IRAP Pulse — ISM Toolkit for IRAP Readiness and Assessment

Running self-test… i On every page load the tool runs a small internal fixture (2 New / 2 Updated / 1 Rescinded) through the delta engine to confirm the main comparison logic still behaves as expected. Green means the delta engine passed; red means something in the core comparison logic has broken. This does not replace validation against the current ASD workbook schema — workbook parsing, sheet detection, and column layout are not exercised here.
Your uploaded files are processed locally in your browser. They are not uploaded anywhere.
Before you start
Focus on the intent of ISM requirements, not just the letter.

A common approach when completing a System Security Plan-Annex (SSP-A) is reading each control literally and marking it Not Applicable because the wording does not seem to fit. The ISM is outcome-focused - the intent of a control is as important as the precise phrasing or whether your organisation uses the exact terminology in the requirement.

Three things to keep in mind before you start:

  • Not meeting a control is different from that control not applying. Use Not Applicable only where there is a genuine architectural or organisational reason — for example, physical security controls for a system with no on-premises footprint.
  • Even where responsibility is delegated — to a cloud provider, a managed security service, or another team — the organisation retains accountability and must be able to demonstrate how that accountability is fulfilled.
  • Board-level controls apply to every organisation regardless of size. For example, if your organisation does not have a formal board of directors — a committee, leader, or individual with right authority may fulfil the intent of executive accountability for cyber security.
About the SSP-A Generator

About the SSP-A Generator

How this tool works

Select your system's information classification, load an SSP-A template (bundled or your own upload), then download. The tool writes Not Applicable and a standard justification into every control excluded by your classification or scope. The implementation status of all other ISM controls remains as Not Assessed — for you or the IRAP assessor to update manually.

1. Inputs

  • SSP-A template: bundled (current quarter, auto-fetched) or your own ASD template
  • Classification: NC / OFFICIAL: Sensitive / PROTECTED / SECRET / TOP SECRET
  • Scope: which of the 22 ISM Guidelines apply to the assessed system

2. Process

  • Classification check: any control where the applicability column for your classification is "No" is marked Not Applicable
  • Scope check: any control under an unticked Guideline is marked Not Applicable; classification takes precedence where both apply
  • Comment written: a standard justification sentence is added to the Comments column for each marked control

3. Outputs

  • Pre-populated SSP-A (.xlsx): Updated spreadsheet with Not Applicable and justification added; all other ISM controls remain as Not Assessed without any comment
  • Principles sheet: not updated; all principles always apply
  • Info sheet: not updated; unfortunately, the tool can't always retain the format of the original file
What this tool does not do

This tool attempts to discern which ISM controls are not applicable to the assessed system. However, it cannot determine whether a control is genuinely applicable or not. You and the assessor still need to:

  • Assess every remaining control and record whether it is Implemented, Partially Implemented, Planned, or Not Implemented
  • Verify that every Not Applicable decision made here is defensible in the context of the actual system
  • Complete the Principles sheet/tab; it is not updated by this tool
  • Review and adjust scope or classification selections before finalising the SSP-A

Classification and scope selections are guiding principles — the outputs of this tool are starting points, not conclusions.

Assumptions the tool makes about the template
Assumption What goes wrong if untrue
The template follows the ASD SSP-A structure — a spreadsheet with ISM-XXXX identifiers and NC / OS / P / S / TS applicability columns. Column detection fails and the download button shows an error rather than producing an incorrect file.
Guideline names in the template match the names shown in the scope checklist exactly. Controls under mismatched Guideline names will not be marked Not Applicable even if the Guideline is unticked.
The template is blank — Implementation column values are "Not Assessed". Any cells already containing assessment decisions will be overwritten where a classification or scope exclusion applies.
Disclaimer and limitation of liability

This tool is provided on an “as is” and “as available” basis, without warranty of any kind. The output is a decision-support aid, not professional, legal, compliance, assurance or IRAP advice. Every Not Applicable decision produced by this tool must be reviewed and confirmed against the actual system under assessment. You remain solely responsible for the accuracy and defensibility of all Not Applicable determinations and for ensuring the final SSP-A meets your organisation’s assurance, accreditation and record-keeping obligations. To the maximum extent permitted by law, in no event shall Cybernion be liable for any direct, indirect, incidental, special, consequential or punitive damages arising from your use of this tool.

Security and transparency

This is a static, client-side web tool with no backend, no account, and no server-side processing. The HTML file contains the application source; bundled workbook and PDF assets and pinned JavaScript libraries are loaded as static resources. Everything runs in your browser.

  • No data leaves your machine. Your SSP-A template and all selections are processed entirely in-browser. Nothing is transmitted to any server — not even Cybernion’s. Apart from loading the pinned JavaScript libraries and the bundled SSP-A template, your uploaded files and entered data are not transmitted anywhere.
  • Third-party libraries. Four open-source JavaScript libraries are loaded at startup: xlsx-js-style v1.2.0 (Excel read/write) from jsDelivr, PDF.js v3.11.174 (PDF parsing) from Cloudflare CDN, Chart.js v4.4.4 (ISM Version Compare charts) from jsDelivr, and chartjs-plugin-datalabels v2.2.0 (chart data labels) from jsDelivr. All four are version-pinned with SHA-384 Subresource Integrity (SRI) hashes — the browser will refuse to execute any file that does not match the pinned hash. The PDF.js worker is loaded as a Web Worker (not a script tag) so browser-native SRI does not apply; the tool fetches it, verifies its SHA-384 hash in JavaScript before use, and rejects any mismatch. A fifth library, fflate v0.8.2 (a small, zero-dependency ZIP library, MIT licensed), is not loaded from any CDN — it is compiled directly into the application source at build time and used by the Create CCM tab to edit the spreadsheet losslessly, so dropdown lists and all other workbook features are preserved.
  • Vulnerability scanning. This html tool and all four JavaScript libraries were scanned against public vulnerability databases prior to release. No known vulnerabilities were identified at the versions pinned above.
  • Static resource review. The tool and its bundled assets were reviewed as static resources prior to publication. No active content, no dynamic code evaluation, and no third-party tracking scripts are present.
  • Source transparency. The application source is contained in the HTML file and can be inspected at any time in your browser’s developer tools or by opening the file in a text editor. Bundled assets (workbooks, PDF) and JavaScript libraries are separate static resources loaded at runtime.
  • Bundled file integrity. Each time the tool loads, it computes a SHA-256 hash of the bundled SSP-A template in your browser and compares it against a known-good hash embedded in the HTML at release time. A “Verified” result confirms the file served to you is byte-for-byte identical to the file tested by Cybernion. A hash mismatch blocks the template from loading — the tool will not proceed with a file it cannot verify. The expected hashes are updated in the source with each quarterly release.

If you identify a security concern, please Contact Us.

Licence and attribution

© 2026 Cybernion. All rights reserved. This tool is provided free of charge for use by security practitioners. No part of this tool may be reproduced, redistributed, or used to create derivative works without prior written permission from Cybernion. “ISM”, “IRAP” and related terms refer to work published by the Australian Signals Directorate / ACSC. This tool is an independent utility and is not endorsed by, affiliated with, or sponsored by ASD, ACSC or the Australian Government.