LastPass has completed the Information Security Registered Assessors Program (IRAP) assessment at the PROTECTED level in Australia.
The IRAP framework is governed by the Australian Cyber Security Centre (ACSC) and is designed to ensure that cloud services adhere to the security standards outlined in the Australian Government Information Security Manual (ISM). An independent assessor conducts the evaluation, measuring how closely a company’s processes and infrastructure align to the requirements for handling sensitive, regulated data relevant to government agencies and certain industries.
By achieving PROTECTED status through this assessment, LastPass is able to offer its cloud-based identity and access management platform for use by Australian Government agencies and organisations operating under heightened regulatory scrutiny. This includes sectors such as finance, healthcare, and critical infrastructure, where compliance with national standards is mandatory for handling classified and sensitive data.
The completion of the IRAP process reflects LastPass’ continued focus on aligning its systems to local security expectations. The company sees this as critical in Australia, where organisations operate under frameworks such as APRA CPS 234, the anticipated updates to the Security of Critical Infrastructure (SOCI) Act, and the Federal Government’s 2023–2030 Cyber Security Strategy, all of which set high expectations for security resilience and data protection.
“Undergoing the IRAP assessment has sharpened our visibility and governance posture across systems and validated the strength of our overall security program,” said Mario Platt, CISO at LastPass. “This reinforces our ability to meet evolving regulatory requirements while reassuring organisations and individuals that our security approach is both proactive and globally aligned.”
This IRAP outcome enables LastPass to directly support Australian Government customers and their partners who require identity and access management solutions proven to have robust controls in place. In addition, LastPass is positioning itself for greater involvement with regulated industries that must demonstrate compliance with Australia’s most recognised cybersecurity framework as a condition of operation.
The successful assessment also grants enterprise customers greater assurance that their data will be managed in accordance with national standards and that LastPass remains attentive to government-defined best practices. According to the company, achieving IRAP PROTECTED status is part of a wider commitment to ongoing security, transparency, and compliance measures across its global business.
LastPass’ security investments in recent years are reflected in its Secure Access Experiences framework, which aims to combine features such as visibility, credential hygiene, and enhanced access controls. The company presents this framework as a response to the demand from organisations for flexible, policy-driven security management that goes beyond simple password protection. LastPass says that Secure Access Experiences are offered in its Business Max package, combining tools like SaaS Monitoring and SaaS Protect. These enable businesses to obtain a consolidated view of application usage, credentials, and access activities, supporting policy enforcement and credential management.
Organisations can access the IRAP assessment report and other certifications, such as ISO 27001 and SOC2, via the LastPass Trust Centre, together with relevant policies and security documentation. This initiative is part of the company’s transparency strategy and intended to increase customer confidence in its compliance with established standards.
By completing IRAP at the PROTECTED level, LastPass underlines its intention to expand its presence within Australia’s public sector and regulated industries, addressing the requirements of agencies and enterprise customers handling sensitive information. The company states that this assessment supplements its broader global initiatives designed to maintain high levels of trust, safety, and security for all users.