TechnologyOne clarifies IRAP certification about dedication to 'continuous improvement'

The certification TechnologyOne received from IRAP does not give it an automatic green light to provide the Australian government with a SaaS solution; rather, it is a way of showing customers it is serious about continuous improvement and ticking as many compliance boxes as possible.
Written by Asha Barbaschow, Contributor

Earlier this month, TechnologyOne announced its enterprise software-as-a-service (SaaS) solution had been certified to the highest standard by the federal government.

The Australian Securities Exchange (ASX)-listed company said it was the first and only company in the country to receive the certification from the government's Information Security Registered Assessors Program (IRAP), an initiative from the Australian Signals Directorate (ASD).

The IRAP certification does not mean TechnologyOne has been certified to the highest standard by the federal government itself; rather, the company has been certified to the highest standard under the IRAP criteria.

IRAP certification comprises two stages of audit, based on a risk assessment model. The first identifies security deficiencies, which the system owner rectifies or mitigates, and the second audit assesses the residual compliance.

According to Iain Rouse, group director of cloud, research, and development at TechnologyOne, obtaining IRAP certification is a way the company can show it is serious about continuous improvement.

Rouse told ZDNet that moving through the IRAP process was the result of requests from customers asking TechnologyOne to obtain the certification.

"We've got customers in New Zealand government, in Australian government, and state government around the country, and they're really excited that IRAP is a way of describing a really mature security practice," he explained.

"It's based around this idea of continuous improvement. It's not a once off or surveillance audit. The security standard was very good for all of our customers."

Rouse also said there's more to it than simply checking a box on a request for tender.

"The reason we like IRAP is because it is based on a risk assessment process, which actually improves security for both us and our customers, and it gives us a bit of an edge, with that edge us delivering a more robust and more secure cloud platform," Rouse said.

"IRAP is the first standard we've seen globally that actually forces the vendor to maintain a continuous improvement posture to always improve, to seek reaccreditation ... from our perspective it's a really good way of being open and honest."

Although IRAP recommended TechnologyOne be on the ASD's radar, the tick from IRAP doesn't give the Brisbane-based company credit towards appearing on the ASD's Certified Cloud Services List.

The certification from IRAP also does not allow TechnologyOne to provide government entities with services in and of itself.

"Every provider who is dealing with government should be on this list," Rouse added.

"We have got unclassified DLM up to sensitive. That is what all of our customers have said we must have, so if there's any ambiguity, we have not obtained protected.

"We've been through year-long independent audits and those independent auditors have written to us and said they're recommending you be certified, and that was the base of us then seeking to talk about it to promote the fact that: 'Hey, security is something you all should talk about together'."
