ISM-1972 (policy) - ASD Information Security Manual (ISM)

Security Assessments for Top Secret Cloud Services

Cloud providers' top secret cloud services need a security assessment at least every two years by authorised assessors.


Plain language

Cloud service providers storing top secret information must get a detailed security check every two years by specific authorised assessors. This is crucial because it helps catch any security weaknesses that could lead to loss or theft of highly sensitive information, which can cause severe national security issues or significant financial and reputational damage.

Framework: ASD Information Security Manual (ISM)
Control effect: Preventative
Classifications: TS
ISM last updated: Nov 2024
Control Stack last updated: 19 Mar 2026
E8 maturity levels: N/A

Official control statement

Outsourced cloud service providers and their TOP SECRET cloud services, including sensitive compartmented information cloud services, undergo a security assessment by ASD assessors (or their delegates), using the latest release of the ISM available prior to the beginning of the security assessment (or a subsequent release), at least every 24 months.

Why it matters

Missing the required 24-month ASD security assessments can leave TOP SECRET cloud services non-compliant and allow compromises to go undetected, risking national security.


Operational notes

Schedule ASD (or delegate) assessments at least every 24 months for TOP SECRET cloud services, and confirm assessors use the latest ISM release available before the assessment starts.


Implementation tips

  • The IT manager should coordinate with a qualified Australian Signals Directorate (ASD) assessor (or ASD delegate) to plan a security assessment for cloud services that hold top secret information. Schedule each assessment so that no more than 24 months elapse since the previous one, as the control requires.
  • The system owner should compile documentation on all security measures currently implemented on the cloud services. This can be done by listing security controls, access protocols, and monitoring practices, ensuring this information is up-to-date before the assessment.
  • The procurement team should ensure that there is a contract or agreement with third-party cloud service providers to allow regular security assessments by authorised assessors. Include this requirement in the service agreements when selecting cloud providers.
  • The IT team should review the latest Information Security Manual (ISM) guidelines before the assessment. This involves downloading or accessing the most current ISM documentation and understanding changes that could affect security assessment criteria.
  • An internal audit officer should prepare a summary report of previous assessments, including follow-ups on any identified vulnerabilities. This involves collecting past assessment reports and documenting actions taken to resolve previously identified issues.

Audit / evidence tips

  • Ask: the latest cloud service assessment report. Good: a dated report with the assessor's credentials clearly shown.
  • Good: the report includes the version number and publication date of the ISM used.
  • Ask: a list of implemented security controls on top secret cloud services.
  • Ask: a post-assessment action plan from prior audits. Good: a completed plan showing identified issues, assigned corrective actions, and implementation dates.

Cross-framework mappings

How ISM-1972 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001: Partially overlaps (2)

  • Annex A 5.19. Notes: ISM-1972 requires outsourced TOP SECRET cloud service providers (including SCI cloud services) to undergo an ASD assessor (or delegate) s...
  • Annex A 5.21. Notes: Annex A 5.21 requires organisations to implement processes and procedures to manage ICT supply chain information security risks.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
