Cloud Security Principles – Part 4 – Governance Framework

Posted on 15 September 2017

In our ongoing series of blog posts looking at the 14 National Cyber Security Centre’s Cloud Security Principles, we will be looking at creating a governance framework.

Having an effective governance framework in place will ensure that procedure, personnel, physical and technical controls continue to work through the lifetime of a service. It should also respond to changes in the service, technological developments and the appearance of new threats.

You should have sufficient confidence that the service you choose has a governance framework and processes which are appropriate for your intended use.

What should be included

A good governance framework will typically provide:

  • A clearly identified, and named, person with the direct delegated authority who is responsible for the security of the cloud service. This is typically someone with the title ‘Chief Security Officer’, ‘Chief Information Officer’ or ‘Chief Technical Officer’.
  • A documented framework for security governance, with policies governing key aspects of information security relevant to the service.
  • Security and information security are part of the service provider’s financial and operational risk reporting mechanisms, ensuring that the board would be kept informed of security and information risk.
  • Processes to identify and ensure compliance with applicable legal and regulatory requirements.


There are two approaches to implementing a governance framework:

  1. Assertion that the goals are met – The service provider asserts the 4 points above are met. As with all service provider assertions, you would need to decide whether you are content with the level of confidence this gives you.
  2. Conformance with a recognised standard – Some common security standards include controls which cover how well a governance framework manages a particular service. Examples include: CSA CCM v3.0, ISO/IEC 27001. Standards differ in the level of detail applied. The scope of any supporting certification should be validated to ensure that the governance framework goals set out above are covered.

To read more about the Cloud Security Principles – go here

Or, if you would like to talk about your cloud security and how we can help, please contact us.

A few people we've already done it for