
Part of Cloud security – good practice guide

5. Step 3 - implement

Having decided that you wish to utilise public cloud to host your system, you need to:

  • select a cloud provider that meets the required security standards
  • apply the security controls that are under your responsibility

Using public cloud means that responsibility for security is shared. The cloud provider must ensure that their service is appropriately secure, and you must have confidence that it is. Similarly, you as the service user are responsible for ensuring that the way you implement the solution on that service is appropriately secure. This is often referred to as the shared (or joint) responsibility model.

Appendix A lists the minimum standards the cloud provider must meet and how you should implement the solution. These are structured around the National Cyber Security Centre’s (NCSC) 14 Cloud Security Principles.

Against each principle is the recommended approach and specific guidance, dependent on the risk classification (see note 1 below).


5.1 Select a cloud provider

Choose a cloud provider that meets the minimum security standards specified in appendix A. Each of the 14 principles has a section entitled 'The cloud provider should', which lists a set of minimum standards. You only need to require the standards that correspond to your risk score. For example, if your risk score is Class 2, then in the example above the cloud provider only needs to meet requirement 1; if your risk score is Class 4, then they need to meet requirements 1 and 2.

You can buy cloud services through the G-Cloud Framework on the Digital Marketplace. Cloud services are listed on the Digital Marketplace alongside information and evidence submitted by vendors on how they perform against the National Cyber Security Centre’s Cloud Security Principles. Vendor self-assessment is not always sufficient: you may need to request further information or evidence from the supplier to be confident that they meet the recommended standards.


5.2 Apply security controls

Similarly, you must implement controls in line with the recommendations listed in appendix A.

Each of the 14 principles has a section entitled 'The service user should', which lists a set of minimum implementation standards. You only need to adopt the standards that correspond to your risk score. For example, if your risk score is Class 2, then in the example above you have no controls to apply; if your risk score is Class 4, then you need to meet requirements 1 and 2.


5.3 Documentation

It's important that a complete set of documentation is kept for audit purposes, to demonstrate that appropriate due diligence has been exercised with regard to where and how data is hosted.

Therefore, document and retain:

  • evidence that the supplier meets the standard
  • evidence that you have implemented the controls
  • cloud contract(s), showing that they comply with UK law and setting out the duties and obligations that have been agreed

1. Principle 2.6 - Physical resilience and availability uses the service category (B)ronze, (S)ilver, (G)old and (P)latinum, rather than Cat I to V, to determine which minimum standards and controls need to be in place.


Last edited: 1 March 2022 7:30 am