Improve IRAP Assessments by Better Documenting ISM Controls

Learn how to document ISM controls in a SSP-A for IRAP assessments and internal system authorisations, reduce duplication, and reuse system controls effectively.

Written by: Hareen Siriwardena

30 January 2026

There are many ways to approach the creation of a System Security Plan (SSP). Some approaches are effective, while others introduce unnecessary complexity, duplication and additional discovery work during audits. As IRAP assessors, we regularly review System Security Plan Annexes (SSP-A) and see a wide range of practices, from well-structured control documentation to approaches that make assessment and ongoing maintenance significantly harder.

In most cases, we recommend starting with the SSP-A and using the long-form System Security Plan to provide supporting context, explanations, and evidence.

How to Document ISM Controls in an SSP-A

When documenting ISM controls within an SSP-A, it is important to describe the system control (e.g. Entra ID, Tenable Vulnerability Scanner, Microsoft Defender, Palo Alto NGFW) that satisfies the ISM control, rather than answering with a simple yes/no or restating the ISM control text.

This approach clearly shows:

  • Where the control is implemented
  • How the control operates and how it meets the respective ISM control
  • What evidence an IRAP assessor should review

This is the primary purpose of the SSP-A and is critical for IRAP assessments, internal system authorisation and ongoing artefact management.

One System Control Can Meet Multiple ISM Controls

A common mistake when documenting control compliance is treating each ISM control as unique. In practice, a single system control often satisfies multiple ISM requirements.

A common example is Microsoft Entra ID, which is frequently used to meet multiple ISM access control and authentication requirements, including:

  • ISM-1173 – Multi-factor authentication for privileged users
  • ISM-0974 – Multi-factor authentication for unprivileged users
  • ISM-1404 – Disabling unprivileged access after 45 days of inactivity
  • ISM-1649 – Just-in-time administration for systems

By documenting Entra ID once and describing how it satisfies each applicable ISM control, organisations can create a clear, consistent, and defensible SSP-A.

Reducing Duplication in SSP and ISM Control Documentation

When SSPs are managed using spreadsheets or static documents, control descriptions are often duplicated, drift over time, and become difficult to maintain, especially as ISM versions change or systems evolve.

Documenting controls in a reusable and linkable manner significantly reduces:

  • Control duplication
  • Inconsistent descriptions
  • Discovery work during assessments and audits
  • Ongoing SSP maintenance effort

It also improves the quality of your IRAP assessment report.

This approach improves audit readiness and reduces the cost and effort of future IRAP assessments.
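As an added illustration of the one-system-control-to-many-ISM-controls model described above, and of the duplication and drift that spreadsheet-style SSP-As accumulate, the following example code is not the post's or Navi's own. The ISM identifiers and summaries are those named in the post; the Entra ID description, evidence and per-control mapping text are constructed placeholders.

```python
from collections import defaultdict

# ISM controls named in the post (identifier -> the post's short summary).
ISM_CATALOGUE = {
    "ISM-1173": "Multi-factor authentication for privileged users",
    "ISM-0974": "Multi-factor authentication for unprivileged users",
    "ISM-1404": "Disabling unprivileged access after 45 days of inactivity",
    "ISM-1649": "Just-in-time administration for systems",
}

# One system control, described once and linked to several ISM controls.
# Description, evidence and mapping text are constructed placeholders.
ENTRA_ID = {
    "name": "Microsoft Entra ID",
    "description": "Identity provider enforcing Conditional Access and PIM (constructed).",
    "evidence": ["Conditional Access policy export", "PIM role settings screenshot"],
    "mappings": {
        "ISM-1173": "Conditional Access requires phishing-resistant MFA for admin roles.",
        "ISM-0974": "Conditional Access requires MFA for every interactive sign-in.",
        "ISM-1404": "Lifecycle workflow disables accounts with no sign-in for 45 days.",
        "ISM-1649": "PIM keeps admin roles eligible-only and activates them just-in-time.",
    },
}

def build_ssp_a(system_controls, catalogue):
    """One SSP-A row per linked ISM control: where, how, and what to review."""
    rows = []
    for sc in system_controls:
        for ism_id, how in sc["mappings"].items():
            rows.append({
                "ism_id": ism_id,
                "ism_summary": catalogue[ism_id],
                "system_control": sc["name"],   # where the control is implemented
                "how": how,                      # how it meets this ISM control
                "evidence": list(sc["evidence"]),  # what the assessor should review
            })
    return sorted(rows, key=lambda r: r["ism_id"])

def unmapped_controls(rows, catalogue):
    """In-scope ISM controls that no system control has been linked to."""
    return sorted(set(catalogue) - {r["ism_id"] for r in rows})

def inconsistent_descriptions(flat_rows):
    """Drift check for a spreadsheet-style SSP-A where the same system control
    was re-typed on every row: report controls whose copies no longer agree."""
    seen = defaultdict(set)
    for row in flat_rows:
        seen[row["system_control"]].add(row["description"].strip())
    return {name: sorted(d) for name, d in seen.items() if len(d) > 1}
```

Running `build_ssp_a([ENTRA_ID], ISM_CATALOGUE)` yields four rows that share one evidence list and one implementation owner, while `inconsistent_descriptions` is the check to run over a legacy spreadsheet before migrating it.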

Improving SSP-A Creation and Maintenance with Navi

Navi supports this best-practice approach by allowing system controls to be linked to multiple ISM controls, while refining a single control description as additional requirements are mapped. This results in a cleaner SSP-A, reduced documentation maintenance overhead, and documentation that scales as systems and ISM requirements change.

Ultimately, better SSP-As lead to better IRAP reports, which allow you to put your best foot forward with the security teams that review them as part of procurement, third-party risk assessments or internal system authorisation activities.

If you want to see how modern SSP-As can be created and maintained without spreadsheets, feel free to reach out for a demo.