G-Cloud and ISO27001 – All 27001 Certificates Are NOT The Same

iStock_000021358032XSmall

UPDATE June 2015: Since the original publication of this article, the Government’s approach to G-Cloud security has significantly changed. Please refer to this article instead – it explains the new security assertions process introduced with G-Cloud 6. To keep in touch with future developments why not sign-up to receive our regular news .

Contrary to a popular myth, 270001 certification does not automatically mean easy G-Cloud accreditation . All 27001 certificates are NOT the same. If you’re thinking of gaining ISO27001 to support your G-Cloud accreditation this article will help you get it right first time.

Busting the ISO27001 / G-Cloud myth

You may have a shiny new ISO27001 Certificate hanging on the wall and feel justifiably proud of your achievement. If you are on the G-Cloud Framework or are planning on joining, the next stage is to fill the space next to it with a nice G-Cloud Accreditation Certificate. That shouldn’t be too much problem should it, after all your ISO27001 Certificate says you are compliant with the standard and that’s all they’re after right?

Sorry, think again!

27001 is the basis for G-Cloud accreditation, but not all ISO27001 certificates are equal in the eyes of the all-seeing Pan Government Accreditor (PGA) responsible for G-Cloud Accreditation. Keep your eye on the goal. Start your 27001 journey with an eye the real goal – G-Cloud accreditation.

How to get it right first time

  1. The devil is in the detail. The PGA will only accept ISO27001 Certificates that have been issued by a UKAS recognised organisation including the European equivalent provided by the European co-operation for Accreditation (EA). Full details of recognised organisations are provided by UKAS . If your ISO27001 certificate is not from one of these organisations then you may as well take it down and start again.
  2. Be careful about scope. When presenting your UKAS recognised ISO27001 certificate to the PGA, the first thing that will come up for scrutiny will be the scope. The PGA will expect to see the complete range of the services being submitted for accreditation included in the scope. If you already have 27001 certification, it is nigh on essential to review the scope. If it doesn’t support the entire service delivery you will get knocked back and may have to recertify.
  3. Write for your audience. Help the PGA understand how security is managed within your organisation. The PGA will have intimate knowledge of government policies and standards and will be expecting to see the same type of information reflected in the way you describe security handling of government information. As HMG is the customer, align your policies with the Baseline Control Set (BCS) – the HMG equivalent of ISO27002 (best practice for implementing an ISO 27001 certified ISMS).
  4. Don’t go for a tick box solution. If you’re ultimate goal is GCloud, don’t be tempted to go for ISO27001 in a box. There are plenty of these cheap, lightweight solutions out there. You’ll get something to hang on the wall and shout about on your website but it won’t add value to your company’s information risk posture and won’t pass muster when it comes to meeting the PGAs requirements for GCloud. The tick box path is a false economy. Make sure you don’t have to go through the frustration of doing 27001 twice – get it right first time.

Sounds too complicated? Remember the benefits

Admittedly gaining G-Cloud accreditation is not a simple process. There are checks and balances in place for very sensible reasons but the rewards could be really worthwhile: multiple government departments making use of your G-Cloud offering without having to worry about security accreditation because you’ve already done the hard work and had it validated as acceptable – that’s what accreditation means (in case you didn’t know!).

So, why not start off on the right foot and closely examine how to implement ISO27001 that is in tune with HMG requirements and in a way that is going to really benefit your organisation? The benefits should not only include the commercial ones associated with G-Cloud but also the improvements to your whole information risk management processes which are only going to strengthen your business.


Article by Dave James , MD of Ascentor.

Other content you might like: