KPMG LLP

Cloud Risk and Control

Helps users of Cloud services understand the risks associated with moving to and using these services, so that they can maximise value and build confidence in how those services are managed and controlled. The service applies KPMG's proven best-practice framework to accelerate cloud adoption safely and cost-effectively.

Features

  • Well proven framework and approach applied at major Clients globally
  • Service can be utilised at any stage of cloud journey
  • Identify key cloud risks in control environment and relevant controls
  • Aligned to HMG guidelines and proven best practice
  • Mapped to industry standards including COBIT, ISO27001/2, CSA and PCI/DSS
  • Technology agnostic
  • Provides clarity around roles and responsibilities between organisation and CSP
  • Technical guidelines for cloud architects and engineers on control requirements
  • Provides auditable traceability between controls and built environment for BAU
  • Utilising analytics and visualisations to enable reporting

Benefits

  • Accelerates your Cloud adoption without deviating from established controls
  • Provides increased assurance over Cloud to stakeholders, HMG/Cabinet Office
  • Supports compliance with standards
  • Fully auditable and can be used for internal control assurance
  • Helps continuously manage and proactively mitigate Cloud risks
  • Enables informed decisions around Cloud risks and performance
  • Increases certainty and transparency on compliance with Cloud good practice
  • Drives improvements in controls processes
  • Helps to engage with the Cabinet Office, 2LD and Audit
  • Provides intuitive Data & Analytics visualisations

Pricing

£360 to £2,560 a unit a day

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at psopportunities@kpmg.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

763624354727519

Contact

KPMG LLP KPMG G-Cloud Team
Telephone: 02073111000
Email: psopportunities@kpmg.co.uk

Planning

Planning service
Yes
How the planning service works
KPMG's service will help ensure that:
1) Your Cloud strategy has a clear vision aligned to best industry practice, regulatory guidelines and is clear on the principles underpinning it;
2) Your Cloud Strategy and planning approach enables operational efficiencies whilst simultaneously ensuring that key risks across people, processes and technology are being effectively considered and managed;
3) You are effectively addressing risk and compliance challenges from planning stage (e.g. in order to achieve the Regulator, Chief Risk Officer or Board approval);
4) You are identifying opportunities to mitigate Cloud concentration risk through defining the optimal mix of Cloud providers to improving agility and managing risk/resilience.

Using our proven Cloud Framework and transformation approach, along with significant practical experience, as accelerators, KPMG will work collaboratively with you to understand, assess and make recommendations to address risks and challenges with your Cloud strategy (e.g. concentration risk, contract risk and compliance risk) and planning approach. We will also leverage our in-depth risk and regulatory experience to support you in the drafting and positioning of your Cloud strategy and planning approach submission to key Stakeholders, Risk Teams or the Board.
Planning service works with specific services
No

Training

Training service provided
Yes
How the training service works
KPMG can provide training around Cloud risk management and controls which can be targeted at first, second or third line of defence and would cover an end-to-end view of Cloud risks, controls and assurance approaches.

The proposed modules would include but are not limited to:
1) Cloud essentials;
2) Risks of Cloud usage;
3) Cloud governance;
4) Cloud risk & Controls assessment (including Cloud provider specifics);
5) Third party risk management;
6) Internal audit support;
7) Analytics to support the above (e.g. MI & reporting)

These are not standalone modules; however, we acknowledge that not all modules will be relevant to every organisation, so we have developed flexible learning packages based on your organisation’s needs and learning objectives.
Training is tied to specific services
No

Setup and migration

Setup or migration service available
Yes
How the setup or migration service works
KPMG's service helps you from initial service design, through procurement, implementation and live service, to ensure that the key Cloud risks are identified and effectively managed by having the right controls designed and operating effectively. Our multidisciplinary Technology risk, Cloud operations and advisory team will help you assess the existing controls at technical, operational and regulatory levels, providing a view of your Cloud compliance (across IaaS, PaaS and SaaS as appropriate) and reporting on control gaps, risk exposure and recommendations, including quick wins. We will support you with the definition of Cloud risks and the design, build and transfer of controls to mitigate these in line with the agreed risk appetite.
Our Cloud Framework will accelerate the achievement of your desired outcomes as it combines KPMG’s extensive practical experience with multiple clients across industries with leading Cloud control standards (e.g. CCM) and regulatory frameworks (e.g. EBA, PRA and FCA) and HMG standards and guidelines.
Setup or migration service is for specific cloud services
No

Quality assurance and performance testing

Quality assurance and performance testing service
Yes
How the quality assurance and performance testing works
A typical lifecycle for the delivery of our services would involve the risk assessment of the Cloud controls in scope to inform senior leadership of the effectiveness of areas in scope and to enable them to make informed decisions around enhancing the control environment.
Depending on the agreed scope and approach (high level vs detailed) our multidisciplinary team will:

- Conduct interviews and information gathering with key SMEs and analysis for the areas in scope;
- Review provided documentation (e.g. policies and processes, architectural and design documentation);
- Test associated guardrails (tools and/or methods that can be used to implement the controls) through access to, review and testing of relevant Technology/ Service directly (e.g. Code, Tooling, Artefacts etc.).

The output of the review will be a gap assessment report which enables higher certainty and transparency on Cloud compliance, control effectiveness and risk exposure by providing:
- A roadmap with key recommendations and quick wins;
- Quick wins identified, with help available for implementation to accelerate your remediation journey;
- Clear areas of focus identified to minimise residual risk and keep attention on the most pertinent Cloud risks in a cost-effective manner.

Security testing

Security services
Yes
Security services type
  • Security strategy
  • Security risk management
  • Security design
  • Cyber security consultancy
  • Security testing
  • Security incident management
  • Security audit services
Certified security testers
No

Ongoing support

Ongoing support service
No

Service scope

Service constraints
Conflicts may exist for KPMG audit clients.
Control coverage is flexible but dependent upon an agreed scope.

User support

Email or online ticketing support
No
Phone support
No
Web chat support
No
Support levels
N/A

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
BSI IS645896
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Items outside the Statement of Applicability v10
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
Yes
Any other security certifications
  • Offensive Security Certified Professional/Expert (OSCP/OSCE)
  • CISSP - Certified Information Systems Security Professional
  • CCSK - Certificate of Cloud Security Knowledge
  • CCSP - Certified Cloud Security Professional
  • SCF - SABSA Chartered Security Architect – Foundation
  • AWS Certified Solutions Architect – Associate
  • GICSP - Global Industrial Cyber Security Professional
  • CISA - Certified Information Systems Auditor

Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

Fighting climate change

We’ve committed to Net Zero 2030, backed by our environment strategy, aligned to the 1.5-degree pathway and approved by the Science Based Targets Initiative. We have also introduced an internal carbon price: a self-imposed tax applied to our energy use and business travel, bringing the cost of our carbon emissions back to us to fund decarbonisation projects. These initiatives have inspired our staff and gained us a top 2% Carbon Disclosure Project (CDP) A Rating, a Platinum EcoVadis medal, and Environmental Management (ISO 14001) and Energy Management (ISO 50001) certification.
During contract delivery we will:

‒ Encourage our suppliers to report their carbon data to CDP, helping us to measure and encourage progress and remain on their Supplier Engagement Leader board. Reducing pollution through our supply chain.

‒ Facilitate a ‘fighting climate change’ 90-minute session and create a team charter to agree:

o Traveling SMART | Minimising travel for those involved in the contract and measuring and monitoring all contract related business travel and carbon emissions using our proprietary KPMG carbon tracker tool.

o Living sustainably at home | Managing home office equipment efficiently and avoiding printing.

o Adopting a ‘digital first’ approach | Using collaborative technologies for data storage/ sharing to maximise effectiveness and reduce email volume.

Reducing travel, power consumption, and paper usage to minimise emissions and support sustainable behaviours.

‒ Host a 60-minute sustainability impact modeller tool demonstration. Helping reduce your carbon footprint of cloud deployments using bespoke tooling to optimise implementation.

‒ Monitor, measure, and report commitments using the Social Value Portal. An evidence-based, data-driven tool, underpinned by the National Themes, Outcomes and Measures framework. It’s endorsed by the Local Government Association and compatible with all major ESG frameworks. Bringing rigour to commitments tracking and allowing you to flex and value the impact and hold us accountable.

Covid-19 recovery

The pandemic accelerated changes in the way we work, forcing us to adapt to ensure rapid recovery. Office space has been transformed for innovation, collaboration, and convening between our colleagues, clients, networks, and local communities.

Contract specific commitments:

‒ Leverage market-leading devices and hybrid working plans to allow teams to be outstanding in delivery empowered by agile working. Offering greater flexibility and choice during the working week, bringing together physical and virtual worlds.

‒ Welcome those who have not been able to join the workforce previously to play an active role e.g., those who couldn’t spend much time away from home due to caring commitments, those with great distances to travel to an office, or those with a disability which precludes travel. Creating a more diverse workforce.

‒ Host a 60-minute future of work session to share our latest thinking. Including, helping you to consider how innovative technologies can support some of the hardest aspects of change to achieve and sustain high performance and nurture creativity.

‒ Monitor, measure, and report commitments using the Social Value Portal. An evidence-based, data-driven tool, underpinned by the National Themes, Outcomes and Measures framework. It’s endorsed by the Local Government Association and compatible with all major ESG frameworks. Bringing rigour to commitments tracking and allowing you to flex and value the impact and hold us accountable.

Tackling economic inequality

Like you, we are committed to shaping an environment to narrow disparities, level the playing field, and create better growth opportunities for diverse businesses. During the delivery of the contract, we’ll tackle economic inequality through the following commitments:

‒ Adhere to inclusive recruitment and progression practices that follow the five foundational principles in the Good Work Plan (satisfaction, fair pay, participation and progression, wellbeing, and voice and autonomy). Increasing self-worth and motivation and improving retention and productivity.

‒ Provide access to KPMG’s Introduction to Python Coding 10-week course to your staff and suppliers. Successful participants will receive a Credly digital certificate. Strengthening logic and problem-solving skills and equipping future generations with the desired skills to make them a relevant asset.

‒ Extend the reach of our technology and engineering apprenticeships by partnering with local authorities and charities. Generating additional paths to employment for people from lower socio-economic backgrounds and bolstering future skills in the UK. Practical work experience is gained while working towards professional qualifications/ accreditations and earning a salary.

‒ Create business opportunities for a range of local suppliers such as entrepreneurs and start-ups. By encouraging our 1,800 active suppliers to use local sourcing in their supply chain. For example, for our national catering contract we expect the supplier to source produce locally, supporting local producers and reducing food miles. Our sustainable procurement policy is supporting SMEs and VCSEs via various initiatives e.g. the prompt payment code.

‒ Monitor, measure, and report commitments using the Social Value Portal. An evidence-based, data-driven tool, underpinned by the National Themes, Outcomes and Measures framework. It’s endorsed by the Local Government Association and compatible with all major ESG frameworks. Bringing rigour to commitments tracking and allowing you to flex and value the impact and hold us accountable.

Equal opportunity

We aim to attract the best talent in the market, from all backgrounds at every stage of their career and empower them to reach their full potential. Our initiatives include establishing 16 diversity networks to support individuals and voluntarily publishing diversity pay gaps and action plans to close gaps. Improving progression for our historically underrepresented groups* and placing us in the Top 5 in the Social Mobility Employer Index since 2017.
* Bridge Group – KPMG progression gap analysis.

During the delivery of the contract, the following commitments will go further to level the playing field:

‒ Take a risk-based approach to policies, training, governance, and approvals to ensure human rights due diligence. Although our industry is not considered high-risk, risk can arise in our operations and supply-chain. Supporting your zero-tolerance approach to modern slavery.

‒ Invite your employees to join our Cross Company Allyship Programme. Matching mentees from ethnic minority groups with mentors from across KPMG and our client base. Creating diversity of thought, experience, providing career guidance, and building professional network and confidence.

‒ Provide employability support to people who have served with the armed forces. We’re signatories to the Armed Forces Covenant and holders of the Gold Defence Employers Recognition award. Providing successful career opportunities for those embarking on ‘civvy street.’

‒ Ensure the contract workforce are physical/ digital accessibility trained, recognising that not all disabilities are visible. Building an awareness of the policies and standards that enhance accessibility and productivity.

‒ Monitor, measure, and report commitments using the Social Value Portal. An evidence-based, data-driven tool, underpinned by the National Themes, Outcomes and Measures framework. It’s endorsed by the Local Government Association and compatible with all major ESG frameworks. Bringing rigour to commitments tracking and allowing you to flex and value the impact and hold us accountable.

Wellbeing

Our wellbeing strategy has been shaped by listening to our people and working with specialists. Focusing on the areas where we can have the biggest positive impact. During contract delivery, we will support wellbeing with the following commitments:

‒ Provide the contract workforce with a rich, innovative suite of specialist information, advice, services, and treatment – supplemented with focused initiatives. Shaped by listening to our people and working with specialists. Using clinical, organisational, and positive psychology to empower individuals by providing the right care, at the right time. And allowing them to be at their best.

‒ Facilitate a 90-minute wellbeing workshop for the contract workforce, using our bespoke Wellbeing EDGE tool to create a wellbeing charter. Identifying team member “non negotiables,” creating an inclusive environment, and agreeing our collective approach to maximise team wellbeing.

‒ Facilitate monthly constructive health and wellbeing check-ins using Wellbeing EDGE and a wellbeing survey to measure the success of our approach and identify additional support required. Understanding how the team can be effectively supported through emerging challenges. Ensuring the workforce witnesses our commitment to continuous improvement, including feedback being incorporated and acted on. Thus, empowering them to continue to speak up.

‒ Appoint a dedicated accredited Wellbeing Ambassador, with a passion for wellbeing, to challenge mental health stigma and begin empathetic conversations with team members. Building, embedding, and maintaining a sustainable wellbeing approach and giving visible support to those struggling mentally or physically.

‒ Monitor, measure, and report commitments using the Social Value Portal. An evidence-based, data-driven tool, underpinned by the National Themes, Outcomes and Measures framework. It’s endorsed by the Local Government Association and compatible with all major ESG frameworks. Bringing rigour to commitments tracking and allowing you to flex and value the impact and hold us accountable.

Pricing

Price
£360 to £2,560 a unit a day
Discount for educational organisations
No