The UK government’s G-Cloud framework makes it faster and cheaper for the public sector to buy Cloud services. Suppliers are approved by the CCS (Crown Commercial Service) via the G-Cloud application process, which eliminates the need to go through a full tender process for each buyer.
Suppliers can sell Cloud services via an online catalogue called the "Digital Marketplace" under three categories, or ‘lots’:
- Cloud hosting – Cloud platform or infrastructure services.
- Cloud software – applications that are accessed over the Internet and hosted in the Cloud.
- Cloud support – services to help buyers set up and maintain their Cloud services.
Becoming a G-Cloud supplier
The Digital Marketplace helps organisations sell Cloud technology and digital specialist services to the UK government. Suppliers can sell services through framework agreements with the government.
Suppliers can use the G-Cloud framework to:
- Sell Cloud technology and support (e.g. web hosting and IT health checks); and
- Provide skilled expertise to work on digital projects (e.g. technical architects and web designers).
Suppliers can apply to sell services when a new version of a framework is published on the OJEU (Official Journal of the European Union).
Providers don’t need to be based in the UK to apply, but must agree to the terms of the framework agreement and call-off contract, which are governed by British law.
The four steps to becoming a G-Cloud supplier
- The supplier submits the services it wants to supply.
- The government creates a framework agreement with the eligible supplier.
- The government conducts an assurance review of the supplier.
- The supplier is accepted into the Digital Marketplace.
Prospective suppliers are required to create an online profile on the Digital Marketplace website.
Delivering assurance on the Cloud Security Principles
The G-Cloud framework allows the client to decide which of the 14 Cloud Security Principles are most important, and which level of assurance they require in implementing these principles. Suppliers may be required to deliver assurance on any of the 14 principles.
There are a number of common approaches that can be used to assure the Cloud Security Principles, and these can be used in combination to provide greater assurance to customers.
1. Service provider assertion
The service provider (supplier) describes how its service complies with the implementation objectives, but does not provide independent validation of compliance.
The assertion gives information about:
- The service provider’s level of maturity around security;
- The existence of an in-house security team; and
- Proactive testing and historical evidence of responding to security issues.
Suppliers should provide demonstrable evidence of implemented controls.
2. Independent validation of assertions
This approach has some shortcomings, because the third-party review may not be performed to a recognised standard. This means that the assessment might not thoroughly assess the security delivered by the implementation of the Cloud Security Principles. Suppliers will need to instil confidence that the third party has carried out adequate testing and has the right skills to undertake such a review.
The service provider holds a certificate of compliance with a recognised standard.
A shortcoming with this assurance approach, according to the NCSC (National Cyber Security Centre), is that, depending on the standard or certification, the scope of certification might not address the implementation objectives of the specific Cloud Security Principle. This is because the auditor only needs to verify that controls exist (for instance, as detailed in a policy/procedure), and does not verify that said controls are present and effective.
Certification and implementation of controls are reviewed by a qualified individual
A suitably qualified individual (such as an NCSC CCP ‘Accreditor’ or ‘IA Auditor’ at senior or lead level, or a recognised information security subject matter expert) reviews the scope of the certification and the implementation of the controls.
This approach provides a higher degree of confidence that the service meets the stated objectives through certification against an appropriate standard.
If the supplier holds accredited ISO 27001 certification, an additional audit may not be necessary.
3. Independent testing of implementation
Independent testers demonstrate that controls are correctly implemented and objectives are met in practice.
- Independent penetration tests can establish whether the implementation of controls achieves the objectives. Independent testing reduces the reliance on supplier assertions. Testers should have appropriate industry-recognised qualifications.
- IT Governance is a CREST-accredited provider and meets the requirements for independent testing.
- The test results will reflect a service at a particular moment in time. As a service evolves, it will need to be regularly retested.
- A suitably qualified individual reviews the scope of testing.
- Validation should make sure that all service-impacting controls are within the scope of testing. The skills and experience of the qualified reviewer will affect the confidence that can be placed in the review.
IT Governance takes pride in the qualifications, expertise and track record of its testing and information assurance audit professionals.
4. Assurance in the service design
A qualified security architect is involved in the design or review of the service architecture.
Service providers can source experts with suitable qualifications, such as a CCP-certified ‘IA Architect’ at senior or lead level, to secure the required confidence in the reviewer’s ability. Reviewing the design of the service architecture (and the implementation of its recommendations) will give confidence that:
- The architecture defends against common attacks;
- The proposed security controls are appropriate; and
- The proposed architecture would allow effective secure operation of the service.
Such a review does not verify that components have been properly configured, or that the components are correctly or robustly implemented.
5. Assurance in the service components
Independent assurance in the components of a service (such as the products, services and individuals that a service uses).
Misconfiguration or misuse of the product can undermine any assurance gained. Independent security testing can be used to address this issue. The assurance of the component needs to be relevant to its use within the service. Independent testing of systems and components can help iron out any configuration or misuse issues and provide assurance to potential clients.
Foundation-level assurance provides a good level of security for all products, services and individuals within the scope of the G-Cloud service offering – contact IT Governance for assistance.
ISO 27001 and G-Cloud assurance
Under the new G-Cloud Security Approach, a supplier can use a suitably scoped ISO 27001:2013 accredited certification as independently validated supporting evidence that the supplier’s assertions for a number of Cloud Security Principles objectives are true.
Because ISO 27001:2013 certification alone does not meet the NCSC’s assurance requirements to support all the assertions, however, a combination of evidence is required, such as additional testing and audits, which can be carried out by our team of qualified professionals.
It is important to note that the ISO 27001 certificate must be awarded by a recognised certification body, such as UKAS.
Find out more about ISO 27001 certification