Send your risk documents to the GCDO
Send your completed questions from the risk assessment tool and signed endorsement form to the Government Chief Digital Officer (GCDO).
Collect: your answers to the risk discovery tool
These are the questions that you’ve answered and recorded in either:
- the Excel version — risk discovery tool for public cloud services
- your own document for recording them.
You do not need to include answers to the risk discovery, questions 28 to 105, if the person at the right level of reporting:
- approved the risk of incomplete information
- documented this decision in your risk assessment.
Collect: the approval of the risk assessment
A person at the right reporting level in your organisation needs to sign off on the risk assessment.
Sign-offs can be done using either:
- your organisation’s document for sign-offs
- the ‘Cloud endorsement by agency’ form (PDF 97KB).
Classify your risk documents
Use the right classification level and make sure it’s visible for each document.
The risk assessment tool and endorsement form’s classifications might be different from the information being used in the public cloud service.
Send your documents to the GCDO
For reporting and sharing guidance about public cloud services, Cabinet requires government organisations to send their signed endorsement forms and completed questions from the risk assessment tool to firstname.lastname@example.org.
The GCDO does not endorse the sign-offs by government organisations.
Final step — use your risk assessment
Put your risk assessment to:
- immediate use — add your information’s security controls to your organisation’s risk registers
- ongoing use — work with your organisation’s security and information technology teams to schedule future reviews.