ISM-1529 | ASD Information Security Manual (ISM)

Limit Cloud Services to Community or Private for SECRETS

For SECRET or TOP SECRET services, only community or private clouds should be used to ensure security.

Plain language

When dealing with SECRET or TOP SECRET information, it's crucial to use cloud services that are either community or private clouds. This helps protect extremely sensitive data from being exposed to or accessed by unauthorised parties. If these precautions aren't taken, classified information could be leaked, which could severely harm your organisation's reputation and security.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

S, TS

ISM last updated

Nov 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Only community or private clouds are used for outsourced SECRET and TOP SECRET cloud services.

Why it matters

Using public clouds for SECRET info risks data leaks, potentially compromising national security and damaging organisational trust.

Operational notes

Confirm outsourced SECRET/TOP SECRET workloads run only in community or private clouds; periodically validate the service’s cloud model and contract terms.

Implementation tips

  • Managers should conduct an initial assessment of their current cloud service providers to determine if the services are classified as community or private. Review the service provider's documentation or consult directly with their representatives to verify their cloud classification.
  • IT teams need to ensure that all outsourced cloud services handling SECRET and TOP SECRET data are limited to community or private clouds. This can be done by reviewing the cloud service contract and confirming the infrastructure meets these criteria.
  • Procurement officers should include provisions in contracts that specifically require the use of community or private cloud services for sensitive data. They can achieve this by stating these requirements explicitly in all requests for proposals and ensuring they're reflected in the final agreement.
  • System owners must regularly review the organisation’s cloud usage to ensure ongoing compliance. Schedule quarterly checks to confirm that no new non-compliant cloud services have been introduced.
  • Security officers should train staff on the importance of using the appropriate cloud types for sensitive information. Develop a training module that explains the risks of public clouds for SECRET data and how to choose compliant solutions.

Audit / evidence tips

  • Ask: The current list of cloud service providers. Good: Is an updated list showing each provider and its respective classification as community or private.
  • Good: Is contracts with clear terms indicating compliance and protective measures.
  • Good: Includes up-to-date training material and completion records.
  • Ask: The documentation on quarterly reviews of cloud usage. Review the results and follow-up actions taken for any non-compliance identified. Good: Includes reports with actions and resolutions for any issues found.
  • Good: Is a policy document with clear stipulations and adherence evidence.

Cross-framework mappings

How ISM-1529 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (1)

  • Annex A 5.23: ISM-1529 requires that outsourced SECRET and TOP SECRET cloud services are only delivered using community or private cloud deployment models.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
