UKCloud: Leading with information security.

UKCloud provides robust, flexible, cost-efficient public cloud services, designed specifically to meet the needs of public sector organisations. Formed in 2011 and headquartered in Hampshire, UK, the company has grown to over 160 employees, with an enviable portfolio of accreditations and certifications to support its business objectives and professionalism.

Information security is imperative to UKCloud and their whole business model relies on the assurance provided by certification. Alongside public sector and vendor-based certifications, UKCloud has been certified by us to ISO 9001 for Quality Management, ISO 20000 for IT Service Management and ISO 27001 for Information Security Management. Our client also has a statement of verification to ISO 27018:2014 for Personal Data in Cloud Environments.

Serving the public sector, UKCloud is committed to continually demonstrating the highest levels of governance and assurance to their customers and their accreditors. With information security breaches on the rise, users of cloud-based services were looking for assurances on the safety of their personally identifiable information (PII). CloudUK wanted to continue to lead in information security and asked us our help as a UKAS-approved certification body to meet ISO 27018:2014. This was a new challenge; the company would be the first to achieve a statement of verification from us for this standard.

Our industry-leading experience of ISO standards, capabilities and unique methodology helped UKCloud achieving their statement of verification to ISO 27018:2014, the code of practice for the protection of PII in the cloud.

A key area here was employee and executive management support. UKCloud is very switched on to establishing and maintaining comprehensive, effective standards-based management systems, backed by top management. Staff as a consequence are very security conscious. Measures include:

• formal induction training for all new personnel as soon as they join the company

• refresher training sessions at regular intervals

• regularly participation in external assessments undertaken by us by a cross-section of all UKCloud employees.

UKCloud was generous enough to provide five top tips for organisations thinking about certification, from a client’s perspective.

1. Make sure your organisation understands the certification it is setting out to achieve, and is prepared to provide the management, resources, assets and time that will be required to complete the certification process successfully.

2. Plan early. Purchase a copy of the applicable management system standard so that you can see exactly what is required, and what activities are likely to be assessed.

3. Resource carefully. Do you have an in-house capability with the relevant experience to steer your certification programme to a successful conclusion? You may decide to ask LRQA to undertake a gap analysis to check if you are ready for the formal audit.

4. Assess your provider against other certification bodies such as LRQA, and compare their professionalism, experience and supporting services against others to ensure your decision is justified.

5. “It’s not about simply hanging a certificate on the boardroom wall.” A well-implemented management system will improve the efficiency of your organisation, demonstrate your capability and professionalism to customers, and help ensure that you are properly prepared for many of the challenges and risks facing today’s businesses.

“The delivery of secure IT services requires constant awareness of changes to best practice, developments in technical solutions and the ever-increasing range of threats and vulnerabilities that seek to compromise data. Without an established and accepted framework, promoting a risk-based approach, it would be difficult to ensure that such issues are being identified, understood and successfully managed.”

John Godwin

Director of Compliance & IA, UKCloud