Australia: Cyber Security Centre released guidance for individuals and small and medium businesses on cloud shared responsibility model

On 20 October 2025, the Australian Cyber Security Centre (ACSC) released guidance on the cloud shared responsibility model for individuals and small and medium businesses. It outlines how security responsibilities are divided between customers and cloud service providers (CSPs), depending on the type of service used. CSPs are accountable for securing infrastructure and third-party operations, while customers must safeguard their data, control user access, maintain software and device security, and prepare for incident response. The guidance advises selecting reputable, secure-by-default CSPs that offer clear SRM documentation and IRAP assessments, and reviewing settings for backups, authentication, and logging. It complements the ACSC’s executive guidance for organisations with cyber risk management processes.