The questions below are based on those asked at Accreditcamp; answers have been expanded and updated, and are offered for guidance only. You must refer to the latest version of the G-Cloud IA guidance and PSN RMARD. We welcome further questions and feedback. Please contact us via the email@example.com address.
Q1: Where is the IA guidance?
A: The latest Version (1.0) is available on our accreditation page. This replaces Version 0.3 (draft).
Q2: What is the G-Cloud IA scoping document?
A: The G-Cloud programme has created a template document for suppliers to submit the proposed scope of accreditation for their service. Once an agreement has been reached between the PGA and the supplier, this is contained in the final version of the scoping document. The current version of the template is on our accreditation page.
Q3: Does my IL0 service need accreditation?
A: Business Impact Level 0 (BIL0, often referred to as IL0) services do not need to be put forward for pan government accreditation.
Q4: What about IL1 services? Do these need accreditation?
A: Yes. The guidance given for Business Impact Level (BIL) 22x is the minimum level we would expect for commercial, commoditised services to be used by the public sector where there is any impact caused by a compromise of the information. Therefore we will not make a distinction between BIL profiles 11x and 22x (often referred to as IL1 and IL2) – we will accredit them both in the same way.
Note: Read our blog entry about business impact levels if you are confused about the differences between ‘BIL’ and ‘IL’ and the different profiles.
Q5: How will I (a supplier) be contacted about accreditation?
A: We will be in contact by email from the firstname.lastname@example.org email address. If you have any questions about accreditation please also use this email address.
Q6: If a supplier is on G-Cloud, does this mean they have the required accreditation?
A: Not necessarily. A number of G-Cloud suppliers have begun the accreditation process, but to date (12/07/12) no suppliers have completed pan government accreditation. BIL0 services and the majority of Lot 4 services do not require accreditation.
As per appendix 3 of the G-Cloud Invitation to Tender (ITT), accreditation is separate to award of a Framework Agreement and also to Assurance.
Q7: I (a supplier) have ISO27001 certification and/or have accreditation through a specific department/local accreditors. Does this mean my accreditation is complete?
A: No. All services requiring accreditation need to go through the G-Cloud accreditation process. The Pan Government Accreditors will be looking at whether a service can be used across the whole of the public sector. They will need to check whether the scope of the accreditation agreed locally, or the scope of the ISO27001 certification, fits the scope needed for pan government accreditation.
Q8: Will suppliers whose services are Business Impact Level 0 be able to view the scoping document for reference?
A: Yes. This is available on the accreditation page of our website.
Q9: Is the G-Cloud accreditation process the same as the Public Services Network (PSN) process? If not, how does it differ?
A: The G-Cloud process is designed to be as similar as we can make it to PSN. G-Cloud services operating at BIL 11x/22x will be subject to an accreditation process as defined in the G-Cloud IA guidance and the PSN RMARD.
Q10: Roughly how much time and money will accreditation cost? How will G-Cloud assist smaller firms who may find the costs prohibitive?
A: We cannot help you financially with those costs. If it is prohibitive to go through accreditation you may want to focus on the lower security levels. Note that not every customer will need a service which has been accredited by the pan government accreditors.
Q11: If during accreditation a supplier is told that it needs to make some changes to their service, will G-Cloud provide assistance to that supplier, or will its G-Cloud application be automatically terminated?
A: The application would not be terminated; accreditation is separate to award of a Framework Agreement and also to assurance. A reasonable amount of advice and guidance will be available; however, we will not be able to give financial assistance.
Q12: Will the programme advise buyers of recommended levels of IL certification for services (i.e. CRM should be IL2, etc.)?
A: No. Public sector organisations operate on local risk management and risk ownership, and should already be familiar with impact levels. The IA guidance has been written for both supplier and customer communities.
Q13: Are you saying a supplier cannot sell until the service is accredited?
A: No. A supplier can sell an unaccredited service, but not to all customers for all requirements. Any services procured which have not achieved pan government accreditation are purchased at the consumer's own risk. The G-Cloud catalogue is open to the whole of the public sector. That includes very large secure government departments; it also includes third sector organisations or housing associations which aren't so worried about impact levels.
Q14: If a datacentre is List X certified will they still need to be inspected for G-Cloud pan government accreditation?
A: As part of the scoping exercise and accreditation the pan government accreditors will want to see the scope of the List X certification. A decision will be made based on this evidence.
Q15: If a supplier is a reseller of a cloud service such as those from Microsoft or Google, will those be accredited once for all, so that only the value added services or processes supplied by the reseller need to be accredited?
A: That's the aim across G-Cloud and PSN. We want to reuse existing accreditation work wherever possible. In the scoping document we ask questions which aim to draw out which components of the service reuse other services the pan government accreditors have already looked at.
Q16 and Q17 - removed, referenced a process for accreditation we are no longer using (see below)
Q18: Is the evidence set the same as an RMADS?
A: RMADS are part of the evidence set but are not necessarily all that will be required. Check the IA guidance for the full list against IL1/2 and IL3.
Q19: How does accreditation work if a G-Cloud SaaS offering is on another supplier's PaaS or IaaS service? Is an ISO27001 data centre good enough?
A: The SaaS supplier would need to consider what reliance they’re placing on the PaaS/IaaS service, and then demonstrate that all information risks have been managed appropriately (including consideration of off-shoring). The PGAs will be asking questions about where the service is run from and where the information is stored. The answer is likely to be that the PaaS/IaaS service needs to be pan government accredited.
Q20: Can our ISO27001 and/or IL2 accreditation cover the whole vertical stack (i.e. including usage of the data centre)?
A: This depends on the scope of your ISO27001 certification. If you think this can be re-used we are happy to discuss it with you, based on the information you provide to us in the scoping template.
Q21: What do I get at the end of the security accreditation process?
A: If you are successful in gaining pan government accreditation through the PSN Accreditation Panel (the body authorised by the G-Cloud SIRO to accredit G-Cloud services), you will get a certificate from the pan government accreditors.
Q22: Is it guaranteed that if I go forward for security accreditation that I will get pan government accreditation certificate?
A: No. There are no guarantees that every service will gain security accreditation.
Q23: Does the data on our service need to be UK hosted?
A: Please see the guidance given by the Cabinet Office on offshoring: Government ICT Offshoring (international sourcing) guidance. The off-shoring of IL2 information is not prohibited. There are a number of areas for CIOs to consider when reaching their decisions, such as DPA compliance. Such areas will be considered during accreditation.
Q24: Does the supplier's data centre really need to be inspected? Can an independent audit certificate suffice?
A: The requirement to allow for a site inspection is just one part of the overall package of measures needed for the accreditation of a BIL22x service. We have made our requirements as proportionate as possible for BIL22x services, but we cannot waive that right of inspection if required.
Q25: Will there be a BIL 22x assurance scheme for ICT in the same vein as CAS(T)?
A: The challenge for G-Cloud is that the services come in all shapes and sizes. We have no plans at this time to ask CESG to produce a CAS scheme for cloud services.
Note: CAS(T) is a certification scheme for telecommunications services. Read more details on the CESG CAS(T) page.
Q26: I (a SaaS supplier) am looking to host my service with a supplier that has ISO27001 certification for their data centre. Do I also need ISO27001 to achieve accreditation through G-Cloud?
A: Yes, you need to have your own ISO27001 certification. You can include in the scope of your ISO27001 certification what assurance you are getting from your IaaS provider (see also question 19).
Initiation of Pan Government Accreditation (updated August 2012)
In August 2012 the process for initiating accreditation was changed. Why?
By giving a larger pool of suppliers the opportunity to start accreditation we can work with those that are willing and ready to start. We also want to acknowledge that some suppliers may choose to wait until they have specific customer demand, or may wish to go through accreditation sequentially for their services, rather than in parallel. These suppliers will now be able to submit at the right time for them, and plan for submission deadlines in the future.
What happens if the scoping template isn’t the right quality?
The programme reviews and feeds back comments to all suppliers who submit. Once you have addressed any feedback points you can submit for the next deadline. We aim to add any common points to the Q&A, and we will also update the scoping template as and when we need to, to improve the guidance notes.
What is “necessary quality”?
The Pan Government Accreditors need to have enough information to agree the scope of your accreditation. The programme carries out an initial check to make sure you are ready for that discussion. We look at, for example: have you answered all the questions; have you answered them in adequate depth; have you written it as a technical document; and we try to pick up on common errors and omissions. The Pan Government Accreditors (PGAs) will look at the document in much more technical depth.
Where can I go for guidance?
You should review our accreditation page.
How often and how many services will be submitted from the pool to CESG?
Submission of services will be based on balancing demand on the Pan Government Accreditation service from G-Cloud, PSN and other cross-government initiatives, which will vary over time. In September 2012 we are predicting a capacity of 14 services (which will slightly vary depending on the number of IL1/2 or IL3 services). We will let you know more projections as and when we can. Across the Government programmes we’re working closely with CESG to make sure the Pan Government Accreditation service continues to have capacity to deal with demand.
How will the programme prioritise services moving from the pool to submission to the PGAs?
We will look to prioritise based on demand. We will also use the date the scoping template (to quality) was submitted to the programme.
Has anything else about the process changed?
No. This is about managing initiation of accreditation. The information and process required after this point remains the same.
Page last updated 14/8/12, EG