#Accreditcamp

G-Cloud Security Working Group

UNCLASSIFIED
Agenda
•   Welcome
•   Programme update
•   What is accreditation for?
•   Why Pan Government Accreditation?
•   The process
•   Buying a service with Pan Government Accreditation
•   The IA guidance
•   Questions
Programme update
• G-Cloud II
   – Award
   – Assurance
• G-Cloud III?
• CloudStore
• Sales
What is accreditation for?
• Government must make sure the information systems we use
  will protect the information they handle, and function as and
  when they need to. Accreditation is the formal assessment of
  the system against its information assurance requirements
• Security accreditation is required for services which will hold
  information assessed at Business Impact Level profiles
  1-1-x/2-2-x, 3-3-x and above (for G-Cloud this is often shortened
  to “IL1”, “IL2” & “IL3”)
• IL0 services do not need accreditation
Why Pan Government Accreditation?
• Central accreditation results in a service which can be
  procured by multiple customers
• We want to do it once, get it right first time, and share the
  benefits across government (in some cases this might be
  ‘most’ of the IA)
• For suppliers this will mean a reduced time to market and
  lower cost of accreditation if multiple customers buy the
  service
• G-Cloud SIRO and PSN SIRO authorise the work of the
  Public Sector Accreditation Board (PSAB) and Pan
  Government Accreditors (PGAs)
The process
Initiation of accreditation
• Suppliers must complete a scoping template for each service
  requiring accreditation
• Also, if relevant, our Data Protection Act (DPA) checklist
• These can be submitted for the following deadlines to the
  programme
   – 10th October, 6pm; 14th November, 6pm; 12th December, 6pm
• All services with templates completed to the necessary
  quality will be put into a pool ready for submission to the Pan
  Government Accreditation service at CESG.  We will look to
  prioritise submissions to the PGAs from this pool based on
  demand
Scoping
• Once your service has been submitted to the Pan
  Government Accreditation service you will work with an
  assigned PGA to agree the scope of your accreditation

• Once this is agreed a version of your scoping template with
  list of required evidence will be signed off by supplier and
  accreditor
Evidence & accreditation recommendation
• You will be required to gather and submit a set of evidence
  requested by the PGA. This could include at minimum:
   – RMADS: lightweight RMADS required for BIL 22x; full RMADS
     required for 33x
   – Residual Risk Statement: required for both IL22x and IL33x
     systems/services
   – Risk Register: required for both IL22x and IL33x systems/services
   – ISO/IEC 27001 certificate, report & improvement notice: required
     for IL22x systems/services
   – Security Operating Procedures (relevant to the consumer and/or
     supplier): required for both IL22x and IL33x systems/services
   – Other security related documentation such as IA conditions
     consumers are expected to meet: required for both IL22x and IL33x
     systems/services
   – Statement on personal data and a completed DPA questionnaire:
     required for both IL22x and IL33x systems/services
   – ITHC (scope and results) and other evidence of assurance (e.g. CPA
     certificate): required for both IL22x and IL33x systems/services,
     though the extent will be less for the IL22x systems/services
Evidence & accreditation recommendation
• Once reviewed and agreed the PGA will make a
  recommendation to the Public Sector Accreditation Board
  (PSAB)
• If successful the supplier will be issued with a certificate, and
  their CloudStore entry will also be updated
Evidence
• All information to be seen by the Pan Government
  Accreditor (PGA) and their advisors:
   –   Risk Management and Accreditation Document Set (RMADS),
   –   Residual Risk Statement (RRS),
   –   Risk Register,
   –   ISO27001 certification documentation
• Residual Risk Statement presented to the Public Sector
  Accreditation Board (PSAB) and part or all of the remaining
  documentation if needed
Buying a service with Pan Government Accreditation
• Consuming departments still own the information risk, but can
  rely on the work of trusted IA teams (minimising re-work on
  accreditation)

• IA team in the Public Sector consuming organisation to be
  given RMADS and RRS. Remaining documentation available
  from the supplier

• Any services procured which have not achieved pan
  government accreditation are purchased at the customer's own
  risk
Stop! Is your service ready for accreditation?
• Before any formal assurance activity is undertaken your
  service design must be in a mature design state, or at least
  developed to a state that means any security testing carried
  out is on a design that represents the final service
• If you are unsure about this contact us to discuss before
  submitting your scoping template.
G-Cloud IA Requirements & Guidance
• All guidance and templates available on the G-Cloud website
  accreditation page
• Covers
   –   Governance structures
   –   Assurance and accreditation approach
   –   Data Protection Act and Offshoring (outside of UK and EEA)
   –   Distribution of IA evidence
   –   Specific Guidance on BIL 2-2-x and 3-3-x services
   –   Accreditation scoping template
   –   Data Protection Act (DPA) Checklist for Suppliers
Data Protection Act and offshoring
• DPA checklist for suppliers, e.g.
   – guarantees that staff are trained or vetted, wherever they
     are based
   – facilities for rectification, blocking, erasure, destruction
   – guarantees about location of personal data
   – ensure high data protection standards even if data in a
     country with weak or no data protection law
• G-Cloud IA requirements use CIO Council paper on
  offshoring and international sourcing
BIL2-2-x services
• Accreditation of BIL2-2-x services centred on a suitably
  scoped ISO/IEC 27001 certified service
   – Scope agreed with the PGA
   – Scope must be unambiguous and include all elements of the service,
     e.g. onward supply chain and follow-the-moon and follow-the-sun
     operations
   – Certification through bodies recognised by UKAS, or agreed to be
     equivalent to UKAS (see note on EA MLA)
   – Expected to follow sound commercial security practice
   – ‘x’ for availability must be defined by Supplier
BIL3-3-x services
• Accreditation of BIL3-3-x services uses UK Government IA
  Standards and Guidance
   – Scope agreed with the PGA
   – Detailed IA guidance already available for BIL3 services
   – Expected to be delivered to the Public Sector through the PSN
   – Implementation of technical controls at BIL3-3-x will require a higher
     standard than those at BIL2-2-x, including more robust compliance
   – Specific guidance on geographical location; protection of
     communications and data in transit; data at rest, storage and object
     re-use; clearance and checking of staff; site inspections
   – ‘x’ for availability must be defined by Supplier
Possible questions for suppliers to consider
•   Can you adequately scope your service (follow-the-sun, follow-the-moon services,
    location to country/legal framework)?
     –   What is the ‘Service’?
     –   Retain principle of information risk ownership
     –   Do you need assured products and services?
     –   Think in layers and endpoints
     –   Be sure you are clear on the difference between the scope of each service

•   What level of assurance can you provide in your service, including security
    products within the service?

•   Who can you use to provide independent assurance (UKAS certified bodies for
    ISMSs)?

•   How will you demonstrate compliance with the DPA in a cloud service operating
    as a Data Processor?

•   How will you assist the consumer with accounting and audit and forensic
    readiness?
QUESTIONS?

G cloud presentation accreditcamp ii v2