Keeping Atlassian’s IRAP assessment aligned with the latest ISM

Atlassian has completed an IRAP assessment for Jira, Jira Service Management, and Confluence Cloud at the PROTECTED classification in March 2025. This was an important milestone for us as we aim to meet the requirements of highly regulated customers in our cloud offering. Many of you in the Australian public sector may be wondering what happens next as the Australian Government Information Security Manual (ISM) continues to evolve.

The ISM is updated frequently, with new or revised controls introduced on a regular basis. Without a structured, repeatable approach, there is a real risk that any assessment can quickly become out of date.

To address this, Atlassian has established an ongoing IRAP retainer program with our external assessor so that our IRAP posture stays aligned with the latest ISM requirements, not just the version in place at the time of the original assessment. This is a sustained, high‑effort program: each ISM update can introduce new requirements, change the interpretation of existing ones, or expand the number of controls that need to be assessed within a defined timeline, all of which require active engagement from product, security, and compliance teams alongside our external IRAP assessor.

How the IRAP retainer work

Under the retainer, Atlassian and our assessor kick off the process at every ISM release:

1. ISM update review
   For every new ISM release, we jointly review the changes and identify which new or updated controls are relevant to Jira, Jira Service Management, and Confluence at PROTECTED level.

2. Scoping and impact analysis
   We map those changes to our existing control set, determine how many controls are impacted, and assess whether they require design changes, additional evidence, or new implementation work.

3. Formal addendum issued by the assessor
   After testing and evidence review, the assessor issues an addendum letter confirming how the latest ISM version is addressed for the in‑scope products.

This process means customers don’t just see a static report from last assessment, but a living picture of how we keep pace with ongoing ISM changes.

What this means for customer

This program represents a significant, continuous investment rather than a one‑off audit exercise:

• Atlassian continues to meet your requirements even as ISM changes are made, meaning you can confidently migrate to Atlassian cloud

• Independent assessors give you extra assurance

• Overall, we’re committed to meeting robust security needs

Looking ahead

Atlassian will keep refining this program as needed so that our IRAP posture remains current, independently validated, and clearly documented. Our goal is to give customers confidence that Atlassian’s cloud products continue to align with the latest Australian government security expectations over time, not just at a single assessment date, and that this ongoing work continues to enable and expand how our government customers can use Atlassian Cloud.

For details on the IRAP Report, Assessment Letter and Addendum letter, please refer: IRAP | Atlassian