Cloud Security & Assurance
A bespoke cloud assurance framework based on the Cloud Security Alliance Cloud Controls Matrix, mapped to the NCSC’s 14 Cloud Security Principles and tailored to MOD and Government expectations.
Problem Statement
Our customer, a key supplier for government construction projects, is obligated to uphold stringent cyber security and assurance standards in accordance with government contract requirements. As part of a broader initiative to enhance cyber resilience across the public sector supply chain, the customer must ensure that all cloud-based applications used to store and process Ministry of Defence (MOD) and other Government data are appropriately secured and assured.
This includes conducting comprehensive assurance activities to validate the security posture of each application, ensuring compliance with relevant government frameworks and standards. The work is critical to maintaining the confidentiality, integrity, and availability of customer information, and to demonstrating due diligence and audit readiness across all digital platforms in use.
Project Objectives
To design and implement a cloud application assurance framework that meets the security and assurance requirements for processing and storing MOD and wider Government data classified at OFFICIAL, including information carrying the OFFICIAL-SENSITIVE handling caveat. The framework must:
Integrate with internal governance processes and existing assurance workflows
Minimise operational impact
Ensure appropriate controls are in place across all cloud applications and services
Align with Secure by Design initiatives
Be fully documented to support audit readiness and future external assurance mechanisms
Approach
To address the assurance of cloud applications handling MOD and Government data, our approach began with a structured discovery and analysis phase. This involved a detailed review of the client’s existing cloud usage, security processes, and assurance mechanisms. We engaged with key stakeholders to understand how cloud services were being used to store and process up to OFFICIAL-SENSITIVE information, and to assess the maturity of existing governance and risk management practices.
In parallel, we conducted a comprehensive analysis of applicable MOD and Government security requirements. This included reviewing:
Security Aspects Letters (SALs) issued under the relevant contracts
Government Functional Standard GovS 007: Security
Industry Security Notice 2024/06
These documents provided clear direction that cloud services must be secured in accordance with the NCSC Cloud Security Principles.
Although the client held ISO 27001 certification, the discovery and analysis phase revealed that cloud-specific security had received limited attention within the existing ISMS: the certified scope covered information security management in general, but not the controls that are particular to consuming cloud services. Given the growing reliance on cloud services to store and process customer data, and the heightened expectations from MOD and Government stakeholders, we identified a need for a more targeted assurance approach.
Extending the certified ISMS with the cloud-specific controls of ISO/IEC 27017 was considered, but the associated cost and implementation overhead made it impractical for the client at that time.
Instead, we adopted the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) as the foundation for a bespoke cloud assurance framework. The CCM provided a comprehensive and widely recognised set of cloud-specific controls, which we mapped directly against the 14 NCSC Cloud Security Principles so that evidence gathered against a CCM control could be presented in the terms the SALs and GovS 007 require. The resulting framework was designed to be flexible, allowing the client to prioritise controls based on risk, maturity, and operational context.
Importantly, the framework was structured in line with the shared responsibility model, clearly delineating security obligations between the cloud service provider and the client for each control. This ensured that assurance activities addressed both the provider-managed and the customer-managed elements of the cloud stack, so that a control was not treated as satisfied simply because the provider holds a certification when its effectiveness depended on client-side configuration, supporting a balanced and pragmatic approach to compliance and risk management.
Outcomes
The bespoke cloud assurance framework itself: CSA Cloud Controls Matrix controls mapped to the NCSC's 14 Cloud Security Principles, structured around the shared responsibility model and tailored to MOD and Government expectations.
A clear, risk-based prioritisation model that enabled the client to focus assurance efforts on the most critical controls, while maintaining flexibility to scale or adapt as needed.
An integrated assurance process that aligned with the client’s existing ISMS and workflows, minimising disruption while enhancing visibility and control over cloud-based risks.
Improved audit readiness and demonstrable compliance with MOD and Government cloud security requirements.
Strengthened organisational confidence in the secure use of cloud services for handling OFFICIAL and OFFICIAL-SENSITIVE information, supporting both current and future government contracts.