Maintain a Comprehensive Outsourced Cloud Service Register
Keep a detailed list of cloud services used, including provider details, service purpose, and security review schedule.
Plain language
This control is about keeping a detailed list of all cloud services your organisation uses, kind of like having a detailed contact list. It's important because if you don't know what services you are using, who provides them, or when you need to check their security, you could end up with sensitive information at risk and face unexpected issues or costs.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
An outsourced cloud service register contains the following for each outsourced cloud service:
- cloud service provider's name
- cloud service's name
- purpose for using the cloud service
- sensitivity or classification of data involved
- due date for the next security assessment of the cloud service
- contractual arrangements for the cloud service
- point of contact for users of the cloud service
- 24/7 contact details for the cloud service provider.
Why it matters
Without an outsourced cloud service register, services can be missed for review, exposing sensitive data and causing compliance failures.
Operational notes
Keep a register per service: CSP/service name, purpose, data classification, contract, POC, 24/7 CSP contacts, and next assessment due date; review monthly.
Implementation tips
- System owners should create an initial register of cloud services: Identify all cloud services currently in use by asking departmental heads what tools and platforms their teams rely on. Record each service's provider, purpose, and level of data sensitivity.
- IT managers should set a reminder for regular security assessments: Use calendar tools to schedule a regular (e.g., yearly) review date for each cloud service's security. This ensures potential risks are identified and managed in time.
- Procurement teams must review contractual agreements: Go through the contracts for each service to confirm terms related to security compliance and data handling. Make sure these align with your organisation's security policies.
- Appoint a primary contact for each cloud service: Designate a team member as the point of contact for each service to streamline communication and accountability. Provide this person with training or resources to effectively liaise with the service provider.
- Ensure 24/7 contact details are up-to-date: Verify that the contact information for each cloud service provider is current, including after-hours support, so issues can be handled promptly if they arise outside of office hours.
Audit / evidence tips
- Ask: the cloud service register document. Request the current list of all outsourced cloud services the organisation uses.
  Good: register will have up-to-date and comprehensive entries for each service.
- Good: practice shows each service scheduled for assessment at least annually.
- Ask: evidence of reviewed contractual agreements. Request the signed contracts or agreements for cloud services. Examine these for clauses related to data protection and compliance.
  Good: includes documented checks and any identified compliance gaps addressed.
- Ask: the list or policy showing who is responsible for each cloud service. Check for named individuals and their roles.
  Good: setup has clearly assigned contacts who understand their responsibilities.
- Ask: to see the method or system used to keep contact details up-to-date.
  Good: method will have recent updates and confirmation of detail accuracy.
Cross-framework mappings
How ISM-1638 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 5.9 | Annex A 5.9 requires maintaining an inventory of information and associated assets with ownership | |
| Supports (3) | | |
| Annex A 5.19 | ISM-1638 requires maintaining a comprehensive register of outsourced cloud services, including purpose, data sensitivity/classification, ... | |
| Annex A 5.22 | ISM-1638 requires an outsourced cloud service register with security assessment due dates and contractual and contact details for each cl... | |
| Annex A 5.23 | ISM-1638 requires documenting outsourced cloud services and key governance attributes such as purpose, data classification, contractual a... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.