HMG Accreditation of IT Systems

Accreditation is an internal independent assessment that an information system meets its IA requirements and that the residual risks are acceptable to the business.

Security Policy Framework (SPF) Mandatory Requirement 36 states that ‘ICT systems that process protectively marked Government data must be accredited using HMG IA Standard No. 2’. This accreditation requirement applies regardless of impact level or whether the system is owned by government or being supplied or operated by a third party.

An information system is deemed to be accredited when the Accreditor and the Senior Information Risk Owner (SIRO) accepts that the physical, personnel, procedural and technical countermeasures are sufficient to reduce the risks to an acceptable level.

The CLAS Scheme

The CESG Listed Adviser Scheme (CLAS) ensures that private sector Information Assurance providers such as us have a good understanding of current Government policy and guidance, the risk to official systems and the techniques available to counter them.

CESG is the Information Assurance (IA) arm of GCHQ is one of the three UK Intelligence Agencies (GCHQ, MI5, MI6) and is part of the UK's National Intelligence Machinery.

All Consultants applying for membership of CLAS are assessed on the basis of a strong competency framework. The Scheme offers the benefit of assured advice in line with the latest authoritative guidance and threat intelligence.

CLAS consultants are all SC cleared and approved to provide Information Assurance advice on systems marked up to SECRET.