DocuSign completes 'Protected' level IRAP Assessment for DocuSign eSignature

Security and trust are fundamental to what we do here at DocuSign. They form the bedrock of our entire Agreement Cloud offering – without them, we simply wouldn’t exist. Every day, we continue to innovate and strengthen our security credentials in order to ensure the highest levels of trust with our customers.

So, when the opportunity arose to increase our security assessment for government agencies and regulated industries in Australia, we seized it.

In September 2021, we completed an independent assessment of DocuSign eSignature as part of the Infosec Registered Assessors Program (IRAP). In short, IRAP evaluates DocuSign’s security against the stringent requirements spelt out in the Australian Government’s Information Security Manual (ISM).  

Our goal with this assessment was to increase our security classification from ‘Official Sensitive’ (which we gained in May 2019) to ‘Protected’. We’re delighted to announce that we’ve completed our assessment against this higher security classification. 

“This improved security rating is great news for public sector organisations and the companies that interact with them, providing additional confidence in our solution for both government agencies and regulated industries,” said Nick Slater, Regional Vice President of Public Sector at DocuSign. “It demonstrates our commitment to security and data protection in Australia.”

Ticking off over 800 security controls

Completion of this ‘Protected’ review means that DocuSign eSignature has been evaluated against a comprehensive list of over 800 security controls, providing government agencies the ability to assess its security and its capabilities to meet their requirements to ensure critical data is protected.

While the IRAP assessment process is designed for Federal Government agencies to help them assess the risk profile of cloud service providers before engaging their services, it’s a really useful benchmark for any other organisation with rigorous security needs. 

“We’ll often get asked by State and Local government agencies, as well as companies from heavily-regulated industries like finance and insurance, whether we’ve been IRAP assessed and to what level. The fact that we’re now ‘Protected’ really demonstrates that we have the procedures and infrastructure in place to mitigate security risks for our customers,” said Adam Maloney, Director of Solutions Engineering at DocuSign. 

‘Protected’ status delivers more than peace of mind

By being assessed at "Protected" classification, not only can DocuSign’s public sector customers confidently use our eSignature solution with their sensitive documents and data, it helps to streamline their systems and processes. 

It makes a big difference for agencies that mainly deal with ‘Official’-level data. If they only have a small component of ‘Protected’-level data, the last thing they want is to run two separate eSignature solutions. Now, they can use the one platform for all, keeping all their data in the one place for simplified management and storage. 

DocuSign’s here for the public sector 

Across Australia and New Zealand, over 240 public sector organisations already use DocuSign for secure signing of agreements. Our new ‘Protected’ classification will open the door to more government agencies who are keen to leverage the benefits of an eSignature solution. 

DocuSign has established a Public Sector team, headed up by Nick Slater to continue to bring the right level of focus and engagement with this vital industry sector. “We’re looking forward to building out our services for the public sector – it is an important market for us, not just with eSignature but also the broader DocuSign Agreement Cloud,” he said. 

To learn more about our IRAP assessment, check out our trust centre.