United Kingdom G-Cloud v6 OFFICIAL

United Kingdom G-Cloud v6 OFFICIAL

Government Cloud (G-Cloud) is a UK government initiative to ease procurement of cloud services by government departments and promote government-wide adoption of cloud computing. G-Cloud comprises a series of framework agreements with cloud services suppliers (such as Microsoft), and a listing of their services in an online store—the Digital Marketplace. This enables public-sector organizations to compare and procure those services without having to do their own full review process. Inclusion in the Digital Marketplace requires a self-attestation of compliance, followed by a verification performed by the Government Digital Service (GDS) branch at its discretion.

The G-Cloud appointment process was streamlined in 2014 to reduce the time and cost to the UK government, and the government’s security classification scheme was simplified from six to three levels: OFFICIAL, SECRET, and TOP SECRET. (G-Cloud certification levels are no longer expressed as an Impact Level, or IL; Microsoft formerly held an IL2 accreditation for Microsoft Azure, Microsoft Dynamics 365, and Microsoft Office 365.)

Instead of the central assessment of cloud services previously provided, the new process requires cloud service providers to self-certify and supply evidence in support of the 14 Cloud Security Principles of G-Cloud (currently at version 6). This has not changed either the evidence Microsoft produces or the standards that the company adheres to.

Every year, Microsoft prepares documentation and submits evidence to attest that its in-scope enterprise cloud services comply with the principles, giving potential G-Cloud customers an overview of its risk environment. (As with previous G-Cloud accreditation, it relies on the ISO 27001 certification.) A GDS accreditor then performs several random checks on the Microsoft assertion statement, samples the evidence, and makes a determination of compliance.

The Crown Commercial Service (an agency that works to improve commercial and procurement activity by the government) renewed the classification of Microsoft in-scope enterprise cloud services to G-Cloud v6, covering all of its offerings at the OFFICIAL level:

  • Software as a Service (SaaS)–using the cloud to deliver applications.
  • Platform as a Service (PaaS)–using the cloud to host, develop, and test applications.
  • Infrastructure as a Service (IaaS)–using the cloud in place of servers and other hardware.
  • Cloud consulting services–helping customers get the most from the cloud.

The appointment of Microsoft services to the Digital Marketplace means that UK government agencies and partners can use in-scope services to store and process UK OFFICIAL government data, the vast majority of government data. In addition, there are now more than 450 Microsoft partners included in G-Cloud who are resellers of Microsoft cloud services. They can directly assert the compliance of in-scope services with the 14 principles in their own applications. Customers and partners, however, will need to achieve their own compliance for any components that are not included in the attestation and determination of compliance for Microsoft cloud services.

Frequently asked questions

Expand all

All UK government departments, devolved administrations, local authorities, wider public-sector bodies, and arm’s-length bodies are eligible to buy services in the marketplace. If you’re uncertain of your eligibility, consult the complete list of public-sector organizations.

It is an organization or agency that is funded by the UK government but acts independently of it.

The Microsoft Cloud in the UK provides reliability and performance combined with data residency in the UK. This provides customers with trusted cloud services that help them meet local compliance and policy requirements. In addition, replication of data in multiple datacenters across the UK gives customers geo-redundant data protection for business continuity, for both pure cloud and hybrid scenarios. We have datacenters in multiple locations across the UK.

  • You can see the new Azure regions, UK West and UK South, on the global Azure map.
  • For Office 365, the UK datacenters collectively comprise the new UK Office 365 region. You can see more on the global Office 365 map.

In addition to the UK datacenters, Microsoft cloud services are also available from datacenters in Germany, Ireland, and the Netherlands. Office 365—specifically, Exchange Online—also uses datacenters in Finland and Austria.

The Service Trust Portal provides independently audited compliance reports. You can use the portal to request audit reports so that your auditors can compare the Microsoft results with your own legal and regulatory requirements.

Audit reports and certificates

Audit cycle and effective dates

To confirm that Microsoft cloud services maintain their compliance with G-Cloud agreements, the GDS accreditor may review evidence at any time, at its discretion.

Microsoft in-scope cloud services

Expand all

Virtual Machines, Cloud Services, Batch, Web Apps (formerly Web Sites), Mobile Apps (formerly Mobile Services), Notification Hub, Storage (Blobs, Tables, Queues), SQL Database, Virtual Network, Traffic Manager, Workflow Manager, ExpressRoute, Service Bus, BizTalk Services, Active Directory, Multi-Factor Authentication, Rights Management Service, Media Services, and Scheduler

  • Dynamics 365 detailed list
  • Intune
  • Microsoft Cloud App Security
  • Office 365: Exchange Online, SharePoint Online, and Skype for Business Online
  • Power BI cloud service, either as a standalone service or as included in an Office 365 branded plan or suite

Contact Trust Center

Need help evaluating our products? Can’t find the information you need?

Looking for general technical support?

Contact Microsoft support