Australian Government Certified Cloud Services List (CCSL)

The Certified Cloud Services List (CCSL) identifies cloud services that have successfully completed an IRAP assessment by the Australian government, and have been awarded certification by the Australian Signals Directorate (ASD). The certification recognizes the successful completion, review, and acceptance of a comprehensive assessment undertaken by an Information Security Registered Assessor, so all Australian and New Zealand government agencies can use it.

The Information Security Registered Assessors Program (IRAP) is governed and administered by the ASD. IRAP provides a comprehensive process for the independent assessment of a system’s security against Australian government policies and guidelines. The IRAP goal is to maximize the security of Australian federal, state, and local government data by focusing on the information and communications technology infrastructure that stores, processes, and communicates it.

Microsoft has undergone an IRAP assessment and been certified on the CCSL by ASD for Azure, Dynamics 365, and Office 365. For each assessment, Microsoft engaged an ASD-accredited assessor who examined the security controls and processes used by Microsoft’s IT operations team, physical datacenters, intrusion detection, cryptography, cross-domain and network security, access control, and information security risk management of in-scope services. The IRAP assessments found that the Microsoft system architecture is based on sound security principles, and that the applicable Information Security Manual (ISM) controls are in place and fully effective within our assessed services.

  • In 2014, Azure was launched as the first IRAP-assessed cloud service in Australia, hosted from datacenters in Melbourne and Sydney. These two datacenters give Australian customers control over where their customer data is stored, while also providing enhanced data durability in the event of a disaster through backups at both locations.
  • In early 2015, Office 365 became the first cloud productivity service to complete this assessment.
  • In April 2015, the ASD announced the CCSL certification of both Azure and Office 365, and in November 2015, of Dynamics 365.
  • In June 2017, ASD announced the recertification of Microsoft Azure and Office 365 for a greatly expanded set of services.

Their certification provides assurance to public sector customers in government and their partners that Microsoft has appropriate and effective security controls in place for the processing, storage, and transmission of sensitive and official information that requires Dissemination Limiting Markings (DLMs). This includes the majority of government, healthcare, and education data in Australia.

Frequently asked questions

Expand all

The standard applies to all Australian federal, state, and local government agencies that use cloud services. New Zealand government agencies require compliance with a standard very similar to the Australian ISM, so they may also use the IRAP assessments.

Yes. If your organization requires or is seeking an accreditation in line with the ISM, you can use the certification of Azure and Office 365 in your compliance assessment. However, you are responsible for engaging an assessor to evaluate your implementation as deployed on Azure or Office 365, and for the controls and processes within your own organization.

Audit and certificates

Effective dates and audit cycle

Effective date for Azure and Office 365 is 20 June 2017 and 11 November 2015 for Dynamics 365. Recertification is due 24 months after the effective dates.

Microsoft in-scope cloud services

Expand all

Certified services include:

API Management, App Service (Mobile Apps and Web Apps), Application Gateway, Automation, Azure Active Directory, Azure Cosmos DB (formerly DocumentDB), Azure Resource Manager, Azure Search, Backup, Batch, Cloud Services, Content Delivery Network, Data Catalog, Event Hubs, ExpressRoute, HDInsight, Import/Export, IoT Hub, Key Vault, Load Balancer, Log Analytics, Machine Learning, Media Services, Microsoft Azure Portal, Multi-Factor Authentication, Notification Hubs, Redis Cache, Scheduler, Security Center, Service Bus, Service Fabric, Site Recovery, SQL Database, Storage (Blobs, Disks, Files, Queues, Tables) including Premium Storage, Stream Analytics, Traffic Manager, Virtual Machines, Virtual Network, VPN Gateway, and supporting infrastructure and platform services.

Dynamics 365 for Sales, Dynamics 365 for Customer Service, Dynamics 365 for Project Service Automation

Exchange Online, Exchange Online Protection and Advanced Threat Protection, SharePoint Online and Skype for Business, Office Web Applications and Secure Workload Environment, Office Services Infrastructure and Office 365 Suite Experience, Advanced e-Discovery and Customer Lockbox, Cloud PBX, PSTN Conferencing and Calling

Power BI cloud service and Azure Information Protection either as a standalone service or as included in an Office 365 branded plan or suite

Contact Trust Center

Need help evaluating our products? Can’t find the information you need?

Looking for general technical support?

Contact Microsoft support