The challenge

Objective

Our client, a leading multinational software enterprise based in the US, was preparing to launch their cloud security service product in the UK. As they were targeting customers in highly regulated industries, they needed an in-depth understanding of the UK compliance landscape to ensure the product would meet the required standards.

Outcome

Delivered in-depth discovery research to ascertain how the client’s service offering would meet current and future compliance requirements in the UK.

Results that matter

• An actionable view of the client’s cyber risk exposure.
• Alignment of the client’s services with UK security frameworks – Cloud Security Principles (CSP), Cyber Assessment Framework (CAF), and General Data Protection Regulation (GDPR).
• Accelerated the client’s entry into the UK market to secure strategic customers and revenue.

6point6 set a high standard with this project, which the client hopes to see replicated in other geographies. To arrive at the end goal, we ensured the best use of resources was made, for example the identification of already existing technical controls that would satisfy the demands of the UK market. This, combined with our tried and tested methodologies and project management approach, helped to make the whole process extremely efficient.

Scaling compliance challenges

The risks and costs that come with regulatory compliance can quickly undermine the business case for cloud services in new markets. Compliance in one territory doesn’t necessarily translate to compliance in others. Even general regulations can pose significant challenges, and when you’re looking to expand in heavily regulated markets, the stakes are that much higher. 

Our US-based, global software enterprise client was looking to enter the UK market with a specialised cloud security product that’s designed for governments and private sector organisations with stringent security and compliance requirements. 

A critical factor in their go-live plan was ensuring the product would adhere to EU and UK regulations and security standards. 

As the first Amazon Web Services (AWS) Authority to Operate (ATO) partner in Europe, and having worked with several clients in the UK government, 6point6 had the expertise to support the client in understanding the local compliance landscape and aligning their service with UK security frameworks.

Prioritising compliance activities based on business insight

Our discovery focused not only on our client’s solutions, existing controls and areas of compliance but also, importantly, on the customers they wanted to engage with. 

The client required a very broad set of specialisations to complete this compliance exercise, from in-depth knowledge of the standards for data privacy and information assurance to expertise in cyber architecture.

In addition to these skill sets, 6point6 brought valuable business insight to the engagement. 

Because 6point6 has worked closely with several government departments and agencies across a broad range of services, we were able to share our insight into their operating environment and risk and threat landscape, as well as their unique concerns and individual requirements.

Building the baseline

This helped us determine which of the many standards, frameworks and regulations our client needed to align with first. The priorities we identified as a baseline for the client were:

• The General Data Protection Regulation (GDPR)
• The ISO/IEC 27001 information security standard
• The UK government’s National Cyber Security Centre’s (NCSC’s) 14 Cloud Security Principles (CSPs) and Cyber Assessment Framework (CAF)

Bridging the gaps

The client was already compliant with the rigorous standards of the US federal government’s Federal Risk and Authorization Management Program (FedRAMP). This allowed us to ‘match’ elements that were already in place with the UK/EU compliance requirements, then identify gaps that needed to be addressed.

Accelerating time to market

Our approach was to reveal insights early and discuss our recommendations with the client as we identified them. This meant they did not have to wait for weekly updates before making changes, but could make regular, incremental improvements.  

In addition to supporting the client in uplifting certain controls to acquire the relevant compliance certifications, we helped them create a proposed architecture for delivering the service – including where to house customer databases, given certain geographical restrictions.

With an actionable view of their exposure to cyber risk, a clear roadmap for aligning their services with UK security frameworks, and a set of cyber activities to support future projects, our client was able to take the product to market within their specified timeframe.