ISM-1637 ASD Information Security Manual (ISM)

Maintain a Cloud Service Register for Outsourcing

Organisations must keep and regularly update a list of all outsourced cloud services they use.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Nov 2022

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
An outsourced cloud service register is developed, implemented, maintained and verified on a regular basis.

Source: ASD Information Security Manual (ISM)

Plain language

Organisations need to keep an up-to-date list of all the cloud services they have hired from outside providers. This is important because losing track of outsourced services can expose sensitive information without anyone realising it, leading to security risks and financial losses.

Why it matters

Without an up-to-date outsourced cloud service register, cloud usage may go untracked, increasing shadow IT, compliance failures, and unmanaged costs.

Operational notes

Review the outsourced cloud service register quarterly with service owners; confirm active providers, data types, contracts and risk ratings, and record changes with evidence.

Implementation tips

  • Managers should start by identifying every cloud service used by the organisation, even those that might seem small or unimportant. They can do this by talking to different teams to ensure no services are missed and then creating a list in a shared document.
  • An IT representative should be tasked with keeping the cloud service register current. They should update this list any time a service is added or removed, which requires ongoing communication with anyone in the organisation who might procure new services.
  • Team leaders should set up regular review meetings to discuss the cloud services being used. During these meetings, they should confirm that the register is accurate and complete by comparing it against invoices and statements from service providers.
  • Organisations should designate a person to verify the accuracy of the cloud service register, such as an internal auditor. This person should cross-check the register against billing and usage reports to catch any discrepancies.
  • Business leaders should educate staff about the importance of reporting new cloud services. They can do this by holding brief training sessions or sending clear email instructions on why and how to report new services.

Audit / evidence tips

  • Ask: for the cloud service register document

    Good: a comprehensive list with no obvious missing items and recent updates noted

  • Good: consistent review discussions held at regular intervals

  • Ask: for recent invoices or billing statements from cloud service providers, and compare these documents to the cloud service register

    Good: what is listed in the register matches what the organisation is billed for

  • Good: audits are completed regularly, with identified corrections made

  • Ask: staff about their processes for adding new services to the register

    Good: clear steps, and staff understanding of the importance of maintaining the register

Cross-framework mappings

How ISM-1637 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially overlaps (1)

  • Annex A 5.9: Annex A 5.9 requires an organisation-wide inventory of information and associated assets with ownership

Supports (2)

  • Annex A 5.19: ISM-1637 requires an organisation to maintain and regularly verify a register of outsourced cloud services
  • Annex A 5.22: Annex A 5.22 requires monitoring and review of supplier services and security practices, including managing changes
