In April, the Government Security Classification scheme changed. The updated OFFICIAL, SECRET and TOP SECRET classifications provide an opportunity to make the security assurance process for G-Cloud services simpler.
Impact Levels are no longer relevant to describe the security properties and accreditation of different services. Instead, in the OFFICIAL tier, we will be adopting the Cloud Security Principles. Buyers should be choosing a service that meets their requirements and then deciding if a higher level of security is required or not.
Assure, Choose, Reuse
Suppliers will complete a number of pre-defined security statements asserting how their services meet the Cloud Security Principles.
Buyers will have greater awareness of the security detail of the services in the Digital Marketplace.
Suppliers can use existing supporting security assurance evidence, while using additional or different supporting approaches as and when new evidence is available. It is the intention that buyers can reuse the risk management work of other buyers, reducing time and effort.
The new process will make it clearer, simpler and faster to find a service on the Digital Marketplace that meets a buyer’s requirements. It will also reduce the time and cost for suppliers and emphasise finding a service that suits the buyer’s needs.
- Suppliers will assert how they meet the Cloud Security Principles by selecting a predefined answer for a range of questions that meet the Cloud Security Principles.
- Suppliers will then be required to provide evidence and documentation to support their assertion.
- These self-assertion statements will form part of the Supplier’s service entry on the Digital Marketplace.
- Buyers will be able to assess and compare services with a view as to what meets their specific requirements.
- Suppliers will be able to continuously update the assertion statements, ensuring that Buyers have the latest information.