Recent media reports suggest third-party solutions built on ACSC Certified Cloud Services automatically inherit ACSC certification. This is not accurate.
Any solution or service built on a certified cloud service does not automatically inherit the awarded certification of the supporting infrastructure and is not certified by the ACSC, unless it is also listed on the CCSL.
Services on the CCSL are assessed against a specific scope of ISM controls/considerations and physical/logical boundaries. Services can be delivered under a variety of arrangements, direct from the manufacturer or potentially through third-party providers. The ACSC Certification Report for a particular CCSL provider should be read to ascertain the scope of certified services.
The ACSC recommends that organisations considering third-party solutions built on ACSC certified cloud services perform their own independent security assessment and certification activity to determine if the solution or service meets their business and security needs.
The media reports included:
- Former policymakers part of new partnership to bolster nation’s cyber security
- Clean Energy Regulator signs up for Fujitsu’s protected cloud
- Microsoft reveals Objective Connect as the latest protected Azure cloud partner
You can read more about ACSC Certified Cloud Services.