Australian Government Certified Cloud Services List (CCSL)

Microsoft is included on the Australian Certified Cloud Services List for both Unclassified: Dissemination Limiting Markers (DLM) and PROTECTED data based on an IRAP assessment and certification by the Australian Cyber Security Centre (ACSC).

Microsoft and CCSL

Microsoft’s Azure, Dynamics 365 CRM, and Office 365 have undergone Information Security Registered Assessor Program (IRAP) assessments and are certified on the CCSL by the Australian Cyber Security Centre (ACSC). Azure and Office 365 services have been certified for both Unclassified: Dissemination Limiting Markers (DLM) and PROTECTED data. Dynamics 365 CRM has been certified for DLM data only.

For each assessment, Microsoft engaged an ACSC-accredited IRAP assessor who examined the security controls and processes used by Microsoft’s IT operations team, physical datacenters, intrusion detection, cryptography, cross-domain and network security, access control, and information security risk management of in-scope services. The IRAP assessments found that the Microsoft system architecture is based on sound security principles, and that the applicable Information Security Manual (ISM) controls are in place and fully effective within our assessed services.

  • In 2014, Azure was launched as the first IRAP-assessed cloud service in Australia, hosted from datacenters in Melbourne and Sydney. These two datacenters give Australian customers control over where their customer data is stored, while also providing enhanced data durability in the event of a disaster through backups at both locations.
  • In early 2015, Office 365 became the first cloud productivity service to complete this assessment.
  • In April 2015, the ASD announced the CCSL certification of both Azure and Office 365, and in November 2015, of Dynamics 365.
  • In June 2017, ASD announced the recertification of Microsoft Azure and Office 365 for a greatly expanded set of services.
  • In April 2018, the ACSC announced the certification of Azure and Office 365 at the PROTECTED classification. Microsoft is the first and only public cloud provider to achieve this level of certification.

The certification of Microsoft’s services helps provide assurance to public sector customers in government and their partners that Microsoft has appropriate and effective security controls in place for the processing, storage, and transmission of DLM and PROTECTED classified information . This includes the majority of government, healthcare, and education data in Australia.

Microsoft in-scope cloud services

Power BI cloud service and Azure Information Protection either as a standalone service or as included in an Office 365 branded plan or suite

Audits, reports and certificates

Services certified by ASD and included on the CCSL must be recertified 24 months after the effective date of certification.

The effective dates for the DLM certifications of Azure and Office 365 are 20 June 2017 and 11 November 2017 for Dynamics 365. The effective date for the protected classification certifications of Azure and Office 365 is 6 April 2018.

Audits, reports and certificates

Services certified by ASD and included on the CCSL must be periodically recertified to ensure compliance and take into account changes in the services over time:

  1. DLM certified services must be recertified every 24 months after the effective date of certification; and
  2. PROTECTED certified services must be recertified annually on or before 1 Sep.

The effective dates for the Microsoft certifications are contained in the ACSC Letter of Certification for each platform. All of the documentation associated with the Microsoft inclusions on the CCSL, including the IRAP assessment reports, risk management guides, ACSC certification letter and reports, and the ACSC consumer guides, are available from the Australia specific page of the Service Trust Portal.

Learn more

CCSL Overview

The Certified Cloud Services List (CCSL) identifies cloud services that have successfully completed an IRAP assessment by the Australian Government, and have been awarded certification by the Australian Cyber Security Centre (ACSC). The certification recognises the successful completion, review, and acceptance of a comprehensive assessment undertaken by an Information Security Registered Assessor, so all Australian Government agencies can use it. The CCSL can also be referenced by New Zealand Government organisations as the NZ ISM and Australian ISM are aligned.

The Information Security Registered Assessors Program (IRAP) is governed and administered by the ACSC. IRAP provides a comprehensive process for the independent assessment of a system’s security against Australian government policies and guidelines. The IRAP goal is to maximize the security of Australian federal, state, and local government data by focusing on the information and communications technology infrastructure that stores, processes, and communicates it.

Manage your compliance from one place

Perform ongoing risk assessment, get actionable insights, and simplify your compliance process when using Microsoft cloud services with Compliance Manager.

Try Compliance Manager nowRead the Security, Privacy and Compliance blog

Frequently asked questions

Expand all

The standard applies to all Australian federal, state, and local government agencies that use cloud services. New Zealand government agencies require compliance with a standard very similar to the Australian ISM, so they may also use the IRAP assessments.

Yes. If your organization requires or is seeking an accreditation in line with the ISM, you can use the certification of Azure, Office 365, and Dynamics 365 CRM in your compliance assessment. However, you are responsible for engaging an assessor to evaluate your implementation as deployed on Microsoft’s platforms, and for the controls and processes within your own organisation.