Compliance Is Moving Faster Than Most Organisations Can Keep Up
If you work in UK public sector IT, 2026 feels like a year where the compliance ground is shifting under your feet. GovAssure assessments are maturing and expanding in scope.
Cyber Essentials Plus remains a procurement baseline but is being applied with increasing rigour. The NCSC’s Cloud Security Principles continue to underpin expectations for how government data is handled in the cloud. And sector-specific requirements, from NHS DSPT to MOD security classifications, add further layers of complexity.
For organisations migrating to or operating on AWS and Azure, the challenge isn’t whether to comply. It’s how to build cloud environments that are compliant by design, auditable by default, and sustainable to maintain without drowning in manual processes.
At Mobilise, we help public sector organisations navigate this landscape every day. We hold ISO 27001 and Cyber Essentials Plus certifications ourselves, and we architect cloud environments that are built to meet these standards from the outset, not retrofitted before an audit. This guide walks through the key compliance frameworks, how they apply to cloud environments, and the practical steps to achieve and maintain readiness.
GovAssure: What’s Changed and What’s Expected
GovAssure, introduced in 2023, replaced the previous PSN compliance regime and brought a more risk-based, outcome-focused approach to assessing government departments’ cyber resilience.
Assessments are conducted against the NCSC’s Cyber Assessment Framework (CAF) and cover four core objectives: managing security risk, protecting against cyber-attack, detecting cyber security events, and minimising the impact of incidents.
In 2026, several trends are shaping how GovAssure is being applied.
Scope is expanding beyond core networks. Early GovAssure assessments focused heavily on departmental network infrastructure. Increasingly, assessments are examining cloud environments, SaaS integrations, and third-party service providers. If your workloads run on AWS or Azure, expect your cloud configuration, identity management, and incident response capabilities to be scrutinised.
Evidence needs to be demonstrable, not declarative. It’s no longer sufficient to state that you have policies and procedures in place. Assessors want to see the evidence: configuration artefacts, audit logs, access review records, and incident response test results. Cloud environments that are built with Infrastructure as Code and have comprehensive logging enabled are inherently better positioned to produce this evidence.
Continuous improvement is expected. GovAssure isn’t a pass/fail certification. It produces a maturity profile with recommendations for improvement. Organisations are expected to show progress between assessment cycles, which means compliance needs to be embedded in operational practices, not treated as an annual project.
Cyber Essentials Plus: Still the Baseline, Now With More Teeth
Cyber Essentials Plus remains the UK government’s baseline security certification and a minimum requirement for many public sector contracts. The scheme covers five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management.
For cloud-hosted environments, applying these controls requires careful mapping.
Firewalls and network boundaries translate to Security Groups, Network ACLs, and WAF configurations on AWS, and Network Security Groups, Azure Firewall, and Application Gateway on Azure. The principle is the same (restrict inbound and outbound traffic to only what’s required), but the implementation is cloud-native.
Secure configuration means ensuring that cloud resources are deployed according to hardened baselines. CIS Benchmarks for AWS and Azure provide detailed, prescriptive guidance on how services should be configured. Automated compliance scanning tools — AWS Security Hub, Azure Policy, or third-party platforms like Prowler — can continuously validate configuration against these benchmarks.
User access control in the cloud encompasses IAM policies, role-based access, MFA enforcement, and the management of both human and non-human identities. Cyber Essentials Plus assessors will look at how administrative access is controlled, how privilege is managed, and whether default credentials have been changed across all cloud services.
Malware protection extends to endpoint agents on EC2 instances and virtual machines, but also to container scanning, serverless function analysis, and email security for cloud-hosted communication platforms.
Patch management in the cloud is both simpler and more complex than on-premises. Managed services (like RDS, Lambda, or Azure Functions) are patched by the cloud provider. But IaaS workloads — EC2 instances, Azure VMs — require the same patching discipline as traditional servers, often managed through AWS Systems Manager Patch Manager or Azure Update Management.
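The two controls above that map least obviously onto cloud objects are firewalls and patch management. The following is an added example, not code from the article or from Mobilise, showing how an assessor-style check for each looks when run against AWS-shaped data: it flags Security Group rules that expose management ports to the whole internet, and EC2 instances whose Patch Manager state reports missing patches or a scan too old to serve as evidence. The security group and patch state records are constructed here to mirror the shape of `describe_security_groups` and `describe_instance_patch_states` output; the admin port list, the fixed "now" timestamp and the 7-day scan-age threshold are assumptions for the example, not values from the article.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network

# Management ports an assessor expects never to be reachable from the internet.
# Assumed policy list for this example, not a value from the article.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM over TLS"}

# Constructed "now" so the example is deterministic offline.
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)


def world_open_admin_rules(security_groups):
    """Firewall control: one finding per (group, port, source) where a management
    port is reachable from any address (0.0.0.0/0 or ::/0).
    `security_groups` mirrors the shape of EC2 describe_security_groups output."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":               # "all traffic" rules carry no port fields
                low, high = 0, 65535
            elif proto == "tcp":
                low, high = perm["FromPort"], perm["ToPort"]
            else:
                continue                    # udp/icmp cannot expose these TCP ports
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if ip_network(cidr, strict=False).prefixlen != 0:
                    continue                # scoped to a range, not world-open
                for port, service in ADMIN_PORTS.items():
                    if low <= port <= high:
                        findings.append({
                            "GroupId": sg["GroupId"], "Port": port, "Service": service,
                            "Source": cidr,
                            "Remediation": "restrict source to bastion/VPN ranges or delete the rule",
                        })
    return findings


def patch_compliance_findings(patch_states, now=NOW, max_scan_age_days=7):
    """Patch management control: flag instances reporting missing or failed
    patches, and instances whose last scan is too old to count as evidence.
    `patch_states` mirrors SSM describe_instance_patch_states entries."""
    findings = []
    for state in patch_states:
        missing, failed = state.get("MissingCount", 0), state.get("FailedCount", 0)
        if missing or failed:
            findings.append({"InstanceId": state["InstanceId"],
                             "Issue": f"{missing} missing, {failed} failed patches",
                             "Remediation": "run Patch Manager install and re-scan"})
        age = now - state["OperationEndTime"]
        if age > timedelta(days=max_scan_age_days):
            findings.append({"InstanceId": state["InstanceId"],
                             "Issue": f"last patch scan {age.days} days old",
                             "Remediation": "check SSM agent and maintenance window"})
    return findings


# Constructed sample data: one SSH rule open to the world, one web rule that is
# fine, and a legacy "all traffic" rule open over IPv6.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
SAMPLE_PATCH_STATES = [
    {"InstanceId": "i-0aaa", "MissingCount": 3, "FailedCount": 0, "OperationEndTime": NOW - timedelta(days=1)},
    {"InstanceId": "i-0bbb", "MissingCount": 0, "FailedCount": 0, "OperationEndTime": NOW - timedelta(days=20)},
    {"InstanceId": "i-0ccc", "MissingCount": 0, "FailedCount": 0, "OperationEndTime": NOW - timedelta(days=2)},
]

if __name__ == "__main__":
    for finding in world_open_admin_rules(SAMPLE_SECURITY_GROUPS) + patch_compliance_findings(SAMPLE_PATCH_STATES):
        print(finding)
```

Both checks return structured findings rather than printing, so the same functions can feed a ticketing queue or be kept as the dated evidence an assessor asks for. Note that a `/0` source is the signal, not a port number alone: port 443 open to the world is an expected web rule, while port 22 open to the world is a finding regardless of what else the group allows.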
The Shared Responsibility Model: Your Most Important Compliance Concept
Every cloud compliance conversation must start with the shared responsibility model. AWS and Azure are responsible for security of the cloud: the physical infrastructure, hypervisor, and managed service foundations. You are responsible for security in the cloud: your configurations, your data, your identities, and your applications.
This distinction matters enormously for compliance. When an assessor asks whether your databases are encrypted at rest, the answer isn’t “we’re on AWS, so yes.” The answer depends on whether you have enabled encryption on your RDS instances, S3 buckets, and EBS volumes. The cloud provider gives you the capability; you’re responsible for using it.
Understanding and documenting where responsibility lies, and being able to demonstrate it, is the foundation of cloud compliance. We recommend maintaining a shared responsibility matrix for each compliance framework, mapping every control to either the provider’s responsibility, your responsibility, or a shared responsibility, with evidence sources identified for each.
Building Audit-Ready Cloud Environments
Rather than scrambling to gather evidence before an assessment, the most effective approach is to build cloud environments that are inherently audit-ready. Here’s what that looks like in practice.
Secure Landing Zones as the Foundation
A cloud landing zone is the baseline environment into which workloads are deployed. When designed with compliance in mind, it enforces security controls by default so that teams deploying workloads into the environment inherit those controls without additional effort.
At Mobilise, our landing zone designs include: encryption enabled by default across all storage and database services, CloudTrail and Azure Activity Log enabled across all accounts and subscriptions, centralised logging to a tamper-proof log archive, IAM boundaries that prevent privilege escalation, network designs that restrict public internet access by default, and guardrails implemented through AWS Service Control Policies or Azure Policy that prevent non-compliant configurations.
This approach means that compliance isn’t a layer added on top of infrastructure; it’s built into the infrastructure itself.
Infrastructure as Code for Repeatable Evidence
When your infrastructure is defined in Terraform, CloudFormation, or Bicep, every configuration decision is version-controlled, peer-reviewed, and auditable. This provides assessors with a clear record of what was deployed, when, and by whom.
More importantly, Infrastructure as Code enables consistency. If your landing zone template enforces encryption, every environment provisioned from that template is encrypted. Manual configuration leads to drift; code prevents it.
Automated Compliance Monitoring
Continuous compliance monitoring tools run against your cloud environment and flag deviations from your chosen benchmarks in real time. AWS Security Hub aggregates findings from GuardDuty, Inspector, and Config, and scores them against frameworks like CIS. Azure Defender for Cloud provides a similar unified view with a regulatory compliance dashboard.
The key is not just enabling these tools but acting on their findings. Establish SLAs for remediation of critical and high-severity findings. Automate remediation where possible, using AWS Config conformance packs, for example, to automatically re-enable encryption on an S3 bucket that’s been misconfigured or made public, or to revoke an IAM key that hasn’t been rotated within policy.
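To make the two remediation cases above concrete, here is an added example (not code from the article or from Mobilise) of the evaluation step that sits in front of any automated fix: it flags active IAM access keys older than a rotation policy, flags S3 buckets that are public or lack default encryption, and stamps each finding with a due date derived from a severity-based SLA. The key and bucket records are constructed to mirror `list_access_keys`, `get_public_access_block`, `get_bucket_policy_status` and `get_bucket_encryption` results; the 90-day rotation window, the SLA table, the fixed "now" and the sample names are assumptions for the example. The `Action` field names the AWS API call a remediation runbook would make, but this example only evaluates and never calls AWS.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)      # constructed, deterministic

# Assumed policy values for the example: rotation window and remediation SLAs.
KEY_MAX_AGE_DAYS = 90
SLA_DAYS = {"critical": 1, "high": 7, "medium": 30}


def stale_access_keys(keys, now=NOW, max_age_days=KEY_MAX_AGE_DAYS):
    """Flag active IAM access keys older than the rotation policy.
    `keys` mirrors IAM list_access_keys AccessKeyMetadata entries."""
    findings = []
    for key in keys:
        if key["Status"] != "Active":
            continue                                    # already disabled
        age = (now - key["CreateDate"]).days
        if age > max_age_days:
            findings.append({"Resource": f"{key['UserName']}/{key['AccessKeyId']}",
                             "Severity": "high",
                             "Issue": f"access key {age} days old (policy {max_age_days})",
                             "Action": "iam update_access_key Status=Inactive, delete after grace period"})
    return findings


def bucket_findings(buckets):
    """Flag S3 buckets that are public or lack default encryption. Each entry
    combines get_public_access_block, get_bucket_policy_status and
    get_bucket_encryption results into one constructed dict."""
    pab_keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    findings = []
    for bucket in buckets:
        pab = bucket.get("PublicAccessBlock", {})
        if bucket.get("PolicyStatus", {}).get("IsPublic"):
            findings.append({"Resource": bucket["Name"], "Severity": "critical",
                             "Issue": "bucket policy grants public access",
                             "Action": "remove public statements via put_bucket_policy"})
        if not all(pab.get(k) for k in pab_keys):
            findings.append({"Resource": bucket["Name"], "Severity": "high",
                             "Issue": "public access block not fully enabled",
                             "Action": "put_public_access_block with all four settings true"})
        if not bucket.get("DefaultEncryption"):
            findings.append({"Resource": bucket["Name"], "Severity": "high",
                             "Issue": "no default encryption",
                             "Action": "put_bucket_encryption (SSE-KMS)"})
    return findings


def with_due_dates(findings, now=NOW):
    """Attach the remediation deadline implied by each finding's severity SLA."""
    return [dict(f, DueBy=now + timedelta(days=SLA_DAYS[f["Severity"]])) for f in findings]


# Constructed sample data; key ids are placeholders, not real credentials.
SAMPLE_KEYS = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE00000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=200)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE00000002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=30)},
    {"UserName": "old-svc", "AccessKeyId": "AKIAEXAMPLE00000003", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=400)},
]
SAMPLE_BUCKETS = [
    {"Name": "gov-logs-archive",
     "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                           "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
     "PolicyStatus": {"IsPublic": False}, "DefaultEncryption": "aws:kms"},
    {"Name": "legacy-exports",
     "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                           "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
     "PolicyStatus": {"IsPublic": True}, "DefaultEncryption": None},
]

if __name__ == "__main__":
    for finding in with_due_dates(stale_access_keys(SAMPLE_KEYS) + bucket_findings(SAMPLE_BUCKETS)):
        print(finding)
```

Keeping evaluation separate from the fix is deliberate: the finding list, with its due dates, is the artefact you retain as evidence that the SLA was met, and the remediation runbook (a Config rule with an SSM Automation document, or a scheduled job) consumes it rather than re-deriving the state.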
Documented Incident Response
Every compliance framework expects you to have an incident response plan. For cloud environments, this plan needs to account for cloud-specific scenarios: compromised IAM credentials, exposed storage buckets, unauthorised API calls, and data exfiltration through cloud services.
Your plan should be documented, tested through tabletop exercises or simulated incidents annually, and integrated with your cloud monitoring tools so that detection feeds directly into response workflows.
A Practical Compliance Roadmap
For organisations looking to strengthen their compliance posture across GovAssure, Cyber Essentials Plus, and ISO 27001, we recommend the following phased approach.
Assess your current state. Conduct a gap analysis against each framework, focusing on cloud-specific controls. Identify where your environment meets requirements, where it falls short, and where you lack visibility.
Remediate the highest-risk gaps first. Prioritise findings that represent the greatest risk — typically around identity and access management, encryption, and logging. These are also the controls most commonly examined in assessments.
Automate your baselines. Implement Infrastructure as Code for your landing zones and policy-as-code for your guardrails. Enable continuous compliance monitoring and establish remediation workflows.
Build evidence collection into operations. Don’t wait for an assessment to gather evidence. Ensure that access reviews, configuration audits, and incident response tests are conducted on a regular schedule, with results documented and stored in an accessible format.
Invest in team capability. Compliance in the cloud requires a different skill set than compliance in traditional environments. Ensure your teams understand the shared responsibility model, can navigate cloud-native security tooling, and are comfortable producing evidence from cloud management consoles and APIs.
How Mobilise Can Help
Compliance at the intersection of cloud infrastructure and government security frameworks is complex. It requires deep expertise in both cloud architecture and the specific requirements of UK public sector assurance.
Mobilise brings both. We’ve delivered cloud migrations and platform builds for organisations including the College of Policing, DVLA, The National Archives, and the Home Office, all of which operate under stringent security and compliance requirements. Our own ISO 27001 and Cyber Essentials Plus certifications mean we practise the same disciplines we recommend to our clients.
Whether you need a compliance gap analysis, a secure landing zone build, or ongoing support to maintain audit readiness, we’re here to help. Get in touch.