight. The Infosec Registered Assessors Program evaluates ICT systems against the Information Security Manual (ISM) and Protective Security Policy Framework (PSPF) — a broader scope than Essentials alone.

But for many Microsoft 365 tenants, Essentials maturity is a common early question from insurers, procurement panels, and assessors reviewing cloud productivity: what is your ML2 evidence, and can you prove it is current?

This guide explains what changed in assessor expectations in 2026, what "assessor-ready" Essentials evidence looks like for M365, and where automated tooling fits — without overclaiming IRAP certification.

Scope first: this is not IRAP certification

Aegis Eight is not an IRAP assessor and does not certify systems. IRAP assessment is a formal engagement with an ASD-registered assessor, covering ISM controls, system boundaries, SSP documentation, and often months of evidence review.

What Aegis Eight does provide is continuous, hash-anchored Essentials evidence from read-only Microsoft Graph and Google Admin SDK queries — the kind of timestamped configuration proof that IRAP assessors, insurers, and internal audit teams increasingly expect before or alongside a full IRAP program.

If your customer or regulator asks for an IRAP assessment report on your SaaS boundary, you still need a registered assessor. If they ask "show me ML2 Essentials evidence for your M365 tenant dated this quarter," that is a different — and much more common — request.

What changed: IRAP Quality Assurance Framework (January 2026)

ASD's IRAP Quality Assurance Framework, published January 2026 (listed on cyber.gov.au), shifted scrutiny from findings alone toward assessor methodology and evidence provenance. In practice that means:

  • Disconnected spreadsheets with no query timestamp face greater scrutiny
  • "We reviewed the admin portal on Tuesday" without retained configuration proof is weaker than a dated API snapshot
  • Assessors are expected to show how evidence was collected, not just what they concluded

For Essentials specifically, the maturity model maps to ISM controls (ASD publishes the mapping). IRAP assessors working cloud productivity boundaries often start with MFA enforcement, privileged access structure, patch compliance on managed devices, and backup retention — the same eight strategies Essentials scores.

The commercial pressure has expanded beyond government: cyber insurers increasingly ask for Essentials proof before issuing or renewing policies. The evidence bar is converging toward timestamped, verifiable proof tied to a known framework revision.

ASD evidence tiers: Fair vs Good

The Essentials assessment process guide rates evidence quality:

TierDescription
ExcellentTesting a control with a simulated activity
GoodReviewing live configuration through the system's interface
FairReviewing a copy of configuration (reports, screenshots, API responses)
PoorPolicy or verbal statement of intent

Automated M365 collection via Microsoft Graph typically produces Fair-tier evidence by default: a point-in-time API response showing what the tenant's configuration was at query time. That is materially stronger than a self-attested checklist (Poor), especially when each finding carries:

  • queriedAt — when the API call ran
  • Endpoint — which Graph query produced the signal
  • responseHash — SHA-256 of the raw response for independent verification

Good-tier evidence — sign-in logs proving MFA enforcement, device configuration states, Conditional Access what-if results, PIM activation history — requires collectors that read applied state, not just policy existence. Aegis Eight uses Good-tier collectors on several strong controls (MFA enforcement logs, device RSoP, CA what-if, PIM activations) where Graph exposes applied state; other findings remain Fair-tier API snapshots. See our Security & Privacy whitepaper for the evidence chain commitment.

Be honest with assessors about tier. Claiming Good when you only have a policy screenshot is worse than stating Fair with a hash-anchored snapshot.

What "good enough for prep" looks like

Before a full IRAP engagement, most organisations need a baseline Essentials posture report they can hand to an assessor or insurer. Assessors typically want:

  1. Per-strategy maturity level (ML0–ML3) with the weakest-link overall score stated clearly
  2. Per-finding outcomes using ASD standardised terms (effective, ineffective, no_visibility, etc.)
  3. Evidence dated within the assessment window — recency requirements vary by insurer, tender, or assessor; many ask for proof from the last quarter
  4. Traceability — which configuration was observed, when, and whether it can be independently verified

A spreadsheet that says "MFA: Yes" fails points 3 and 4. A PDF generated from live Graph queries with timestamps and response hashes addresses all four — even at Fair tier.

For MSPs managing dozens of tenants, the repeatability problem is worse: each customer's evidence lives in a different workbook, updated on different cadences, with no central drift history. Automated per-tenant scans with retained snapshots solve the "which tenant was current as of Q2?" question without hiring another analyst.

Essentials vs full IRAP: where they overlap

QuestionEssentials assessmentFull IRAP assessment
ScopeEight mitigation strategies, ML0–ML3ISM + PSPF across system boundary
AssessorSelf, consultant, or automated toolASD-registered IRAP assessor
Typical driverInsurer, tender, boardGovernment data handling, PROTECTED systems
M365 focusConditional Access, Intune, admin roles, backup signalsSame — plus identity boundary, logging, IR plans, supplier chain
EvidenceConfiguration snapshots, policy reviewSSP, IR plan, penetration test, continuous monitoring proof

Organisations pursuing both ISO 27001 and IRAP often structure programs to reduce duplication. Essentials automation on M365 covers the cloud productivity slice efficiently; it does not replace SSP authorship or boundary definition.

MSP angle: evidence at scale without spreadsheet drift

MSPs are the operational layer for most Australian SME M365 tenants. When an insurer emails twelve clients asking for "ML2 Essentials evidence this quarter," the MSP needs:

  • The same scoring methodology across every tenant
  • Historical snapshots when a client asks "what changed between March and June?"
  • Alerts when a tenant drifts — new Global Admin, MFA regression — before the insurer notices

Manual review does not scale past a handful of tenants. Read-only API assessment with retained evidence packs and change-triggered email alerts is how MSPs keep IRAP-prep and insurer workflows repeatable without adding headcount.

Aegis Eight MSP volume pricing is contact sales — the product supports the same Essentials scan and monitoring workflow per tenant today.

Honest limits

State these clearly in any assessor or customer conversation:

  • Read-only access only — Aegis Eight never modifies tenant configuration
  • Not all signals are visible via API — some controls return no_visibility rather than a guessed score (especially on Google Workspace desktop fleets)
  • Fair tier by default for declared-configuration API snapshots; Good tier where applied-state collectors apply (MFA enforcement, device RSoP, CA what-if, PIM)
  • Not IRAP certification — evidence preparation, not assessor sign-off

Transparency builds trust with assessors. Overclaiming evidence tier or scope is the fastest way to lose credibility in an IRAP prep engagement.

Related reading

Next steps

Questions about evidence for a specific assessor or insurer request? Email [email protected].