Key Points

  • Cellebrite has committed to an IRAP assessment for Guardian, its cloud-based evidence management platform, starting H1 2026.
  • The assessment will be conducted by CyberCX, an ASD-endorsed IRAP assessor.
  • IRAP is an independent evaluation — not a government certification or endorsement.
  • CyberCX completed an ISM gap assessment of Guardian in December 2025.
  • Deliverables include a Cloud Controls Matrix, a Cloud Security Assessment Report, and control recommendations to support agency authorisation processes.

Cellebrite has formally committed to an IRAP assessment for Guardian, our cloud-based digital evidence management platform. The assessment will be conducted by CyberCX, an Australian Signals Directorate (ASD)-endorsed assessor, beginning in the first half of 2026. For Australian law enforcement, defence and national security agencies evaluating cloud-enabled investigative tools, here is what that means in practice.

Why Australian Agencies Require IRAP-Assessed Cloud Platforms

Australian law enforcement, defence and national security agencies face a real operational tension. They need modern, cloud-enabled platforms to accelerate digital investigations and keep pace with caseloads that are growing in both volume and complexity. But they also operate under some of the most exacting data security requirements in the world.

Moving investigative workflows to the cloud only works if agencies can trust the platform and can document that verification for internal authorisation processes. That is precisely what the IRAP assessment process is designed to support.

As digital evidence platforms increasingly move to the cloud, Australian agencies are placing greater emphasis on independent security assessments such as IRAP to validate security controls and support internal risk decisions.

What IRAP Assessment Means — and What It Does Not

IRAP stands for the Infosec Registered Assessors Program. It’s administered by the Australian Signals Directorate through the Australian Cyber Security Centre (ACSC). The program provides a structured framework for independent security professionals to assess whether a platform’s controls align with the Australian Government’s Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF).

A critical point worth stating clearly: IRAP is not a certification or an accreditation issued by the government. It’s an independent assessment. The ASD does not certify, endorse, or register systems through this process. What IRAP does produce is a rigorous, documented evaluation that government agencies can use to make informed risk decisions about whether to authorise a platform for their environment.

That distinction matters. Cellebrite is not claiming a government endorsement. We are committing to the independent scrutiny that Australian agencies require to begin their own authorisation processes.

Guardian and the Evidence Management Problem It Solves

Guardian exists to solve a specific problem: investigators across agencies need to manage, review and collaborate on digital evidence without the bottlenecks that come with siloed, on-premise infrastructure. When a forensic examiner extracts data from a device, that evidence needs to move through review, analysis and prosecution workflows. Guardian is built to make that process faster and more reliable.

Digital evidence volumes are increasing rapidly across Australian investigations. Mobile devices, cloud services, messaging platforms and IoT devices all generate data that investigators must review and manage.

Without modern evidence management platforms, agencies often face:

  • forensic lab backlogs
  • delays in evidence review
  • fragmented collaboration between investigators and prosecutors

Platforms like Guardian are designed to help agencies manage this growing digital evidence workload while maintaining evidentiary integrity.

But speed means nothing if agencies can’t trust the security posture of the platform handling their most sensitive case data.

The IRAP assessment is how we demonstrate that Guardian’s security controls hold up to independent scrutiny under the frameworks Australian agencies actually use.

Data Sovereignty and Sensitive Investigative Data

For many Australian agencies, cloud adoption is closely tied to questions of data sovereignty and jurisdictional control.

Guardian is designed with these considerations in mind, supporting deployment models that align with Australian government expectations for handling sensitive investigative data.

This includes:

  • secure cloud environments aligned with government security frameworks
  • strong access controls and audit logging
  • evidence integrity protections and full chain-of-custody tracking

These capabilities are essential to enabling agencies to maintain operational control while benefiting from modern cloud-based investigative workflows.

Assessment Scope and Timeline

CyberCX completed an ISM gap assessment in December 2025, identifying where Guardian’s controls currently stand relative to the ISM baseline. The full IRAP assessment begins in early 2026, following the ACSC’s Cloud Security Assessment and Authorisation Framework.

The assessment will produce three key deliverables:

  • A Cloud Controls Matrix documenting Guardian’s control coverage
  • A Cloud Security Assessment Report evaluating control effectiveness
  • Specific recommendations for strengthening control implementation

These deliverables give government agencies the documented evidence they need to conduct their own authorisation processes.

Helping Agencies Accelerate Their Own Authorisation Process

Even with an IRAP assessment completed, each Australian agency still conducts its own internal authorisation process before adopting a cloud platform.

To support this process, Cellebrite is working to ensure Guardian provides the documentation and architectural transparency agencies need, including:

  • security architecture documentation aligned with ISM expectations
  • data handling and sovereignty controls
  • auditability and chain-of-custody protections for digital evidence
  • operational guidance to support agency risk assessments

By preparing these materials early in the IRAP process, Cellebrite aims to help agencies begin evaluating Guardian sooner rather than waiting for the final assessment outcome.

Why CyberCX

CyberCX is one of Australia’s most established IRAP assessment providers. Their team has assessed cloud platforms for major global technology vendors and maintains deep expertise in both the ISM and the PSPF. Engaging CyberCX was a deliberate choice to ensure the assessment carries weight with the Australian agencies we serve.

Cellebrite’s Long-Term Commitment to the Australian Market

Our customers are seeking cloud-enabled investigative capabilities, but they rightly require confidence that solutions meet the highest standards of security, governance, and compliance. This commitment reflects our long-term investment in Australia and in the agencies that protect its communities.

This initiative is part of how Cellebrite operates globally: meeting the specific regulatory and security requirements of each market we serve, rather than expecting agencies to accept a one-size-fits-all approach. Australian investigators face unique data sovereignty requirements and threat environments. The IRAP assessment process respects that specificity.

We’ll share further updates as the assessment progresses in 2026.

Exploring Guardian During the IRAP Process

Many Australian agencies begin evaluating cloud platforms while security assessments are underway so they can move faster once the assessment concludes.

If your agency is currently exploring cloud-based digital evidence management, the Cellebrite ANZ team can provide:

  • architecture briefings
  • security documentation discussions
  • early product demonstrations

This allows agencies to understand how Guardian fits into their investigative workflows and authorisation requirements.

Want to learn more about Guardian’s security architecture or discuss how it fits your agency’s authorisation requirements?

Contact our ANZ team or request a demonstration.

Frequently Asked Questions

What is an IRAP assessment? IRAP (Infosec Registered Assessors Program) is a framework administered by the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC). It enables independent security professionals to assess whether a platform’s controls align with the Australian Government’s Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF).

Is IRAP a government certification? No. IRAP is an independent assessment, not a certification or accreditation issued by the government. The ASD does not certify or endorse systems through this process. The assessment produces documented evidence that agencies use to make their own risk-based authorisation decisions.

Who is conducting Cellebrite’s IRAP assessment? CyberCX, an ASD-endorsed IRAP assessor with extensive experience assessing cloud platforms for major global technology vendors.

What will the IRAP assessment cover? The assessment follows the ACSC’s Cloud Security Assessment and Authorisation Framework and will evaluate Guardian’s controls against the ISM baseline. It will produce a Cloud Controls Matrix, a Cloud Security Assessment Report, and specific control recommendations.

When will the assessment be complete? The full IRAP assessment begins in the first half of 2026. CyberCX completed a preparatory ISM gap assessment in December 2025.

What is Cellebrite Guardian? Guardian is Cellebrite’s cloud-based digital evidence management platform. It enables investigators to manage, review, and collaborate on digital evidence across agencies — with a documented chain of custody at every step.

What does this mean for Australian agencies evaluating Guardian? The assessment will produce the independent, documented security evaluation that Australian government agencies need to begin their own authorisation processes for Guardian.
