Ensure High Availability by Using CDNs
Use CDNs to keep websites running smoothly and available when needed.
Plain language
This control is about using Content Delivery Networks (CDNs) to make sure your website stays available even during high traffic, such as a big sale or a school online enrolment period. If you don't use CDNs and your website can't handle the traffic, it could crash, leading to missed sales or frustrated parents who can't enrol their children, which can harm your business or institution's reputation and finances.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networking
Official control statement
Where a high availability requirement exists for website hosting, CDNs that cache websites are used.
Why it matters
Without a caching CDN, traffic spikes or upstream issues can cause website unavailability and degraded performance for users.
Operational notes
Review CDN caching rules and origin health, and monitor CDN hit rates/latency so capacity and caching can be tuned for peak demand.
Implementation tips
- The IT team should set up a CDN service for the company website. They can do this by researching and selecting a reputable CDN provider, setting up an account, and following the provider's instructions to integrate the CDN with the website. This often involves updating domain settings to route traffic through the CDN.
- System owners should work closely with their IT team to identify peak traffic periods. This involves looking at historical website traffic data to anticipate when high demand might occur and ensuring the CDN can handle the load during these times.
- The IT manager should ensure the CDN service is monitored. They can use the CDN provider's tools to track website performance and receive alerts for any issues, which allows for quick responses if the CDN experiences any problems.
- The procurement team should review and finalise contracts with the CDN provider. This includes ensuring the service agreement covers support for high traffic scenarios and checking that the price fits within the allocated IT budget.
- The IT support team must test the CDN setup before peak periods occur. They should simulate high traffic conditions to see how the website performs, allowing them to make any necessary adjustments to ensure smooth operation during real events.
Audit / evidence tips
- Ask: the CDN service agreement: Request a copy of the service contract with the CDN provider
  Good: should include a service level agreement (SLA) that covers handling high traffic loads
- Ask: historical website traffic reports: Request the reports that have been used to identify peak periods
- Ask: CDN performance reports: These should highlight performance metrics during peak loads
  Good: will show stable performance and quick resolution of any issues
- Ask: to see invoices or receipts for the CDN service: Verify payments to the CDN provider
  Good: will show up-to-date payment statuses and contract compliance
- Ask: a record of all communications with the CDN provider: This includes emails or logs of chats discussing performance and support
  Good: demonstrates a proactive relationship with the provider, with documented responses to any problems
Cross-framework mappings
How ISM-1438 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 5.30 | ISM-1438 requires organisations with a high availability requirement for website hosting to use CDNs that cache websites to improve resil... | |
| Partially overlaps (1) | | |
| Annex A 7.11 | Annex A 7.11 addresses resilience of information processing facilities against power and utility failures | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.