Utilising Cloud Providers for Hosting Online Services
Online services are hosted using cloud service providers for improved service continuity.
Plain language
Using cloud service providers to host your online services helps ensure that your business can keep running smoothly, even if something goes wrong with your local IT setup. This matters because if your services are only hosted on-site and your office loses power or internet, your customers won't be able to access what they need, which could hurt your business reputation and bottom line.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networkingOfficial control statement
Cloud service providers are used for hosting online services.
Why it matters
If cloud hosting isn't used, outages in local IT systems may disrupt services, damaging reputation and incurring financial losses.
Operational notes
Review cloud SLAs, hosting locations and resilience (multi-AZ/region, backups) to meet availability and security needs.
Implementation tips
- System owners should collaborate with the IT team to choose a suitable cloud provider for hosting services. Start by listing out necessary features like storage, scalability, and security standards, ensuring that the provider meets the service requirements.
- IT teams should set up regular backups for services hosted in the cloud. This can be done by configuring automated backup processes within the cloud platform to ensure data is not lost or disrupted during service outages.
- Managers should conduct training sessions for staff on how to manage services in the cloud. This can involve simple workshops that show everyday operations and basic troubleshooting without needing to be an IT expert.
- Procurement teams should negotiate a service level agreement (SLA) with the cloud provider. Ensure it covers uptime guarantees, data recovery processes, and support services that meet your organisation’s needs.
- Security teams should work with the cloud provider to establish clear security controls. This can be achieved by identifying necessary security measures and confirming they align with your organisation’s requirements and best practices advised by the Australian Cyber Security Centre.
Audit / evidence tips
-
Askthe list of cloud providers your organisation uses
Goodincludes SLAs that commit to high availability and prompt support response times
-
Goodshows backups being done automatically and stored in a secure off-site location
-
Asktraining materials or a training schedule related to cloud service management
Goodincludes recent training records with attendee lists and material covered
-
Goodincludes comprehensive SLAs that match your organisation’s needs
-
Askdocumentation on security controls and risk assessments for cloud services
Goodhas documented policies aligned with best practices like those from the Australian Cyber Security Centre
Cross-framework mappings
How ISM-1437 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| handshake Supports (1) expand_less | ||
| Annex A 5.30 | ISM-1437 requires online services to be hosted using cloud service providers to improve service continuity | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.