The platform has been assured by the Cabinet Office Senior Information Risk Owner (SIRO) and our information and security risk is deemed to be appropriate for data classified as 'official'. In order to operate with live services, we underwent a formal risk assessment using a methodology based on ISO27005:2011. Our service is currently subject to the Cabinet Office and the Government Digital Service security governance.
Your service assurance
You'll be responsible for the assurance of your own service, and making sure that you have in place appropriate controls for the information you handle.
When you assure your service through your own organisation's information assurance (security) process, you don't need to include assurance of GOV.UK PaaS, since we've already done that - we can share the work we've done with you.
GOV.UK PaaS runs from Amazon Web Services in London and Ireland. For those choosing Ireland hosting, our offshore request for 'official' data was successful, but your department's information assurance team will need to make another offshoring request, so that the Office of the Government's Senior Information Risk Owner (OGSIRO) is aware of any increase to our aggregate risk.
Contact us at firstname.lastname@example.org if you need more details about information assurance.