DocuSign re-assessed to IRAP ‘Protected’ status, again

Barely a day goes by without a data breach hitting the headlines. From major hacks to email scams, it seems that no-one is immune. And, with the scale and sophistication of cyber attacks growing exponentially, organisations large and small are feeling the pressure to fortify their systems and data.

But, just as the cyber criminals are getting craftier, so too are the systems designed to safeguard organisations from attack. Take the Information Security Registered Assessor Program (IRAP). Led by the Australian Cyber Security Centre (ACSC), IRAP assessors evaluate the Information Security risks associated with the use of ICT systems such as DocuSign against the Information Security Manual (ISM).

In 2019 DocuSign successfully undertook its first IRAP assessment, being assessed against the requirements to handle Official-Sensitive information. In 2021 we were assessed on the more stringent requirements to handle Protected classified information.

Well, guess what? DocuSign has just done it, again. With our IRAP status up for review two years after our last assessment, we successfully completed the reassessment. With almost 850 controls applicable to systems that deal with ‘Protected’ classified information, the assessment process is extremely thorough.

To stay one step ahead of the cyber threats, the ACSC regularly updates the ISM with new and modified controls, or measures, by which assessors evaluate system security. Since our last Protected assessment, there are 27% more controls that are applicable to our Cloud-based service.

This increase in security requirements involves a significant ongoing investment in how DocuSign securely designs, builds, tests and manages its cloud services to ensure that as the threat landscape evolves our platform is best able to meet the demands of our most critical Government customers.

Our completion of the IRAP assessment is proof of our commitment to security and trust, and demonstrates our ongoing efforts to strengthen and safeguard our systems to keep pace with the latest developments in cybersecurity.

Today, we are proudly the only eSignature provider to have our services assessed under IRAP as meeting ‘Protected’ status. It gives government agencies and any other organisations that work alongside government the peace of mind that DocuSign can securely prepare, sign and manage agreements that contain sensitive information.

Why this matters

While the evolving threat landscape continues to march forward, the original eight requirements most of our Government customers ask of us remain unchanged:

IRAP blog

The bottom line? At DocuSign, we’re not afraid to put a stake in the ground as to what a great Agreement platform needs to provide to our customers. And we continually push ourselves to meet these expectations — even the most rigorous of assessments like that set out by the ACSC. And the results? Well, they speak for themselves.

Glenn Powell head shot
Glenn Powell
Industry Lead - ANZ Public Sector