Australian Government - Attorney-General's Department

Security Policy

Achieving a Just and Secure Society


Risk management of outsourced ICT arrangements (including Cloud)

The Australian Government Information security management guidelines—Risk management of outsourced ICT arrangements (including Cloud) provide a consistent and structured approach to undertaking a risk assessment when considering outsourced ICT arrangements for Australian Government information. They aim to help government decision-makers evaluate the benefits of adopting cloud computing services, and to help agencies consider the contextual risks specific to their agency and operating environment.

These guidelines cover:

  • applicable policy and legislation
  • outsourcing and offshoring, including:
    • complications arising from data being simultaneously subject to multiple legal jurisdictions
    • the difference in the business and legal cultures in other nations
  • Cloud use
  • overview of risk management for outsourced ICT arrangements, including:
    • applying International Standard ISO 31000: Risk Management—Principles and guidelines
    • organisational and strategic context
    • identifying risks
    • determining risk tolerance
    • questions to consider when determining risks within a Cloud context
    • potential threats when outsourcing information
    • mapping and assessing risks
    • determining potential consequences and likelihood
    • rating and evaluating risks
    • potential risk treatment options including outsourced treatment options
    • consultation and review.

Agencies should also refer to the Australian Government Cloud Computing Policy produced by the Australian Government Information Management Office.

The guidelines are available to download below:
