IRAP Preparation: Reduce Compliance Burden with Cloud

Hear from our consultants on effective ways to reduce the IRAP compliance burden

Written by: Hareen Siriwardena

23 January 2026

Reduce IRAP Anxiety and Improve System Security

Systems designed with IRAP compliance requirements in mind from the outset can greatly reduce the initial and ongoing IRAP compliance burden on already stretched engineering and GRC teams. With the right architectural decisions and the effective use of cloud services, organisations can lower compliance overheads whilst also improving security outcomes.

This blog explores practical strategies to minimise the IRAP compliance burden, focusing on control inheritance, shared responsibilities, and selecting higher-order cloud services where possible.

Don’t Redesign the Wheel

Major cloud service providers such as Microsoft Azure, Amazon Web Services, and Google Cloud Platform have already undergone extensive IRAP assessments that cover a significant portion of their services. When you choose to deploy your system on these platforms, many foundational controls have already been documented, implemented, and independently assessed. This means your system does not need to implement or evidence these controls as long as you have correctly defined the inheritance in your SSP-A.

Examples of commonly inherited controls include:

  • Compute, storage, and networking infrastructure
  • Physical security
  • Environmental protections.

A well-defined system authorisation boundary, combined with clear inheritance statements, can dramatically reduce the number of controls your team needs to manage and your assessor needs to evaluate.

Harness the Shared Responsibility Model

All cloud service providers (CSPs) operate on a shared responsibility model, which broadly splits responsibilities between the provider and the customer. A less-advertised aspect of this model is that the higher up the stack you go, the more the compliance burden shifts towards the CSP. The table below provides an overview of common cloud delivery models and who is responsible for each layer.

Layer                    IaaS       PaaS       SaaS
Physical data centres    Provider   Provider   Provider
Host infrastructure      Provider   Provider   Provider
Operating system         Customer   Provider   Provider
Middleware               Customer   Provider   Provider
Application              Customer   Customer   Provider
Data & access control    Customer   Customer   Customer

This means that your system, if primarily using SaaS services from a CSP, doesn’t need to worry about documenting, implementing, and evidencing the same controls that have been assessed as part of the CSP’s IRAP assessment. In addition, your IRAP assessor will not need to independently verify these controls.

If you want to leverage this amazing advantage of cloud services, you should ensure that the services your system uses have been included in the CSP’s IRAP assessment. AWS makes this relatively easy as they advertise IRAP-assessed services on their website - https://aws.amazon.com/compliance/services-in-scope/IRAP/

Elastic Compute Cloud (EC2) vs. Elastic Container Service (ECS) – A Practical AWS Example

A common point of discussion within engineering teams is whether to deploy an application directly on EC2 (IaaS) or on a managed container service such as ECS (PaaS).

When running on EC2, you do have more control, but you are responsible for:

  • Operating systems and hardening
  • Extensive Windows hardening (if you choose to go down this path)
  • Application control
  • Patch management
  • Vulnerability scanning
  • Host-based firewalls
  • Log configuration and forwarding.

Each of these responsibilities becomes a compliance requirement that must be documented, implemented, evidenced, and maintained.

When running the same application on ECS, your responsibility reduces to:

  • Container image security
  • Application-level logging
  • IAM roles
  • Cloud network segmentation and security groups.

Amazon provides tooling and services (e.g. AWS Inspector) to meet most of these responsibilities. This choice materially changes the complexity of assessments and ongoing compliance efforts.
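As an added example (not code from the original post or from Navi), the check below maps the four ECS customer responsibilities listed above onto properties of an ECS task definition that an assessor can evidence. The field names are those of the ECS task definition JSON; the approved registry prefix, the account id and the sample task definition are constructed for the example.

```python
import json

# Constructed assumption: the organisation's approved image registry prefix.
APPROVED_REGISTRY = "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/"

def check_task_definition(task_def: dict) -> list[str]:
    """Return findings against the four ECS customer responsibilities;
    an empty list means every check passed."""
    findings = []
    # IAM roles: the task role (application permissions) and the execution
    # role (ECS agent permissions) should both be set explicitly.
    for role in ("taskRoleArn", "executionRoleArn"):
        if not task_def.get(role):
            findings.append(f"{role} is not set")
    # Network segmentation: awsvpc gives each task its own ENI, so security
    # groups apply per task rather than per host.
    if task_def.get("networkMode") != "awsvpc":
        findings.append("networkMode is not awsvpc")
    for c in task_def.get("containerDefinitions", []):
        name, image = c.get("name", "<unnamed>"), c.get("image", "")
        # Container image security: approved registry and digest pinning.
        if not image.startswith(APPROVED_REGISTRY):
            findings.append(f"{name}: image not from approved registry")
        if "@sha256:" not in image:
            findings.append(f"{name}: image not pinned by digest")
        # Application-level logging: a log driver must be configured.
        if not c.get("logConfiguration", {}).get("logDriver"):
            findings.append(f"{name}: no logConfiguration.logDriver")
        # A privileged container undoes the host/container separation.
        if c.get("privileged"):
            findings.append(f"{name}: runs privileged")
    return findings

# Constructed sample task definition with two deliberate gaps:
# no executionRoleArn and an image pinned by tag rather than digest.
SAMPLE_TASK_DEF = json.loads("""{
  "family": "payments-api",
  "networkMode": "awsvpc",
  "taskRoleArn": "arn:aws:iam::123456789012:role/payments-task",
  "containerDefinitions": [{
    "name": "api",
    "image": "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/payments:1.4",
    "logConfiguration": {"logDriver": "awslogs"}
  }]
}""")

if __name__ == "__main__":
    for finding in check_task_definition(SAMPLE_TASK_DEF):
        print("FINDING:", finding)
```

Each finding corresponds to one of the customer-owned responsibilities, so a clean run is the evidence you would attach to those controls in the SSP-A rather than documenting OS hardening, patching or host firewalls.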

Design for Compliance from Day One

If you treat IRAP as an architectural requirement rather than a late-stage hurdle (that is, shift left), effective compliance becomes a by-product of design rather than a strain on your team.

Navi has been designed to assist organisations in effectively managing their control inheritance requirements for systems built on cloud service provider platforms. Contact us for a demonstration.