--- name: IRAP Evidence Trail description: Reorganises governance documents into ISM-mapped evidence folders for a 2026 IRAP QA Framework assessment, indexed by control and gap-flagged. --- # IRAP Evidence Trail > **TL;DR:** This skill takes an ad-hoc set of governance documents and reorganises them into the ISM-mapped folder structure an IRAP assessor expects, with each artefact timestamped, indexed by control, and missing families flagged as gaps. ## How does the IRAP Evidence Trail skill structure an ISM evidence pack? This skill takes a flat or ad-hoc set of governance documents and reorganises them into the Information Security Manual (ISM) mapped folder structure that an IRAP-PICTA assessor expects. Each artefact is timestamped and indexed by control family, and ISM families with no evidence are flagged as gaps. It is built for the 2026 IRAP QA Framework, the assessor-led model, and frames the documentation for a modern Microsoft 365 cloud tenant. ## When should you run this skill? - "Organise IRAP evidence trail" - "Build ISM evidence pack" - "Prepare for an IRAP assessment" - "Restructure our security documents by ISM family" ## Target folder structure ```text IRAP-Evidence-/ 00-INDEX.md 01-Governance/ 02-Personnel-Security/ 03-Communications-Security/ 04-Information-Technology-Security/ 05-Network-Security/ 06-Cryptography/ 07-Application-Security/ 08-Cloud-Computing-Security/ 09-Enterprise-Mobility/ 10-Incident-Management/ ``` ## How this skill works, step by step 1. Confirm the assessment cycle name (e.g. "2026-Q3 IRAP") 2. Read each existing document and tag it with the most appropriate ISM family 3. Move documents into the target structure (or copy with original linked back) 4. Create `00-INDEX.md` listing every artefact: file path, ISM family, control references where known, last modified date 5. Flag gaps: ISM families with zero artefacts get a "GAP — needs evidence" row in the index 6. Produce a one-page summary for the assessor's pre-read ## Output format - File system reorganisation (or copies) in the target structure - `00-INDEX.md` as the master cross-reference - Summary table at the end of the run ## Scope and safety This skill does NOT: - Author missing evidence (gaps are flagged, not filled) - Make IRAP assessment decisions - Modify the original documents — moves or copies only ## Licensing and permissions ### Licences and add-ons | Capability used | Minimum licence | | --- | --- | | Reorganising governance documents into an ISM-mapped evidence pack (file and document handling) | Any Microsoft 365 plan that provides the document storage being assessed (for example Microsoft 365 Business Standard or E3) | | Aligning the evidence pack with Microsoft Purview compliance posture for IRAP | Microsoft 365 E3, with Microsoft 365 E5 Compliance for the full Purview governance feature set | ### Least-privilege roles - Compliance Administrator (read) in the Microsoft Purview portal, to review compliance posture that informs the evidence pack - Global Reader, for read-only visibility of tenant governance configuration ### Microsoft Graph permissions (read-only) - This skill reorganises existing governance documents on the file system and does not call Microsoft Graph. Compliance context is reviewed through the Microsoft Purview portal rather than Graph scopes, so no application or delegated Graph permissions are required. ## Sources and compliance - Designed for the 2026 IRAP QA Framework — the assessor-led model - Maps artefacts to ISM control families - Pair with the E8 Evidence Packager skill for the data-repository portion of the evidence pack - Reference: [https://www.cyber.gov.au/resources-business-and-government/assessment-and-evaluation-programs/irap](https://www.cyber.gov.au/resources-business-and-government/assessment-and-evaluation-programs/irap) - Output in Australian English