Accreditation built in. Not bolted on. From day one.

A structured programme for organisations that need a Microsoft 365 and Azure environment capable of supporting workloads classified up to PROTECTED — delivered ready for IRAP assessment, with the artefacts and evidence already in the formats an independent assessor expects.

§ 01 · Objective

Deliver a Microsoft cloud and hybrid environment capable of supporting workloads up to PROTECTED — with accreditation artefacts, control evidence and operational readiness produced as part of delivery.

The programme is structured so that the same team who designs the environment also produces the SSP, SRMP, SoA and supporting evidence. That single team, working against a single control baseline, is what makes the difference between an 18-month accreditation ordeal and an 8–12 month delivery.

Scope boundary: the IRAP assessment itself is conducted by an independent, IRAP-endorsed assessor of your choosing. ACT Cyber's role ends at the point your environment and evidence are ready for assessment. We maintain that separation deliberately — it preserves assessor independence.

§ 02 · Method

The four phases.

Phase · 01
Assess
Security posture review. ISM control gap analysis, classification alignment, on-prem-to-cloud transition risks, audit of any existing artefacts. We tell you exactly where you stand before we move.
Output: Posture report · Gap matrix · Risk snapshot
Phase · 02
Design
Accreditation-ready architecture. Control-mapped design patterns, SSP, SRMP, risk register and authority artefacts — produced concurrently, in the formats assessors expect.
Output: Reference architecture · SSP · SRMP · SoA draft
Phase · 03
Implement
Secure platform build. M365, Azure, identity, endpoint and collaboration deployed against pre-validated patterns. Hardened by default. Documented as-built, not reconstructed later.
Output: Production environment · Configuration baselines · Evidence set
Phase · 04
Operate
Continuous compliance. Governance, uplift and evidence collection to sustain accreditation through operational life. Who runs the operate phase — your team, ours, or a partner — depends on the engagement model. See § 05.
Output: Runbooks · Evidence automation · Handover pack
Programme planning and delivery
Plate I · A programme, in flight
§ 03 · Reference Architecture

How it fits together.

A simplified view of the environment we design for clients. Every component is mapped to ISM controls, with evidence produced from configuration — not narrative.

FIG. 01 · Reference Architecture · ACT/REF-01 PROTECTED ALIGNED
▸ PROTECTED CLASSIFICATION BOUNDARY · ISM ALIGNED · IRAP READY

▼ A · IDENTITY BACKBONE
Entra ID · Conditional Access · Privileged Identity Management · Zero Trust

▼ B · CLOUD · MICROSOFT 365 · Collaboration & Data
Teams · SharePoint · Exchange Online · OneDrive
Purview (DLP, Sensitivity Labels) · Defender for O365
SCH·A SCH·B SCH·C

▼ C · CLOUD · AZURE · Platform & Workloads
Landing Zone · Hub-and-Spoke · Private Endpoints
Sentinel (SIEM) · Log Analytics · Compliance Manager
SCH·B SCH·D

▼ D · MANAGED ENDPOINTS · Devices & Users
Intune (MDM/MAM) · Defender for Endpoint (XDR)
ACSC Hardening Baselines · Compliance enforcement
SCH·A

▼ E · HYBRID · ON-PREMISES · Existing Estate
Active Directory · Hybrid Identity · ADFS
Fortinet edge · Site-to-site VPN · ExpressRoute
SCH·E

▸ A

Identity Backbone

Zero Trust identity is the spine. PIM, Conditional Access, MFA enforcement — the ISM controls every other layer relies on.

▸ B

M365 Collaboration

Sensitivity labels, DLP, Teams governance and SharePoint architecture — within ISM data handling boundaries.

▸ C

Azure Platform

ISM-aligned landing zone, hub-and-spoke architecture, private endpoints, Sentinel-based SIEM. Built right the first time.

▸ D / E

Endpoints & Hybrid

Intune + Defender XDR + ACSC baselines on the device side. Hybrid identity and secure connectivity on the on-prem side.

§ 04 · Timeline

Concurrent, not sequential.

Most PROTECTED programmes run 9–12 months because accreditation is treated as a separate workstream. Ours land in 3 months — because the artefacts are produced during build, not after.

MONTHS → 3 · 6 · 9 · 12

Without ACT Cyber: Architecture · Build · Documentation · Remediation · IRAP assessment (independent)

With ACT Cyber: Assess + Design · Build · Documentation (concurrent) · Remediation · IRAP assessment (independent)

Indicative. Timelines depend on existing estate, tenant maturity and internal governance cadence.

Documentation and delivery artefacts
Plate II · Documented as built, not after
§ 05 · Engagement Models

Three ways to run it after we build it.

The PROTECTED programme is delivered the same way every time. How you operate the environment afterwards is your call — and we don't insist on a particular model. Pick the one that fits your team's maturity and capacity.

Model · 01

Build & Go

We design, build and document the environment, and make it accreditation-ready to PROTECTED. Your team takes the keys at handover and runs it in-house from day one. No transition tail, no ongoing engagement — you own and operate.

Best for: organisations with mature internal cyber and platform teams who want a properly engineered environment without an ongoing dependency on the build team.

Model · 02

Build & Transition

We build, then walk alongside your operations team for an agreed transition period — runbook walkthroughs, training, evidence automation, escalation cover. We step out when your team is steady-state.

Best for: teams scaling up cyber capability, new to PROTECTED operations, or wanting structured uplift before assuming day-to-day ownership.

Model · 03

Build & Managed

We build, and a trusted Australian MSP partner runs day-to-day operations at PROTECTED — SOC 24/7, patching, compliance reporting, evidence collection. You get the outcome without standing up an internal operations team.

Best for: organisations preferring to outsource ongoing operations entirely, or those without the headcount to operate at PROTECTED in-house.

Mix and match. Many clients start with Build & Transition then move to Build & Go, or pair an in-house operate model with a partner-managed SOC. The build is one thing — what you do next is flexible.
