Microsoft and UK G-Cloud
Every year, Microsoft prepares documentation and submits evidence to attest that its in-scope enterprise cloud services comply with the principles, giving potential G-Cloud customers an overview of its risk environment. (As with previous G-Cloud accreditation, it relies on the ISO 27001 certification.) A GDS accreditor then performs several random checks on the Microsoft assertion statement, samples the evidence, and makes a determination of compliance.
The appointment of Microsoft services to the Digital Marketplace means that UK government agencies and partners can use in-scope services to store and process UK OFFICIAL government data, the vast majority of government data. In addition, there are now more than 450 Microsoft partners included in G-Cloud who are resellers of Microsoft cloud services. They can directly assert the compliance of in-scope services with the 14 principles in their own applications. Customers and partners, however, will need to achieve their own compliance for any components that are not included in the attestation and determination of compliance for Microsoft cloud services.
Learn more about the benefits of United Kingdom G-Cloud v6 on the Microsoft Cloud.
Learn how to accelerate your United Kingdom G-Cloud v6 deployment with our Azure Security and Compliance Blueprint.
Microsoft in-scope cloud services
- Azure detailed list
- Cloud App Security
- Dynamics 365 detailed list
- Microsoft Flow cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Office 365: Exchange Online, SharePoint Online, and Skype for Business Online
- PowerApps cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite
Audits, reports and certificates
To confirm that Microsoft cloud services maintain their compliance with G-Cloud agreements, the GDS accreditor may review evidence at any time, at its discretion.
Accelerate your deployment of UK G-Cloud solutions on Azure
Moving your government services to the cloud is now easier than ever using the Azure Security and Compliance UK Blueprint. This blueprint provides guidance and automated scripts that will get you started building compliant solutions today.
UK G-Cloud Overview
Government Cloud (G-Cloud) is a UK government initiative to ease procurement of cloud services by government departments and promote government-wide adoption of cloud computing. G-Cloud comprises a series of framework agreements with cloud services suppliers (such as Microsoft), and a listing of their services in an online store—the Digital Marketplace. This enables public-sector organizations to compare and procure those services without having to do their own full review process. Inclusion in the Digital Marketplace requires a self-attestation of compliance, followed by a verification performed by the Government Digital Service (GDS) branch at its discretion.
The G-Cloud appointment process was streamlined in 2014 to reduce the time and cost to the UK government, and the government’s security classification scheme was simplified from six to three levels: OFFICIAL, SECRET, and TOP SECRET. (G-Cloud certification levels are no longer expressed as an Impact Level, or IL; Microsoft formerly held an IL2 accreditation for Microsoft Azure, Microsoft Dynamics 365, and Microsoft Office 365.)
Instead of the central assessment of cloud services previously provided, the new process requires cloud service providers to self-certify and supply evidence in support of the 14 Cloud Security Principles of G-Cloud. This has not changed either the evidence Microsoft produces or the standards that the company adheres to.
Assess your GDPR compliance
Find out if your organization meets personal data protection requirements. Take our quick, interactive 10-question evaluation to assess your readiness to comply with the GDPR today.
Frequently asked questions
All UK government departments, devolved administrations, local authorities, wider public-sector bodies, and arm’s-length bodies are eligible to buy services in the marketplace. If you’re uncertain of your eligibility, consult the complete list of public-sector organizations.
It is an organization or agency that is funded by the UK government but acts independently of it.
The Microsoft Cloud in the UK provides reliability and performance combined with data residency in the UK. This provides customers with trusted cloud services that help them meet local compliance and policy requirements. In addition, replication of data in multiple datacenters across the UK gives customers geo-redundant data protection for business continuity, for both pure cloud and hybrid scenarios. We have datacenters in multiple locations across the UK.
In addition to the UK datacenters, Microsoft cloud services has data centers in multiple locations. For the most up to date list of all centers visit our data location page.