Built for Australian IRAP assessment work

Evidence, scope, findings and artefacts in one defensible workspace.

OakAttest is open-source IRAP assessment software for ASD-registered assessor firms and the client organisations they assess. It keeps Information Security Manual (ISM) control work structured from organisation setup through scoping, evidence, fieldwork, findings, certification, Essential Eight assessment and ongoing compliance maintenance.

OakAttest engagement overview showing assessment progress, status and artefact panels.

Why this matters

The Australian market does not need another generic compliance tracker.

IRAP work depends on boundaries, ISM applicability, evidence quality, client collaboration, vendor evidence, residual risk, auditability and exportable records such as System Security Plan material and SSP Annex data that can support an authorisation decision. OakAttest is shaped around those practical tasks, with self-hosted deployment as a first-class option.

01. Assessment boundary first

Capture system metadata, environments, service components and boundary diagrams before the engagement drifts into loose evidence collection.

02. ISM work stays current

Import ACSC ISM OSCAL releases, manage revisions and record applicability decisions with chapter and sub-chapter filtering.

03. Artefacts are exportable

Generate SSP material, certification records, Excel workbooks and boundary imagery from the same controlled engagement data.

04. Evidence maps faster

Analyse common Microsoft 365 and Google Workspace CSV exports to suggest ISM and Essential Eight mappings without declaring automatic compliance.

IRAP lifecycle coverage

Built around the work assessors already have to perform.

Plan

Organisation and engagement setup

Create the assessor organisation, invite colleagues, define client contacts, assign roles and establish engagement scope.

Scope

Boundary and Cloud IRAP context

Model environments, data centres, services, inherited provider controls and system boundaries for AWS, Azure or Google Cloud workloads up to PROTECTED.

Assess

Control decisions and fieldwork

Record implementation statements, assessment methods, evidence quality, limitations, Essential Eight maturity, enterprise SaaS exports, vulnerability imports and CVE or SBOM data.

Report

Findings, risk and certification

Link findings to ISM controls, record residual risk and prepare authorisation package material without losing the audit trail.

Australian cyber security fit

Purpose-built for IRAP, ISM and assessment evidence.

OakAttest is for teams looking for an open-source IRAP assessment tool, ISM compliance workspace, assessor collaboration system or self-hosted alternative to generic GRC software. It supports OFFICIAL: Sensitive and PROTECTED assessment workflows, Cloud IRAP context, Essential Eight visibility, assessment boundaries, SSP bundle exports, certification readiness checks, reassessment scheduling and audit-ready evidence history.

Product screenshots

Real application screens, not concept art.

These captures come from the app's disposable Playwright data set: organisation onboarding, administration, ISM imports, engagement scope, task ownership, dashboard notifications, findings, certification, Essential Eight, enterprise evidence guidance, assessment coverage, ongoing compliance and Burl-assisted evidence mapping.

Screenshot: Scope, boundary and applicability workspace.

What it handles

A workspace for repeatable assessment operations.

Organisation controls: Tenant roles, engagement-scoped client access, invitations, branding and IP allowlist administration.
Evidence lifecycle: Requests, uploads, review decisions, enterprise platform evidence guidance, CSV mapping suggestions, generated artefact storage and append-only audit logs.
Task coordination: Kanban-style engagement tasks with owners, due dates, overdue and due-today signals, dashboard notifications and collapsible engagement summaries.
Control assessment: ISM applicability, CAF record fields, SSP comments, implementation statement history, evidence limitations and assessor decision history.
Essential Eight: Target maturity profile, strategy-by-strategy assessment records, evidence fields, history and generated report tracking.
Security inputs: Nessus, Rapid7, Qualys and generic CSV vulnerability scans, Microsoft 365 and Google Workspace CSV exports, plus CVE and SBOM workflows.
Readiness and maintenance: Assessment coverage blockers, certification readiness checks, finding retests, risk acceptance and reassessment scheduling.
Outputs: SSP zip bundle, PDF material, Excel workbook, boundary image and certification records.

Deployment posture

Open source, self-hostable and careful about responsibility.

OakAttest is designed for deployments where assessment material, evidence and audit history need clear ownership. It does not claim that ASD certifies, endorses or approves a system. It helps assessor firms and clients collect and structure the artefacts that inform the relevant authorisation decision under Australian Government cyber security guidance.

Stack

Next.js, PostgreSQL, Drizzle, Better Auth, S3-compatible storage and React Email.

Install

Run locally with Docker, migrate and seed the database, then start the app with npm.

Licence

AGPL-3.0-or-later, suitable for open collaboration and transparent assessment tooling.