Requirements for Cloud Computing

In this section

Government’s cloud strategy

The Government ICT Strategy and Action Plan to 2017 seeks to improve service delivery and deliver substantial savings across government, with cloud computing as a key enabler.

The Government’s approach to cloud computing [CAB Min (12) 29/8A- pdf 1.3MB] was introduced in August 2012 by the Minister of Internal Affairs of the time.  The approach established a ‘cloud first’ policy and an All-of-Government (AoG) direction for the use, development and deployment of cloud services. The cloud computing business model allows agencies to consume ICT as a service which leads to smarter investment and savings across the public sector.  Under the ‘cloud first’ policy, State Service agencies are expected to adopt Government ICT Common Capabilities when faced with new procurements, or an upcoming contract extension decision.

Benefits of cloud computing

  • Cloud computing solutions are scalable: agencies can purchase as much or as little resource as they need at any particular time.  They pay for what they use.
  • Agencies do not have to make large capital outlays on computing hardware, or pay for the upkeep of that hardware.
  • Cloud computing provides economies of scale through all-of-government volume discounts. This is particularly beneficial for smaller ICT users.
  • Agencies can easily access the latest versions of common software, which deliver improved and robust functionality, and eliminating significant costs associated with version upgrades.
  • If agencies are able to access the same programmes, and up-to-date versions of those programmes, this will improve resiliency and reduce productivity losses caused when applications are incompatible across agencies.

Cloud computing risk and assurance framework - Background to Government’s approach

Along with great benefits, using cloud services also has risk. In October 2013, Cabinet agreed to a Cloud Computing Risk and Assurance Framework [CAB Min (13) 37/6B - pdf 277KB] for government agencies. All State Service agencies are expected to follow the process in line with Cabinet direction. 

The key points from this framework are:

  • Decisions on all cloud computing services, including continuation of existing services and decisions to renew contracts, require case-by-case consideration by agency chief executives with GCIO oversight. Refer to the Cloud Service Requirements chart (Word 115KB) for further guidance. This chart summarises the process for completing the requirements for cloud computing as detailed on these pages.
  • Agency chief executives are ultimately responsible for decisions to use cloud services, and are accountable for their risk exposure.
  • No data above RESTRICTED should be held in a public cloud, whether it is hosted onshore or offshore.
  • Agencies in the State Services are expected to follow a uniform and robust information risk management process that includes:

When agencies are taking up ICT Common Capability cloud services developed for All-of-Government by the GCIO, the lead agency developing the cloud ICT Common Capability will undertake the initial cloud assessment and other agencies may be able to place reliance on some of the assessment results. However, even with ICT Common Capabilities there are always agency-specific risks and considerations.

Cloud computing and ICT Assurance – What agencies must do when adopting cloud services


All cloud computing decisions need to be made on a case-by-case basis after a proper risk assessment. State Service agencies are expected to follow the process issued by the GCIO.

For decisions on all cloud computing services, including Government ICT Common Capabilities, continuation of existing services and decisions to renew contracts, mandated agencies must:

The GCIO will use the results of agencies’ cloud risk review activities to assess on an ongoing basis whether the correct guidance and risk-based processes (Cloud Computing: Information Security and Privacy Considerations guide pdf 197KB) are being applied and followed. The GCIO will not assess the underlying risk assessments as this is the responsibility of each agency CE. Endorsement of the cloud solution will not be required from the GCIO in advance of an agency adopting the cloud service.

The GCIO Government Enterprise Architecture team can provide limited guidance on the application of this framework.  Refer to the Cloud Service Requirements chart (Word 115KB) for further guidance or email

Information sharing

To further assist agencies and promote efficiency, the GCIO encourages and facilitates the sharing and re-use of existing cloud assessment materials among agencies.

All cloud documents submitted by agencies are logged in a register. We can put agencies who are beginning to assess a cloud solution in touch with other agencies that have completed a Cloud Risk Assessment Tool (Excel 77KB) for that particular service.  

Agencies must apply their own agency specific answers to relevant questions and ensure vendor information received in this manner is current and applicable to their own risk assessment.

Agencies should also ensure that third-party contracts related to cloud solutions (including those relating to assistance completing the Cloud Risk Assessment Tool (Excel 77KB) contain clauses allowing the sharing of Cloud Risk Assessment Tool (Excel 77KB) results within the State Services.

Please contact the ICT Assurance team for more information.


Page last updated: 22/10/2015