Cloud computing security policy
Updated 11 March 2026
This cloud computing security policy is part of a suite of policies designed to promote consistency across the Department for Work and Pensions (DWP) and supplier base with regard to the implementation and management of security controls. For the purposes of this policy, the terms ‘DWP’ and ‘Department’ are used interchangeably.
Security policies cross-refer to each other where needed, so they can be used together with confidence. They contain both mandatory and advisory elements, described in consistent language as set out in the following table.
| Term | Intention |
|---|---|
| must | denotes a requirement: a mandatory element |
| should | denotes a recommendation: an advisory element |
| may | denotes approval |
| might | denotes a possibility |
| can | denotes both capability and possibility |
| is/are | denotes a description |
Overview
The DWP cloud computing security policy defines the DWP strategic approach to securing all cloud-hosted systems and services. It is a critical enabler for the DWP 2030 Business Strategy, directly supporting the priority to go “further and faster with digitalisation”. By establishing a consistent and proportionate security baseline, this policy enables DWP to become a digital organisation and securely leverage cloud technologies to deliver efficient, responsive, and resilient services to citizens.
Purpose
The purpose of this policy is to:
- establish the Department’s strategic principles, risk appetite, and governance for using all cloud computing services
- ensure DWP’s adoption of cloud services aligns securely with the UK Government’s ‘Cloud First’ strategy
- protect the confidentiality, integrity and availability of DWP information assets hosted in the cloud
- embed principles such as resilience-by-design, secure lifecycle management, and a clear understanding of the shared responsibility model (SRM)
- ensure DWP complies with all applicable legal and regulatory requirements, including the Data Protection Act 2018 and applicable data protection legislation
Scope
This policy is mandatory and applies to:
- all DWP business units and personnel (including employees, contractors, and third-party suppliers) involved in the procurement, design, deployment, or management of cloud services (from this point forward collectively referred to as ‘users’)
- all cloud service models (Infrastructure as a Service - IaaS, Platform as a Service - PaaS, Software as a Service - SaaS) and deployment types (public, private, hybrid) used to process, store, or transmit DWP data
- all systems and services that handle DWP data classified at OFFICIAL or above (see DWP security classification policy for further information)
- all DWP information technology and operational technology systems that connect to or interact with cloud services
This policy does not apply to supplier services that do not process, store or transmit DWP data.
Core cloud security principles
DWP’s secure use of cloud services must be underpinned by the following principles:
- alignment with NCSC - all cloud services must align with the 14 National Cyber Security Centre (NCSC) Cloud Security Principles
- identity-centric security (zero trust) - this is a principle where security is based on who is accessing a resource, not where they are. Cloud services should be designed and operated with the assumption that the network is hostile. (This is a principle, not a technical ‘must’.) The principle of least privilege must be strictly enforced and, where feasible, every access request should be explicitly verified, in alignment with Security Standard SS-023: Cloud Computing
- risk-informed adoption - all decisions regarding the use of cloud services must be based on a thorough and documented acceptance of associated risks
- secure by design and default - cloud services must be selected, designed, and configured with security as a critical consideration from the outset and by default
- data sovereignty and international transfers - all cloud deployments must ensure that DWP data residency and processing are limited to UK-approved jurisdictions. Any international data transfers, including remote access from outside the UK, must comply with the DWP offshoring policy and applicable international transfer requirements
- secure exit and portability - cloud services must be selected, designed, and managed to ensure data and service portability, reversibility, and a secure exit strategy without undue vendor lock-in
Policy statements
The following statements are aligned with the National Institute of Standards and Technology (NIST) cybersecurity framework functions.
1. Govern: cloud security governance and strategy
1.1. Framework: this policy requires DWP Digital, DWP Operations, and the DWP Data Protection and Security functions to agree on clear accountability and responsibilities for establishing and maintaining a Cloud Security Governance Framework. The framework must define roles, responsibilities, risk ownership, and decision-making authority across the entire cloud service lifecycle.
1.2. Shared responsibility model: all cloud deployments must explicitly define the division of responsibilities between DWP and the Cloud Service Provider (CSP). A clearly documented RACI (responsible, accountable, consulted, informed) matrix must be developed and maintained for each cloud service, in alignment with Security Standard SS-023: Cloud Computing.
1.3. Risk appetite: DWP’s appetite for cyber risk in the context of cloud computing must be defined, documented, and approved, forming a critical consideration for all cloud service selection and risk acceptance decisions. This directly supports the Risk and Assurance pillar of the DWP Security Strategy.
2. Identify: cloud risk assessment and asset management
2.1. Cloud risk assessment: a formal risk assessment must be conducted for all cloud services that process, store, or transmit DWP data. This assessment must evaluate data sensitivity, jurisdictional risks, and composite risks from interconnected services.
2.2. Artificial intelligence (AI) and model governance:
- disclosure: CSPs must explicitly identify any embedded AI services that may access, process, or analyse DWP data
- data usage restrictions: the use of DWP data for AI model training or fine-tuning is strictly prohibited unless explicitly authorised through a formal contractual agreement
2.3. Supplier due diligence: supplier due diligence must be conducted on all potential CSPs before contract award. This may include a review of independent audit reports (for example, System and Organisation Controls 2, ISO 27001) and assurance of their security posture. Contracts should secure the right to request a software bill of materials for software integral to Important Business Services or handling sensitive DWP data.
3. Protect: implementing cloud safeguards
3.1. Identity and access control:
- access to all cloud services, data, and management planes must be controlled based on the principles of least privilege and role-based access control, in alignment with Security Standard SS-001-1: Access and Authentication
- phishing-resistant authentication must be used for privileged access and for DWP corporate access to DWP cloud services and administrative portals, in alignment with Security Standard SS-001-1: Access and Authentication Controls; access for citizens must be subject to a separate risk assessment
3.2. Data security:
- sensitive DWP information must be encrypted at rest and in transit using DWP-approved cryptographic algorithms in alignment with Security Standard SS-007: Use of Cryptography
- DWP must maintain appropriate control over encryption keys for sensitive data, in alignment with Security Standard SS-002: Public Key Infrastructure and Key Management
3.3. Secure configuration management:
- cloud environments must be established using controlled, standardised methods to minimise the risk of error and ensure consistency with approved organisational practices
- continuous monitoring must be in place to identify any departures from required security standards or approved configuration baselines
3.4. Network security:
- cloud services must be configured to ensure appropriate separation between environments and to control the flow of information
3.5. Backup and recovery:
- all critical DWP data must be securely backed up in accordance with DWP retention policies and in line with Security Standard SS-035: Backup and Recovery
4. Detect: cloud security monitoring and threat detection
4.1. Logging and monitoring: security logging and monitoring must be in place across all DWP cloud environments. Records must be safeguarded against alteration, retained in line with DWP requirements, and incorporated into central protective monitoring processes, in alignment with Security Standard SS-012: Protective Monitoring.
4.2. AI-powered defence: to counter the threat of machine-speed attacks accelerated by adversary AI, DWP should leverage AI-driven security capabilities that strengthen the Department’s ability to detect, prevent, and respond to malicious activity at pace.
4.3. Threat intelligence integration: threat detection processes must make use of relevant threat information and NCSC advisories to identify emerging risks and malicious activity.
5. Respond: cloud security incident management
5.1. Incident handling: cloud-related security incidents must be managed in accordance with the DWP-wide security incident management plan (see Security Standard SS-014: Security Incident Management).
5.2. Supplier obligations: CSPs must be contractually obligated to:
- notify DWP of any security incident affecting DWP data without undue delay and within agreed timelines
- provide full cooperation during investigations, including timely access to all relevant logs and forensic data
5.3. Forensics: DWP must have the capability to conduct forensic investigations in cloud environments. This must be supported by contractual rights to access relevant evidence and logs from the CSP, in alignment with the DWP Forensic Readiness Policy.
6. Recover: cloud resilience and business continuity
6.1. BCDR integration: DWP business continuity and disaster recovery (BCDR) plans must identify and incorporate dependencies on cloud services that support DWP Important Business Services or Critical National Infrastructure designated systems, including consideration of disruption resulting from sophisticated threats or high-level adversaries targeting those cloud services.
6.2. Resilience testing: BCDR plans involving cloud services must be tested regularly in line with the criticality of the supported DWP Important Business Service, with scenarios proportionate to the system’s criticality and the assessed threat level. Testing must include scenarios that simulate sophisticated state-sponsored disruption attacks, focusing on maintaining core service delivery under sustained degradation.
6.3. Exit and transition strategy: each critical cloud service must have a documented and tested exit strategy to ensure the secure and timely portability of data and services to an alternative provider or on-premises environment.
Accountabilities and responsibilities
The DWP Chief Security Officer is the accountable owner of the DWP Cloud Computing Security Policy and is responsible for its maintenance and review, through the DWP Deputy Director for Security Policy and Central Services.
System and Service Owners are responsible for:
- conducting risk assessments and documenting the SRM for their services
- ensuring a clearly documented SRM or RACI matrix is developed and maintained for each cloud service they own
- ensuring that BCDR plans incorporate dependencies on critical cloud services
DWP Procurement and Legal Teams must ensure that:
- all CSP contracts include clauses that enforce the requirements of this policy, particularly regarding incident notification, forensic cooperation, and data residency
- where international transfers or offshoring of data are required, appropriate safeguards (such as Standard Contractual Clauses) are in place, in strict compliance with the DWP Offshoring Policy
They are also responsible for obtaining contractual assurances from CSPs regarding data sovereignty and restrictions on data usage for AI model training.
The DWP Digital Design Authority is responsible for:
- reviewing and approving exceptions to technical controls, such as those for file integrity monitoring and the use of non-root users in containers
DWP Security and Data Protection Teams are responsible for:
- regularly assessing compliance with this policy through inspections and audits
- managing the security policy exception process
All DWP Employees, Contractors, and Third-Party Suppliers are responsible for:
- being aware of and complying with this policy and its associated standards
- reporting all actual or potential security incidents immediately through the appropriate channels
Compliance
All DWP employees, contractors and third-party suppliers must comply with DWP’s security policies and standards.
Failure to report a security incident, potential or otherwise, could result in disciplinary action and, in the most severe circumstances, result in dismissal. A security incident is the attempted or actual unauthorised access, use, disclosure, modification, loss or destruction of a DWP asset (or a supplier asset that provides a service to the Authority) in violation of security policy. The circumstances may include actions that were actual, suspected, accidental, deliberate, or attempted. Security incidents must be reported as soon as possible. DWP users must report security incidents via the DWP Security Incident Referral Webform; third parties and suppliers must follow the Security Standard SS-014: Security Incident Management.
Any proposed deviation from this policy must follow the formal DWP Security Policy Exception Process, requiring a full risk assessment and documented approval.
If compliance with the DWP Approved Cryptographic Algorithm list is not possible, a formal exception is required. The exception must be raised by the relevant Deputy Director (with a supporting risk assessment and risk mitigations) with the Director of Digital Transformation, who will determine if the exception is valid. If the Director of Digital Transformation supports the exception request, they will then approach the Chief Security Officer to consider the request; only if it is agreed can the exception be granted without an approved cryptographic algorithm being utilised.
Appendix A: definitions
| Term | Definition |
|---|---|
| Cloud Computing | A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources. Defined in line with NIST SP 800-145 and adopted by NCSC and ISO/IEC 17788. |
| Cloud Service Provider (CSP) | An entity offering cloud-based services such as IaaS, PaaS, or SaaS. CSPs may be public, private, or hybrid and must meet assurance and compliance standards. |
| IaaS (Infrastructure as a Service) | The supply of basic infrastructure, such as networks, processing, and storage, on which users can base their applications; the CSP is responsible for this infrastructure. |
| PaaS (Platform as a Service) | The level of responsibility shared with the CSP varies greatly in PaaS services. At one end of the spectrum, the distinction between IaaS and PaaS is blurred because the provider helps manage the operating system. Customers submit the source code for their application, and the service handles the rest. |
| SaaS (Software as a Service) | The SaaS model gives the CSP the greatest amount of responsibility while taking full advantage of the increased security provided by the provider’s large-scale operation. |
| Shared Responsibility Model | A framework that defines the security responsibilities of the CSP and the customer (DWP). Varies by service model (IaaS, PaaS, SaaS). |
| Zero Trust Architecture (ZTA) | Security model requiring strict identity verification and access validation for every device and user accessing cloud resources. |