ASD's Blueprint for Secure Cloud

Frequently Asked Questions (FAQs)

Estimated reading time: 5 minutes

What is ASD’s Blueprint for Secure Cloud?

ASD’s Blueprint for Secure Cloud (the Blueprint) provides better practice guidance, as well as configuration guides and templates covering risk management, architecture and standard operating procedures developed as per the controls in ASD’s Information Security Manual (ISM) and ASD’s Essential Eight to support the design, configuration and deployment of collaborative and secure cloud and hybrid workspaces, with a current focus on Microsoft 365.

Why has the name of the Blueprint changed?

The Blueprint was originally developed by the Digital Transformation Agency (DTA) and released in March 2020. In April 2023, responsibility for the Blueprint transferred from the DTA to ASD. Its name has been changed to reflect its transfer to ASD, as well as updates that have been made following its transfer to ASD. These updates build a strong foundation on which to continue to grow the remit of the Blueprint in the future.

How does the Blueprint interact with ASD’s broader suite of Cloud Security guidance?

ASD’s suite of Cloud Security guidance provides advice on securing the use of cloud computing services for government, large organisations and infrastructure, and small and medium businesses.

The Blueprint is an online tool to support the design, configuration and deployment of collaborative and secure cloud and hybrid workspaces built on Microsoft 365, and should ideally be used in conjunction with ASD’s Cloud Security guidance.

What support does ASD provide to help organisations implement the Blueprint?

ASD is responsible for updating and maintaining the Blueprint and responding to questions or suggestions to assist organisations in implementation. However, we do not provide consultancy or technical services to directly assist organisations in implementation. Organisations should seek advice and support from their vendors and service providers to assist in their implementation.

ASD is responsible for updating and maintaining the Blueprint, responding to questions or suggestions and providing technical advice and assistance to organisations, their vendors and service providers to support their deployment of the Blueprint. While we provide targeted technical advice on deployment of the Blueprint, we are unable to provide secondees or embed staff within organisations implementing the Blueprint.

What benefit does the Blueprint provide to organisations?

The Blueprint provides a pathway for organisations to build secure cloud or hybrid workspaces. Using the Blueprint’s templates and guidance to securely implement cloud or hybrid workspaces will help organisations drive productivity and business outcomes by enabling staff to work and collaborate from the office or from home.

The Blueprint also aims to support organisations to move away from using unsecure, aging, and bespoke legacy systems, and move to innovative, secure, and configurable systems that are well-supported by enterprise vendors including Microsoft.

Will the Blueprint be updated as terminology and technology changes?

The Blueprint is informed by ASD’s experience in responding to cyber security incidents, performing vulnerability assessments and penetration testing Australian government organisations. ASD uses our threat intelligence, as well as feedback from partners across government and industry, to ensure our cyber security advice is contemporary and actionable.

ASD will continue to regularly update and improve the Blueprint to ensure it remains a trusted and up to date resource.

Will implementing the Blueprint ensure a cloud system is PROTECTED, OFFICIAL: Sensitive or OFFICIAL?

Implementation of the Blueprint does not certify or endorse a cloud system as suitable to handle OFFICIAL, OFFICIAL: Sensitive or PROTECTED information, but does provide practical guidance for Australian government organisations to consider alongside ASD’s ISM and the Department of Home Affairs’ Protective Security Policy Framework (PSPF). The ISM and PSPF outline the requirements and controls for cloud consumers to use in the assessment of a cloud service provider (CSP), its cloud services and a cloud consumer’s own systems (including where organisations have used the Blueprint to configure these systems).

If an Australian Government organisation uses the Blueprint, do they still need to have their cloud system assessed?

ASD’s Cloud Assessment and Authorisation guidance provides guidance for CSPs, IRAP assessors and Non-Corporate Commonwealth Entities (NCCEs) who are subject to the Public Governance, Performance and Accountability Act 2013 to the extent consistent with legislation.

Cloud systems developed or configured by NCCEs need to be assessed to ensure they meet the cloud consumer’s security requirements and risk tolerance. This assessment can be performed by an IRAP assessor. ASD’s Cloud Assessment and Authorisation publication assists and guides IRAP assessors on how to perform an assessment of a CSP and its cloud services, and a cloud consumer’s own self-developed systems hosted in the cloud.

Where can I find an IRAP assessor?

IRAP assessors are ASD-certified ICT professionals from across Australia who have the necessary experience and qualifications in ICT, security assessment and risk management, and a detailed knowledge of ASD’s ISM.

Endorsed IRAP assessors assist in securing systems and data by independently assessing an organisation’s cyber security posture, identifying security risks and suggesting mitigation measures.

A list of IRAP assessors can be found online.

How do I get in touch with other organisations using the Blueprint?

The Blueprint provides an avenue to share lessons learnt and best practice in deploying and configuring cloud or hybrid workspaces across a range of use cases and organisations. ASD is committed to building community of practice around the Blueprint to bring organisations together on a collective journey implementing, updating and growing the Blueprint.

Where can I go to for more information or if I have a question not addressed above?

If you have any further questions or need more information about anything above, please get in touch with us at or on GitHub. You can also sign up to ASD’s Cyber Security Partnership Program to be informed of new cyber security advice and alerted to emerging cyber threats.

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra