Information Assurance

HMG (IL3) Accreditation for Service Providers

HMG CLAS Consultancy

If you are a data centre looking to offer hosting services to Government Agencies you will HAVE to get that service accredited to HMG standards. Bids and tenders from UK Government Departments require products and services to be accredited to IL2, IL3 or even IL4 (or OFFICIAL marked data). These terms essentially require the service provider to pass the BCS (baseline control set) audit which is based on ISO27001 and a suite of other documents (such as the Cabinet Office Security Policy Framework  and CESG Good Practice Guides). This can seem a complex process and the jargon can seem confusing if you are not familiar with the world of HMG accreditation their methods and terminology.

CNS HUT3 Consultancy services look to demystify the key principles whilst ensuring that all critical steps for achieving accreditation are met. The steps required may differ depending on the impact level (IL) required but typically CNS utilise the following methodology:






To satisfy requirements security controls must be robust and sufficiently comprehensive. This phase defines the borders of the service to be accredited by ensuring that ALL elements are included.


BCS Gap Analysis

Following the scoping exercise a gap analysis of appropriate assurance activities is required. HMG BCS (baseline control set) RAG (red, amber, green) status methodology is used. Evidence required is in the form of independent audit reports, existing policies and procedures, audits of 3rd parties, proof of processes and interviews with key staff.


Technical Risk Assessment & Risk Treatment Plan

Once the gap analysis is complete a technical risk assessment is undertaken using the HMG IA Standards No. 1 and 2 methodology. The purpose of this phase is to quantify the risks by identifying the threat vectors and actors. This process allows the service provider to remediate any areas that require further works. A  RAG risk treatment plan, aligned with CESG good practice guides is also used.


CESG Approved IT Health Check (ITHC)

Once all remedial works have been completed an IT Health Check (ITHC) by an accredited green CHECK or CREST penetration testing company is required. This is to prove that the system is in a position to be certified for HMG use. The ITHC takes the form of network level external and internal as well as application layer tests.



All evidence must then be submitted in a Risk Management and Accreditation Document Set (RMADS) which includes a Statement of Residual Risk, Security Operating Procedures (SyOPs) and confirmation that the service provider can support customers obligations under the Data Protection Act 1998 (DPA).


Risk Management and Accreditation of Information Systems

CNS CLAS consultants have extensive experience in creating RMADS for our public sector customers, on either a project or general network basis. CNS has been involved in RMADS creation for a number of public sector clients across a variety of situations, and a strong process ensures that our RMADS creation is rapid, accurate and cost effective, as well as meeting the requirements of the accreditor.