Australia Information Security Registered Assessors Program (IRAP)

The Information Security Registered Assessors Program (IRAP) enables Australian Government customers to validate that vendors comply with the requirements of the Australian Government Information Security Manual (ISM) produced by the Australian Cyber Security Centre (ACSC).  

F5 Distributed Cloud Services have been assessed by an independent IRAP assessor against applicable ISM controls. The assessment met its objective: the security controls implemented for the Distributed Cloud Platform were determined to be effective for storing, processing, and communicating information up to the PROTECTED classification level.

Protecting Australian government data from unauthorized access and disclosure remains a prime consideration when procuring and leveraging cloud services. F5 recognizes that customers rely upon the secure delivery of F5 services and the importance of having features that enable them to create secure environments. F5 enables customers to meet these objectives by prioritizing security in the delivery of its services, through the establishment of a robust control environment, and by making available for use a wide range of security services and features. For more information, contact an F5 Account Manager who can share F5’s IRAP report.

FAQ

F5 is fully committed to complying with the privacy laws in Australia, including the Australian Privacy Principles (APPs), the Privacy Act 1988, and similar State/Territory legislation. F5’s global privacy strategy and privacy-by-design approach ensure that F5 and its services prioritize the protection of personal data and uphold the highest standards of data privacy.


How do F5 and its customers comply with the Australian Privacy Principles (APPs), the Privacy Act 1988, and similar State/Territory legislation?

The Australian Privacy Principles in the Privacy Act 1988 (APPs) and certain State/Territory legislation govern the collection, use, and disclosure of personal data by private sector organizations. F5 contractually agrees to data protection and data security obligations that meet or exceed the standards required by Australian law for use of F5’s services. Customers in Australia can lawfully use all F5 services.


How do F5 and its customers address the requirements of the Australian law regarding personal data transfers to the U.S. and other regions outside of Australia?

For select processing operations, certain F5 services allow customers to choose the location of F5 data centers. For many services, these location options include Australia.

However, Australian law does not require customers to use those data centers. It is sufficient for the customer to protect the transfer by entering into F5’s Data Protection Addendum (DPA), as supplemented by the Service-Specific Terms. This is because the DPA requires F5 to handle and secure the personal data in a manner that complies with the APPs. Its terms include protections such as limitations on use, retention limits, data security, and data breach notification, which comply with applicable law in Australia. For data collected through its services, F5 complies with its transparency obligations under the APPs as detailed in the Privacy Statements for each service. Links to all service-specific Privacy Statements are in the introduction of F5’s Privacy Notice at https://www.f5.com/company/policies/privacy-notice.


Must customers in Australia require F5 to implement privacy or security measures beyond those detailed in F5’s Data Protection Addendum (DPA) and Service-Specific Terms?

No.