Protecting Australian government data from access, abuse and disclosure remains a prime consideration when procuring and leveraging cloud services. AWS recognises that customers rely upon the secure delivery of the AWS infrastructure and the importance of having features that enable the customer to create more secure environments. AWS enables customers to meet these objectives by prioritising security in the delivery of its services through the establishment of a robust control environment and making available for use a wide range of security services and features. These services provide comprehensive controls over the customer IT control environment, simplify the management of security services and provide improved security outcomes for the Australian Government.
The Information Security Registered Assessors Program (IRAP) enables Australian government customers to validate that appropriate controls are in place and determine the appropriate responsibility model for addressing the needs of the Australian Signals Directorate (ASD) Information Security Manual (ISM).
An independent IRAP assessor examined the controls of AWS’s people, process, and technology to ensure they address the needs of the ISM. This assessment and the Letter of Compliance are the basis on which a Certification Authority gains assurance to certify AWS infrastructure and provide a recommendation to the Accreditation Authority for appropriate use of the platform.
An agency accreditation is the culmination of an IRAP assessment and formal certification by the ASD operating as the Certification Authority for the Australian Government. This certification provides assurance that AWS has in place the applicable controls of the ASD’s ISM and is the immediate precursor in accrediting AWS for Australian government workloads.
How do I secure my data on AWS?
AWS provides customers a wide range of security functionality to protect their data in accordance with ASD’s ISM controls, agency guidelines and policies. We are continually iterating on the security tools we provide our customers, and regularly release enhancements to existing security functionality. Additionally, we provide a wide variety of whitepapers, online documentation and security videos for our customers. Our global whitepapers have recommendations for securing your data that are just as applicable to Australian government AWS workloads.
How do I consume AWS's IRAP security documentation and guidance?
Australian government customers can leverage our ASD certification and our independent IRAP Assessors Letter of Compliance in order to accelerate their certification and accreditation objectives.
In support of our Australian government customers, we provide a package of security guidance and documentation to enhance their understanding of security and compliance while using AWS as a certified cloud services supplier.
In particular, specific to the assessment of AWS infrastructure by an IRAP assessor against the ISM, we provide under NDA (as required) to government organisations or their partners:
- IRAP Report on AWS compliance to the ISM
- ASD Certification Letter of the AWS Infrastructure platform
- Control Implementation Summary
Additional reports that evaluate and test the controls implemented by AWS infrastructure, also available under NDA (as required):
- Service Organisation Controls 1 (SOC1) Type II Report
- Service Organisation Controls 2 (SOC2) Type II Report
- ISO 27001 Certificate & Statement of Applicability
- PCI Attestation of Compliance and PCI Responsibility Summary
To find out more information about the additional reports see the AWS Compliance FAQs.
To request access to AWS’ security documentation as it pertains to Australian Government customers, or contractors conducting business with the Australian government, please contact AWS Sales and Business Development or send an email to firstname.lastname@example.org.
Why do I need an IRAP accredited assessor?
An IRAP assessor is the only individual accredited as qualified to perform an assessment of an ICT system against the Australian Government ISM and describes areas of compliance and non-compliance, describes residual risks and remediation actions and provides recommendations to a Certification Authority on certification.
What are the available IRAP documents that we provide to our customers?
The following documents are publicly available:
The Control Implementation Summary and IRAP Report Stage 2 are available to customers using AWS Artifact, a self-service portal for on-demand access to AWS’ compliance reports. Get started with AWS Artifact today.
Is AWS on the Department of Finance Whole of Government Cloud Services Panel?
Yes, AWS has been a member of the panel since the 31st of March 2015. Agencies obtain value for money for cloud services and a simplified procurement process by going through a pre-assessed provider under a common contractual framework. This ease of procurement enables agencies to move at the pace their mission requires to deliver services effectively to Australian citizens.
What is the ISM?
The ISM is the Australian Government Information Security Manual (ISM) published by the Australian Signals Directorate (ASD), an organisation within the Department of Defence whose mission is to protect Australian Government systems and information.
For more about ASD’s role in protecting Australian information security, see http://www.asd.gov.au/about/roleinfosec.htm
Does AWS meet the requirements of the ISM?
Yes, AWS has been audited by an independent assessor from the Information Security Registered Assessors Program. The assessment examined the security controls of Amazon’s people, process and technology to ensure that they met the needs of the ASD 2014 ISM.
Where can I find more information on the IRAP program?
Which AWS services are covered by the IRAP Assessment?
Will compliance with the ISM increase AWS service costs?
No, there is no increase in service costs for any region as a result of AWS’ ISM compliance.
Where can I find the ISM?
Is AWS on the Australian Signals Directorate’s Certified Cloud Services List?
Yes, AWS has been certified for Unclassified DLM (UD) workloads by the Australian Signals Directorate (ASD) as the Certification Authority and is an inaugural member of the ASD Certified Cloud Services List (CCSL).
Agencies’ costs and risks are significantly reduced when they rely upon the deep expertise of the ASD as the Certification Authority to determine that the residual risk of services is well understood and appropriately assessed. This creates a significantly improved security outcome for Australian government departments while also reducing their costs related to such assessments.
Why is the ISM important?
In October 2014 the Australian Department of Finance and Department of Communications jointly released the Australian Government Cloud Computing Policy 3.0, which mandated a “cloud first” approach for the adoption of cloud services by federal government agencies.
“Under the Australian Government’s Cloud Policy agencies now must adopt cloud where it is fit for purpose, provides adequate protection of data and delivers value for
The ISM is the standard that governs the security of government Information and Communication Technology (ICT) systems. It complements the Protective Security Policy Framework (PSPF) produced by the Australian Government Attorney-General’s Department. Together these provide a manual for implementing appropriate controls to operate all classifications of workloads in an ICT environment.
Compliance with the ISM is what is used to assess cloud service providers’ membership of the ASD’s Certified Cloud Services List, which lists the cloud services for which ASD has acted as the Certification Authority. Certification is required for agencies to have workloads accredited to run on cloud services procured through the Department of Finance Whole of Government Cloud Services Panel, the primary procurement vehicle for cloud services for the Australian Government.
What is an IRAP accredited assessor?
These are individuals accredited by the Australian Signals Directorate (ASD) under the Information Security Registered Assessors Program as being appropriately qualified to conduct assessments against the ASD’s control framework, the Information Security Manual (ISM).
What AWS regions are covered?
The IRAP assessment and ASD Certification covers the AWS Sydney region. However, AWS treats all regions equally in terms of the controls, policies and processes that are used to operate them. Agencies should assess their workloads and business needs to determine which AWS region to use.
Can other services be used?
Yes, customers can evaluate their workloads for suitability with other AWS services. Contact AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.
Where can I find the independent IRAP auditors letter of Compliance for AWS?