Built for compliance from day one

The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) initiative that provides high-quality information and communications technology (ICT) security assessment services to government and industry. IRAP assessors independently evaluate whether a system's security controls meet the requirements of the Australian Government Information Security Manual (ISM).

ShieldBox has been independently assessed by an ASD-endorsed IRAP assessor. Our email platform has been assessed against the ISM controls applicable to cloud email hosting at the PROTECTED classification level. Assessment documentation is available to government agencies and regulated entities on request by contacting compliance@shieldbox.com.au.

Key ISM control families covered in ShieldBox's IRAP assessment include: Access Control (AC), Audit and Accountability (AU), Configuration Management (CM), Identification and Authentication (IA), Incident Response (IR), Risk Assessment (RA), System and Communications Protection (SC), and System and Information Integrity (SI).

The Protective Security Policy Framework (PSPF) is the Australian Government's overarching security framework. ShieldBox supports PSPF compliance by providing an email platform capable of handling documents and communications at OFFICIAL and OFFICIAL: Sensitive classifications, with a pathway to PROTECTED. All data handling meets PSPF information security requirements.

Australian Government agencies (APS, state/territory), entities handling government-classified information, defence industry suppliers, intelligence community contractors, and any organisation required to demonstrate compliance with the ISM or PSPF.

The Privacy Act 1988 (Cth) contains 13 Australian Privacy Principles (APPs) that govern how organisations collect, use, disclose, and store personal information. ShieldBox is fully compliant with all 13 APPs, with particular focus on APP 8 (cross-border disclosure) — we guarantee your data never leaves Australia.

APP 8 requires that before disclosing personal information to overseas recipients, an organisation must take reasonable steps to ensure the overseas recipient will not breach the APPs. The most robust way to comply with APP 8 is to never transfer personal information offshore in the first place — which is exactly what ShieldBox does. All data is stored and processed exclusively in Australia.

The Australian Government is implementing reforms to the Privacy Act 1988 following the 2022 review. Key changes include: mandatory privacy impact assessments for high-risk activities, strengthened individual rights (right to erasure, right to object to targeting), direct right of action, and increased penalties up to $50 million. ShieldBox's architecture is designed to meet these enhanced requirements.

The Office of the Australian Information Commissioner (OAIC) is the independent national regulator for privacy and freedom of information. The OAIC can conduct investigations, accept privacy complaints, and issue determinations. Since the 2022 breaches, OAIC enforcement has significantly increased. Using Australian-hosted infrastructure eliminates a major category of APP 8 risk.

Healthcare providers handling My Health Record data must ensure that record system operators meet specific security requirements under the My Health Records Act 2012 and related rules. ShieldBox's IRAP-assessed infrastructure provides a compliant foundation for healthcare organisations communicating clinical information.

APRA Prudential Standard CPS 234 requires APRA-regulated entities to maintain information security capabilities to protect information assets. ShieldBox provides APRA-regulated financial institutions with an email infrastructure that demonstrates alignment with CPS 234's requirements for information security management.