Skip to main content

The Cloud Security Controls Matrix (CSCM) provides additional context to the Australian Government Information Security Manual (ISM) security controls for cloud computing to assist security assessments.

The Cloud Security Controls Matrix (CSCM) is a tool intended to be used by Information Security Registered Assessors Program (IRAP) assessors to capture the implementation of security controls from the Australian Government's Information Security Manual (ISM) by cloud service providers (CSPs) for their systems and services.

The CSCM provides indicative guidance on the scoping of cloud security assessments, and inheritance for systems under a shared responsibility model, though it should be noted that guidance is not definitive and should be interpreted by the assessor in the context of the assessed system. Further, these comments have generally been developed with reference to OFFICIAL: Sensitive and PROTECTED public clouds. This does not preclude their use for other types of cloud services, though additional scrutiny should be applied to their reference in this case.

Importantly, the CSCM also captures the ability for cloud consumers to implement security controls for systems built on top of the CSP's services by identifying where they are responsible for configuring the service in accordance with the ISM.

The latest CSCM can be found on the webpage for the Australian Government Information Security Manual.