
Accelerate ACSC ISM compliance coverage in the AWS Cloud with AWS Support


This article shows how organizations can use AWS Support to accelerate their compliance coverage against the Australian Cyber Security Centre (ACSC)’s Information Security Manual (ISM) framework. Note that this guidance does not constitute compliance advice; entities should seek their own legal advice on their ISM compliance obligations.

Introduction

Important: This guidance doesn’t constitute compliance advice. Entities should seek their own legal advice on their ISM compliance obligations.

ACSC’s ISM is a framework that provides cybersecurity principles and guidance for organizations. Organizations can then apply the ISM within their overall risk management framework to protect their systems and data from cyber threats.

The ISM is mandatory for Australian Government agencies (specifically Non-Corporate Commonwealth Entities) to implement as part of their obligations under the Protective Security Policy Framework (PSPF). Other organizations, both government and corporate, that operate business-critical workloads in AWS might also find the ISM framework useful in securing their information technology operations. The ACSC also publishes the Essential Eight (E8): a prioritized subset of ISM controls, presented as practical, action-oriented approaches to reducing cyber risk, that targets the Small & Medium Business (SMB) segment.

This article helps boards, information security officers, risk and compliance executives, and technology leaders who are responsible for information technology strategy development and compliance with ISM. The article examines ISM’s approach to information security regulation and explores mechanisms to implement at-scale controls for customers who want to enhance ISM compliance in the AWS Cloud.

Under the AWS Shared Responsibility Model, AWS is responsible for securing the cloud infrastructure (“of” the cloud). Customers must implement security controls for their applications and workloads (“in” the cloud). AWS provides resources and artifacts to help customers understand and implement controls to help meet ISM requirements. Customers can also use AWS Support solutions with comprehensive security controls and operational excellence features to help them with their ISM compliance journey.

Understanding ISM’s approach to technology regulation

The ACSC’s ISM framework is technology and vendor neutral. ACSC doesn’t have a particular preference or opposition to the use of any specific solution architectures, technologies, or vendors by entities that want to achieve ISM compliance.

The ISM is a principles-based framework that comprises 34 cybersecurity principles grouped across six functions:

  • Govern: Develop and maintain a strong and resilient cybersecurity culture. (7 principles)

  • Identify: Identify assets and associated security risks. (4 principles)

  • Protect: Implement and maintain controls to manage security risks. (15 principles)

  • Detect: Detect and analyze cybersecurity events to identify cybersecurity incidents. (3 principles)

  • Respond: Respond to cybersecurity incidents. (4 principles)

  • Recover: Resume normal business operations following cybersecurity incidents. (1 principle)

As a principles-based framework, ISM describes expected, high-level risk management outcomes but isn’t prescriptive about how you achieve these outcomes.

Customers who want to achieve ISM compliance can choose their own approach to meet ISM’s principles-based expectations, including using AWS Support solutions. They can use ACSC’s ISM to identify and map individual technical controls in the AWS Cloud to help demonstrate their compliance position against the overarching cybersecurity framework.

It’s important to note that not every element of the ISM maps to a technical control. Non-technical elements relate to people and process controls, such as policies and documentation, organizational capability, and governance. Automation can’t provide these types of controls in the same way that it can provide technical controls, such as encryption of data at rest or in transit.

Using AWS services to accelerate your compliance posture in the AWS Cloud

The following are specific AWS services that can help you accelerate your compliance posture in the AWS Cloud:

  • AWS Well-Architected Framework (specifically, the Security pillar): Provides guidance to help you apply best practices. The Security pillar also includes current recommendations in the design, delivery, and maintenance of secure AWS workloads.

  • AWS Artifact: No cost, self-service portal for on-demand access to AWS compliance reports through the AWS Management Console.

  • AWS Audit Manager: Helps you continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry standards.

  • AWS Security Assurance Services: AWS industry-certified experts, backed by AWS technical depth, help you align with specific regulations and standards, including DORA, GDPR, CCPA, PCI DSS, and ACSC.

  • Amazon GuardDuty: Protects your AWS accounts and workloads with intelligent threat detection and continuous monitoring.

  • AWS Security Incident Response: Automated 24/7 security incident response service with AWS expert guidance to help you prepare for, respond to, and recover from security events faster and more effectively.

  • AWS Config: Allows you to assess, audit, evaluate, and remediate the configurations of your AWS resources against industry-specific or custom compliance packs.

AWS Config is particularly powerful at accelerating compliance posture because it encourages customers to use automated compliance checks, called AWS Config Rules. Customers can also use sets of rules in AWS Config (AWS Config Rules grouped into AWS Config Conformance Packs) to continuously audit and evaluate compliance of their resource configurations against a desired state. AWS has mapped a set of 130 AWS Config Rules, or unique technical controls in the AWS Cloud, against 56 of the control objectives identified in ACSC’s ISM. You can deploy this mapped set, known as the AWS Config ACSC ISM Conformance Pack, across your AWS accounts to provide a near real-time view of your compliance position against ACSC’s ISM controls.

The AWS Config dashboard provides a collective view of the technical controls in place and displays the following information:

  • List of rules and associated AWS resources

  • Resource compliance status to the AWS Config rules

  • Overall compliance score

The compliance score is based on the number of rule-to-resource combinations across your accounts.

Note: It’s not a best practice to focus solely on achieving a particular score as an overall objective. Certain controls might not be relevant to how an ISM-regulated customer operates in the AWS Cloud. There are also several controls in the ISM framework that you can’t meet by technical means. Use compliance scores to identify and prioritize highest-risk items for remediation and demonstrate continuous improvement, rather than focus on achieving a particular score.

To continuously monitor the compliance posture of AWS resources across all of your accounts and AWS Regions, you can set up an AWS Config aggregator. To remediate a non-compliant resource in an account, you can build, associate, and execute AWS Systems Manager Automation documents.
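As an added example (not code from this article or from AWS), the following script applies the compliance-score definition above to a constructed, aggregator-style set of rule-to-resource results from two accounts and rolls the failing combinations up to the ISM control numbers that Table 1 in the Appendix assigns to each AWS Config rule, so the controls with the most failing resources surface first for remediation. The sample records, and the choice to leave NOT_APPLICABLE and INSUFFICIENT_DATA results out of the score's denominator, are assumptions made here.

```python
"""Compliance score and ISM-control roll-up over AWS Config results.

Added example, not AWS code. The score follows the article's definition
(compliant rule-to-resource combinations over all evaluated ones); leaving
NOT_APPLICABLE and INSUFFICIENT_DATA out of the denominator is an assumption
made here. All evaluation records below are constructed.
"""
from collections import defaultdict

# Subset of Table 1: AWS Config rule -> ISM control identifiers it maps to.
ISM_RULE_MAPPING = {
    "cloudtrail-enabled": ["1405", "1509", "1650", "1661", "1683"],
    "ec2-ebs-encryption-by-default": ["459"],
    "iam-user-mfa-enabled": ["974", "1173", "1401", "1504", "1679", "1680", "1681"],
    "rds-storage-encrypted": ["459"],
    "root-account-mfa-enabled": ["1173", "1401", "1504", "1679", "1680", "1681"],
    "s3-bucket-server-side-encryption-enabled": ["459"],
}

# Constructed records shaped like an aggregator's cross-account view:
# (rule, account id, resource id, compliance type).
SAMPLE_EVALUATIONS = [
    ("cloudtrail-enabled", "111111111111", "AWS::::Account/111111111111", "COMPLIANT"),
    ("cloudtrail-enabled", "222222222222", "AWS::::Account/222222222222", "NON_COMPLIANT"),
    ("ec2-ebs-encryption-by-default", "111111111111", "AWS::::Account/111111111111", "NON_COMPLIANT"),
    ("iam-user-mfa-enabled", "111111111111", "AWS::IAM::User/alice", "COMPLIANT"),
    ("iam-user-mfa-enabled", "111111111111", "AWS::IAM::User/bob", "NON_COMPLIANT"),
    ("rds-storage-encrypted", "222222222222", "AWS::RDS::DBInstance/db-1", "COMPLIANT"),
    ("root-account-mfa-enabled", "222222222222", "AWS::::Account/222222222222", "NON_COMPLIANT"),
    ("s3-bucket-server-side-encryption-enabled", "111111111111", "AWS::S3::Bucket/log-archive", "COMPLIANT"),
    # A deleted resource comes back NOT_APPLICABLE and must not move the score.
    ("rds-storage-encrypted", "111111111111", "AWS::RDS::DBInstance/db-old", "NOT_APPLICABLE"),
]
SCORED = ("COMPLIANT", "NON_COMPLIANT")

def compliance_score(evaluations):
    """Percentage of compliant rule-to-resource combinations, one decimal."""
    scored = [e for e in evaluations if e[3] in SCORED]
    if not scored:
        return 0.0  # nothing evaluated yet; never report a misleading 100%
    compliant = sum(1 for e in scored if e[3] == "COMPLIANT")
    return round(100.0 * compliant / len(scored), 1)

def noncompliant_by_ism_control(evaluations, mapping):
    """Attach each NON_COMPLIANT combination to every ISM control its rule covers.
    Rules missing from the mapping land under 'unmapped' rather than vanishing."""
    grouped = defaultdict(list)
    for rule, account, resource, status in evaluations:
        if status != "NON_COMPLIANT":
            continue
        for control in mapping.get(rule, ["unmapped"]):
            grouped[control].append((rule, account, resource))
    return dict(grouped)

def _control_sort_key(control):
    # Numeric ISM ids sort numerically; principle ids (P5, P9, ...) and 'unmapped' follow.
    return (0, int(control)) if control.isdigit() else (1, control)

def prioritise(evaluations, mapping):
    """ISM controls ranked by number of failing combinations, most first."""
    grouped = noncompliant_by_ism_control(evaluations, mapping)
    return sorted(grouped.items(), key=lambda kv: (-len(kv[1]), _control_sort_key(kv[0])))
```

Feeding the script real aggregator output (for example, the per-rule compliance details an aggregator returns) only requires producing the same four-field tuples.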

Similarly, AWS Audit Manager is designed to streamline the audit readiness of your AWS Cloud environment, from evidence collection to report generation. You can use this service as part of your compliance management solution to automate evidence collection from multiple AWS service data sources, such as:

Audit Manager provides prebuilt standard frameworks that support the ISM and E8 frameworks. To use these frameworks to jumpstart monitoring and evidence gathering for ISM, associate data sources that map to your specific interpretation of ACSC standards. Audit Manager also supports non-technical controls so that you can centrally manage and export all evidence that proves adherence to ISM for audit purposes.

You can also use AWS Artifact, a self-service portal in the AWS Management Console, for on-demand access to AWS compliance reports. AWS customers can use AWS Artifact Reports to assess and validate the security and compliance of the AWS infrastructure and services that they use. Customers can submit AWS Artifact documents to auditors or regulators as audit artifacts.

Lastly, you can use AWS Well-Architected best practices (specifically across the Reliability, Security, and Operational Excellence pillars) to reduce your operational risk. These pillars also improve the compliance coverage and security in the AWS Cloud.

Using AWS Support to accelerate ACSC ISM controls

It takes significant effort to set up ISM controls, build an operating model, address non-compliant or operational risks, and continuously monitor, remediate, report, and collect evidence. You can’t always directly map many of the people or process-related controls necessary to achieve ISM compliance to automated and technical controls in AWS services. Implement the following AWS Support solutions to broaden your capabilities across people and process controls and accelerate your journey towards ISM compliance.

Using AWS Security Incident Response

To help with multiple information security and operational risk controls, activate AWS Security Incident Response. AWS Security Incident Response helps you prepare for, quickly respond to, and recover from security events in your AWS landscape. This service can significantly address the ISM controls related to responding to cybersecurity incidents. AWS Security Incident Response combines the experience of AWS people, processes, and technology to provide the following benefits:

  • 24/7 proactive monitoring

  • Auto-triaging

  • Containment

  • Reporting of security threats or events

The service uses reports from GuardDuty and third-party detection tools through AWS Security Hub. AWS Security Incident Response adheres to the NIST Cyber Security Framework process to manage and recover from security incidents. The service also provides a comprehensive Technical Guide to help you from “Preparation” through “Recovery” within the NIST Framework. For example, the guide shows you how to conduct tabletop exercises and simulations that replicate potential scenarios, increase your capability to respond rapidly and recover effectively, and engage AWS Security experts if required. Additionally, the service provides detailed post-incident reports that offer a complete summary of case activities, suggested remediation actions, and key metrics to help improve your compliance posture.

Using AMS

To further augment and enhance your ISM controls and security posture, you can use AWS Managed Services (AMS). AMS offers a comprehensive set of proactive, preventative, detective, and hands-on remediation capabilities that address many of the ISM controls without constraining your agility. With this support, you can focus on innovation.

AMS provides controls through automated deployment and remediation of 96 “AMS Accelerate” AWS Config rules. The rules align with major security frameworks, including PCI, NIST, HIPAA, and CIS. When you specifically map these AMS Accelerate rules to the 130 unique AWS Config rules in the ACSC ISM Conformance Pack, AMS Accelerate covers 54 out of 130 (41.5% coverage) from the start. You can see more information about this coverage in Table 1 of the Appendix.

AMS can also help implement, monitor, report, and remediate the 76 remaining controls on demand. This provides 100% coverage against the AWS defined technical security controls. The combination of built-in and on-demand features includes:

  • Continuous monitoring

  • Automated remediation

  • Compliance reporting capabilities

These features significantly reduce the operational overhead while maintaining robust security controls.

AMS has achieved compliance certifications and attestations against numerous industry frameworks, such as HIPAA, SOC, ISO/IEC 27001:2022, FedRAMP, NIST, PCI DSS, GDPR, and IRAP. IRAP compliance for a service provider is required by the ISM’s “Assessment of managed service providers” control. AMS comes with proactive AWS infrastructure monitoring, 24/7 incident management, 24/7 security monitoring, and incident remediation (aligned with the NIST 800-61 guide). AMS also includes built-in security and compliance guardrails, patching, backup, logging, and reporting capabilities. These capabilities help you manage operational risks, limit disruptions, and continuously improve security in the AWS Cloud.

When you specifically map these capabilities to the non-technical control objectives in the ISM standard, AMS supports and helps customers in meeting compliance across all six ISM risk categories.

ISM expects customers to clearly define and own the information security-related roles and responsibilities, policies and procedures, risk management, and asset classifications. However, to augment your security risk and compliance team, AMS Security experts can provide an additional layer of governance through ongoing reporting, consultation, and incident management. Find AMS security management and compliance reports, such as FedRAMP, NIST, and CIS, in AWS Artifact. These resources describe how AMS supports these controls.

Summary

To help customers continually assess, monitor, and improve their security and operational resilience posture to meet ISM expectations, AWS provides many services, written guidance, and managed support options. These options include AWS services such as AWS Config, Audit Manager, and AWS Detection and Response services. This support also includes AWS Well-Architected Framework, resources, specific ISM-related guidance, and other artifacts.

For people and process-related controls that require resource augmentation, ISM-regulated entities can use AWS Support solutions, such as Security Incident Response or AMS. Beyond providing security controls, AMS also extends control coverage to the operational and organizational aspects that documentation typically demonstrates. This coverage includes established procedures, data gathering, governance frameworks, and compliance reporting. This dual capability makes AMS valuable for organizations that want to accelerate their ISM compliance journey, reduce operational risk, and improve their security posture in AWS.

To learn more about the various AWS Support solutions available to help you accelerate and maintain your security and operational resilience, contact your AWS Technical Account Manager (TAM) or see AWS Enterprise Support.

Appendix

Table 1: AMS controls mapping to ACSC ISM

| ISM topics | Control # | AWS Config rule | AWS service |
|---|---|---|---|
| Web application interactions | 1552 | acm-certificate-expiration-check | AWS Certificate Manager (ACM) |
| Web application interactions | 1552 | alb-http-to-https-redirection-check | Application Load Balancer |
| Encrypting data at rest | 459 | api-gw-cache-enabled-and-encrypted | API Gateway |
| Web proxy event logging, Centralized event logging facility, Privileged access to systems | 261, 1405, 1509, 1650, 1661 | api-gw-execution-logging-enabled | API Gateway |
| Centralized event logging facility, Privileged access to systems | 1405, 1509, 1650, 1661 | cloud-trail-cloud-watch-logs-enabled | CloudTrail |
| Encrypting data at rest | 459 | cloud-trail-encryption-enabled | CloudTrail |
| Centralized event logging facility, Privileged access to systems, Multi-factor authentication | 1405, 1509, 1650, 1661, 1683 | cloudtrail-enabled | CloudTrail |
| Centralized event logging facility, Privileged access to systems, Software interaction with databases | 1405, 1509, 1536, 1650, 1661 | cloudtrail-s3-dataevents-enabled | CloudTrail |
| Performing and retaining backups, Testing restoration of backups | 1511, 1515, P9 | db-instance-backup-enabled | Amazon Relational Database Service (Amazon RDS) |
| Capacity and availability planning and monitoring for online services | 1579 | dynamodb-autoscaling-enabled | Amazon DynamoDB |
| Performing and retaining backups | 1511 | dynamodb-pitr-enabled | DynamoDB |
| Centralized event logging facility | 1985 | ebs-snapshot-public-restorable-check | Amazon Elastic Block Store (Amazon EBS) |
| Encrypting data at rest | 459 | ec2-ebs-encryption-by-default | Amazon Elastic Compute Cloud (Amazon EC2) |
| Separate privileged operating environments, Application control, Mitigating known vulnerabilities | 1380, 1657, 1690, 1691, 1693 | ec2-instance-managed-by-systems-manager | Amazon EC2 |
| Separate privileged operating environments, Application control, Mitigating known vulnerabilities | 1380, 1490, 1657, 1690, 1691, 1693 | ec2-managedinstance-association-compliance-status-check | Amazon EC2 |
| Patch management processes and procedures, Cessation of support, Mitigating known vulnerabilities | 298, 1501, 1694, 1695 | ec2-managedinstance-patch-compliance-status-check | Amazon EC2 |
| Encrypting data at rest | 459 | efs-encrypted-check | Amazon Elastic File System (Amazon EFS) |
| Performing and retaining backups, Testing restoration of backups | 1511, 1515, P9 | elasticache-redis-cluster-automatic-backup-check | Amazon ElastiCache |
| Encrypting data at rest | 459 | elasticsearch-encrypted-at-rest | OpenSearch |
| Web application interactions | 1552 | elb-acm-certificate-required | AWS Certificate Manager |
| Web proxy event logging, Centralized event logging facility, Privileged access to systems | 261, 1405, 1509, 1650, 1661 | elb-logging-enabled | Elastic Load Balancing |
| Encrypting data at rest | 459 | encrypted-volumes | Amazon EBS |
| Hardening operating system configurations | 380 | iam-group-has-users-check | AWS Identity and Access Management (IAM) |
| Protecting credentials | 1402 | iam-password-policy | IAM |
| Separate privileged operating environments | 1380, P10 | iam-policy-no-statements-with-admin-access | IAM |
| Multi-factor authentication, Separate privileged operating environments | 1173, 1380, 1401, 1504, 1679, 1680, 1681 | iam-root-access-key-check | IAM |
| Separate privileged operating environments | 1380, P11 | iam-user-group-membership-check | IAM |
| Multi-factor authentication | 974, 1173, 1401, 1504, 1679, 1680, 1681 | iam-user-mfa-enabled | IAM |
| Suspension of access to systems | 1404 | iam-user-unused-credentials-check | IAM |
| Multi-factor authentication | 974, 1173, 1401, 1504, 1679, 1680, 1681 | mfa-enabled-for-iam-console-access | IAM |
| Centralized event logging facility, Privileged access to systems | 1405, 1509, 1650, 1661 | multi-region-cloudtrail-enabled | CloudTrail |
| Network environment | 1271 | rds-instance-public-access-check | Amazon RDS |
| Capacity and availability planning and monitoring for online services | 1580 | rds-multi-az-support | Amazon RDS |
| Encrypting data at rest | 459 | rds-snapshot-encrypted | Amazon RDS |
| Encrypting data at rest | 459 | rds-storage-encrypted | Amazon RDS |
| Centralized event logging facility, Privileged access to systems, Database event logging | 1405, 1509, 1537, 1650, 1661 | redshift-cluster-configuration-check | Amazon Redshift |
| Separate privileged operating environments, Mitigating known vulnerabilities | 298, 1380, 1690, 1691, 1693 | redshift-cluster-maintenancesettings-check | Amazon Redshift |
| Communications between database servers and web servers | 1277 | redshift-require-tls-ssl | Amazon Redshift |
| Administrative Infrastructure | 1388 | restricted-common-ports | Security groups |
| Multi-factor authentication | 1173, 1401, 1504, 1679, 1680, 1681 | root-account-hardware-mfa-enabled | IAM |
| Multi-factor authentication | 1173, 1401, 1504, 1679, 1680, 1681 | root-account-mfa-enabled | IAM |
| Centralized event logging facility, Privileged access to systems, Multi-factor authentication | 1405, 1509, 1650, 1661, 1683, P8 | s3-bucket-logging-enabled | Amazon S3 |
| Centralized event logging facility | 1985 | s3-bucket-public-read-prohibited | Amazon S3 |
| Centralized event logging facility | 1985 | s3-bucket-public-write-prohibited | Amazon S3 |
| Performing and retaining backups, Testing restoration of backups | 1511, 1515 | s3-bucket-replication-enabled | Amazon S3 |
| Encrypting data at rest | 459 | s3-bucket-server-side-encryption-enabled | Amazon S3 |
| Data encryption | P7 | s3-bucket-ssl-requests-only | Amazon S3 |
| Performing and retaining backups, Testing restoration of backups | 1511, 1515 | s3-bucket-versioning-enabled | Amazon S3 |
| Encrypting data at rest | 459 | sagemaker-endpoint-configuration-kms-key-configured | SageMaker |
| Encrypting data at rest | 459 | sagemaker-notebook-instance-kms-key-configured | SageMaker |
| Centralized event logging | P5 | securityhub-enabled | Security Hub |
| Encrypting data at rest | 459 | sns-encrypted-kms | Amazon SNS |
| Gateway event logging, Centralized event logging facility, Privileged access to systems | 634, 1405, 1509, 1650, 1661 | vpc-flow-logs-enabled | Amazon Virtual Private Cloud (Amazon VPC) |
| Administrative Infrastructure | 1388 | vpc-sg-open-only-to-authorized-ports | Amazon VPC |

Note: The use of AWS services, such as Audit Manager, sample AWS Config compliance packs, AWS Support solutions, or others related to compliance standards and industry benchmarks such as ISM, is designed to accelerate your compliance with a specific governance standard. These services and solutions don’t replace your internal efforts and don’t guarantee that you will pass a compliance assessment.

About the authors

Nitin Verma
Nitin is a Principal Solutions Architect who specializes in cloud operations and AWS Support solutions. He helps customers achieve operational excellence in the AWS Cloud. He has over a decade of experience in cloud migration, modernization, and DevSecOps. You can follow him on LinkedIn.

Julian Busic
Julian is a Security Solutions Architect for AWS with a focus on regulatory engagement. He works with AWS customers, their regulators, and AWS teams to help customers raise the bar on secure cloud adoption and usage. Julian has over 15 years of experience working in risk and technology across the financial services industry in Australia and New Zealand.