On 27 July 2020, following the closure of the Cloud Services Certification Program (CSCP) and the associated Certified Cloud Services List (CCSL), the Australian Cyber Security Centre (ACSC) and the Digital Transformation Agency (DTA) released new Cloud Security Guidance co-designed with industry to support the secure adoption of cloud services across government and industry.
The Cloud Security Guidance will guide organisations, including government, Cloud Service Providers (CSPs), and Information Security Registered Assessors Program (IRAP) assessors, on how to perform a comprehensive assessment of a cloud service provider and its cloud services, so that a risk-informed decision can be made about its suitability to handle an organisation’s data.
Commonwealth entities will continue to self-assess their cloud solutions in accordance with the Guidance. They will also continue to be responsible for their own assurance and risk management activities. IRAP will continue to support government in maintaining its assurance and risk management activities.
A Ministerial statement on the new guidance can be found here.