UK Public Sector AI Delivery: What ISO 27001 and Cyber Essentials Plus Require


Close these five gaps before your architecture is finalised, and your AI project will clear CE+ and ISO 27001 on the first attempt, and be ISO 42001-ready before procurement requires it.

CE+ v3.2 (Willow), mandatory since April 2025, placed every cloud service in scope and made MFA gaps and missed patches automatic disqualifiers. 

ISO 27001:2022, required since October 2025, extended governance obligations to AI assets, cloud suppliers, and ML infrastructure. A clean audit on a traditional IT estate provides no assurance that the AI workloads built on top of it are covered.

TL;DR

  • CE+ v3.2 (Willow) is mandatory for every G-Cloud supplier. Your hyperscaler’s certification covers none of your workloads.
  • Your 2013 ISO 27001 certificate expired in October 2025.
  • Five gaps kill first assessments: cloud scoping, ISMS coverage, API governance, ML patching, and AI incident response. All fixable at the design stage; none fixable cheaply afterwards.
  • The compliance liability sits with the buying organisation.
  • Get ISO 27001 scoped correctly now. It cuts ISO 42001 certification time by 30–40% when procurement requires it.

Below is a precise account of what each standard requires, where AI deployments consistently fall short, and what to fix before your first assessor arrives.

Why Your Last Compliance Audit Does Not Cover Your Current AI Project

According to SQ Magazine, the UK public sector cloud market is worth around £6 billion, with £3.1 billion transacted through G-Cloud in 2023 and 2024. G-Cloud remains the primary procurement route across government departments, local authorities, and arm’s-length bodies. The compliance threshold has since risen sharply. 

CCS confirmed in December 2025 that Cyber Essentials is now mandatory for all G-Cloud 15 Lots, a requirement that did not exist under G-Cloud 14. Cyber Essentials Plus is specifically required for Lots 1a and 1b.

[Figure: UK public sector AI compliance timeline from the EU AI Act (2024) to ISO 42001 procurement requirements (2027), including the CE+ Willow, ISO 27001:2022, and GovAssure deadlines]

The National Procurement Policy Statement, in force from February 2025 under the Procurement Act 2023, stipulates that contracting authorities must mitigate supply chain and national security risks by ensuring appropriate controls are in place. Compliance responsibility now sits with the buying organisation, and not only with the supplier.

A third pressure point arrived in 2026. GovAssure, the UK government’s cyber security compliance regime built on the NCSC’s Cyber Assessment Framework v4.0, required all organisations to submit assessments via WebCAF by 31 March 2026. From the 2026–27 cycle, third-party audits under the Cyber Resilience Audit scheme became the standard. Auditors now require logs, penetration test results, and proof of immutable backups. Self-assessment, in other words, is over.

GovAssure’s first-year results found significant gaps in departments’ cyber security and resilience, including widespread low maturity in fundamental controls such as asset management, protective monitoring, and response planning. (source: gov.uk)

AI projects are where this creates the sharpest exposure. They introduce infrastructure patterns, third-party dependencies, and data flows that sit outside the scope of a traditional IT compliance assessment. An organisation can hold a current ISO 27001 certificate and a valid CE+ and still carry exploitable gaps in the AI stack built on top of that estate. The standards cover what they were asked to cover. CTOs need to ask them to cover more.

A misconfigured UK visa portal recently exposed 100,000 passport records, the kind of gap that passes a traditional audit and still leaks citizen data. 

CE+ v3.2 (Willow): Three Requirements That Directly Affect AI and Cloud Delivery

Requirement 1: Every Cloud Service Is in Scope, Including Your AI Workloads

Cyber Essentials v3.2 became mandatory on April 28, 2025. It introduced the first formal definition of a cloud service within the scheme and confirmed that cloud services cannot be excluded from assessment scope. Assessors require a complete inventory of every SaaS, IaaS, and PaaS service in use, verified against whether it stores or processes organisational data.

Model training jobs spin up GPU clusters on demand. Inference endpoints run on managed cloud platforms. Data pipelines span multiple environments within a single project. Each of these is in scope under Willow. A service inventory built around traditional IT misses them, and assessors are specifically checking for the gap.

Requirement 2: MFA Gaps on Any Cloud Service Trigger Automatic Failure

CE+ v3.2 made MFA enforcement across cloud services a hard pass-or-fail condition. Only 47% of UK businesses currently have comprehensive MFA across their cloud estate (GOV.UK, April 2026). For public sector AI projects accessing citizen data or government systems, the risk attached to this gap extends well beyond certification status.

Before booking a CE+ assessment, map MFA coverage across every cloud service in use. Developer tooling, model registries, and data pipeline endpoints all count, in addition to the services your central IT team manages day to day.

Requirement 3: Critical Patches Must Be Applied Within 14 Days, With No Exceptions

CE+ v3.2 introduced two new auto-fail questions requiring all high-risk and critical security updates to be applied within 14 days of release. This applies to operating systems, firmware, applications, and browser extensions. Change-board cycles longer than 14 days do not satisfy this requirement.

Kubernetes nodes, model serving containers, GPU drivers, and ML framework dependencies all fall within scope. These components are routinely excluded from standard patch management cycles. If your team cannot produce dated evidence of compliance with the 14-day window for every one of these assets, the assessment will fail on that basis alone.

ISO 27001:2022 and AI Delivery: What the Revised Standard Now Requires

CE+ establishes the security baseline. ISO 27001 governs the risk management layer above it: supplier security, asset classification, incident response governance, and controls across the full information lifecycle. Both are required for most public sector AI contracts involving sensitive or personal data.

The 2022 revision, mandatory since October 2025, reduced the control set from 114 controls across 14 domains to 93 controls and added new categories covering cloud services, threat intelligence, and supplier relationships. Organisations still holding a 2013-based certificate are outside compliance and need to initiate recertification.

The most consequential requirement for AI delivery is ISMS scope. ISO 27001 requires an Information Security Management System that covers every stage of the information lifecycle. For AI projects, that explicitly includes data collection, model training, deployment, and ongoing inference monitoring. 

Training datasets, model weights, inference APIs, and the cloud environments hosting them are information assets under the standard. An ISMS scoped around a traditional IT estate leaves them ungoverned, and a governance gap that is invisible on paper remains fully exploitable in production.

5 Gaps That Cause Public Sector AI Projects to Fail Their First Compliance Assessment

Each gap below is fixable at design stage. Left until the assessment, each one either triggers a failure or generates a remediation burden that delays deployment.

  1. Cloud services mapped incorrectly. Running workloads on AWS, Azure, or Google Cloud does not extend the hyperscaler’s own accreditations to your workloads, configurations, or data. Under CE+ Willow, every service your organisation uses must be individually listed and assessed. Build the full service inventory before the CE+ assessment is opened, and include every AI-related resource regardless of how briefly it runs.
  2. AI assets absent from the ISMS register. Training datasets, model weights, and inference APIs are information assets under ISO 27001:2022. Absent from the asset register, they receive no risk treatment: no classification, no access controls, no retention policy, and no incident response procedure. Add them to the register, assign an owner and a classification level, and define a retention policy before the ISO 27001 assessment scope is agreed.
  3. Third-party AI APIs treated as tools rather than suppliers. ISO 27001 Annex A.5.19 and the NCSC Cloud Security Principles both require documented supply chain security practices covering subcontractors. An LLM API or model-as-a-service endpoint receives your organisation’s data. That makes it a supplier under the standard. Initiate a formal security review before approving the data flow, and record the outcome in your supplier register.
  4. ML infrastructure excluded from patch governance. Kubernetes nodes, model serving containers, and GPU drivers fall outside the patch management cycle in most IT estates. Under CE+ v3.2, a critical patch still not applied after 14 days is an automatic fail condition. Under ISO 27001:2022, it is a documented vulnerability management gap. Bring these assets into your patch governance process and generate the evidence trail before the assessment window opens.
  5. Incident response plan scoped to traditional IT only. CE+ requires an incident response plan. ISO 27001:2022 requires it to be tested. A plan scoped around conventional IT incidents does not address model poisoning, data exfiltration via inference endpoints, or supply chain attacks on ML dependencies. Add these scenarios, assign response owners, and run a tabletop exercise before your project goes live.
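As an added example (not the article's or Deployflow's own tooling), the check below takes a constructed inventory of ML infrastructure patch records and classifies each one against the 14-day window described under Requirement 3 and Gap 4, producing the dated evidence trail an assessor asks for. Asset names, dates, and the rule that a fix applied on day 14 exactly still counts as within the window are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# CE+ v3.2 (Willow): high-risk and critical updates within 14 days of release.
PATCH_WINDOW_DAYS = 14
IN_SCOPE_SEVERITIES = {"critical", "high"}

@dataclass(frozen=True)
class PatchRecord:
    asset: str               # ML asset: GPU node, serving container, notebook VM, ...
    component: str           # what the update patches (driver, base image, framework)
    severity: str            # vendor severity: critical / high / medium / low
    released: date           # vendor release date of the fix
    applied: Optional[date]  # date applied, None while still outstanding

@dataclass(frozen=True)
class Finding:
    asset: str
    component: str
    status: str              # compliant | late | overdue | pending | not_in_scope
    days_elapsed: int        # release -> applied, or release -> today if outstanding
def assess(record: PatchRecord, today: date) -> Finding:
    """Classify one record against the 14-day window.
    Assumption: a fix applied on day 14 exactly still counts as within the window."""
    if record.severity.lower() not in IN_SCOPE_SEVERITIES:
        end = record.applied or today  # tracked for the register, but no auto-fail
        return Finding(record.asset, record.component, "not_in_scope", (end - record.released).days)
    if record.applied is None:
        elapsed = (today - record.released).days
        status = "overdue" if elapsed > PATCH_WINDOW_DAYS else "pending"
    else:
        elapsed = (record.applied - record.released).days
        status = "compliant" if elapsed <= PATCH_WINDOW_DAYS else "late"
    return Finding(record.asset, record.component, status, elapsed)

def evidence_report(records: List[PatchRecord], today: date) -> List[Finding]:
    """Dated evidence trail: one finding per asset/component pair."""
    return [assess(r, today) for r in records]

def auto_fail(findings: List[Finding]) -> bool:
    """True if any in-scope update would trip the CE+ auto-fail questions."""
    return any(f.status in ("late", "overdue") for f in findings)

# Constructed sample inventory; asset names and dates are illustrative only.
SAMPLE = [
    PatchRecord("gpu-node-01", "nvidia-driver", "critical", date(2026, 3, 2), date(2026, 3, 10)),
    PatchRecord("gpu-node-02", "nvidia-driver", "critical", date(2026, 3, 2), None),
    PatchRecord("inference-api", "serving base image", "high", date(2026, 3, 1), date(2026, 3, 15)),
    PatchRecord("k8s-worker-a", "kubelet", "high", date(2026, 3, 20), None),
    PatchRecord("notebook-vm", "jupyter", "medium", date(2026, 2, 1), None),
]
TODAY = date(2026, 3, 25)  # constructed assessment date
```

Running `evidence_report(SAMPLE, TODAY)` marks gpu-node-02 overdue (23 days, no fix applied) and inference-api compliant on the day-14 boundary, so `auto_fail` returns True for this inventory.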

ISO 42001: Start Building Readiness Now, Before Procurement Requires It

ISO 42001, the AI Management System standard, is not yet a routine UK public sector procurement requirement. The direction of travel is unambiguous. The EU AI Act entered into force in August 2024, with enforcement for high-risk AI systems beginning in February 2026. UK public sector bodies procuring AI tools that interact with EU data or EU-market systems are already within its reach.

The structural advantage for CTOs is that ISO 27001 and ISO 42001 share significant architectural overlap. Risk management methodology, incident management procedures, audit planning, and training frameworks all transfer directly. 

An organisation with a correctly scoped ISO 27001 ISMS can reach ISO 42001 compliance 30 to 40% faster than one building from scratch.

Closing the five gaps above is therefore dual-purpose work. It resolves the current compliance requirement and establishes the foundation that ISO 42001 certification will build on. The teams that get ISO 27001 scoped correctly now will move fastest when procurement requires the next standard.

ISO 27001 to ISO 42001: What Transfers and What Doesn’t

[Figure: ISO 27001 to ISO 42001 transfer map showing what carries over, what needs extension, and what is net-new for UK public sector AI compliance]

Public Sector AI Compliance Checklist: What to Complete Before Your Audit

Work through the checklist below before scoping your architecture. Each item maps to a specific requirement and the evidence an assessor will expect to see. None of it requires significant additional budget, only deliberate scoping decisions made early.

[Figure: Public sector AI compliance checklist mapping five pre-audit actions to CE+ Willow and ISO 27001:2022 requirements, with the evidence to produce for each]

What Makes Deployflow Different on Public Sector AI Delivery

Most delivery partners treat compliance as a checkpoint at the end of a build. Deployflow architects for it from the first design decision, which is the difference between passing an assessment and rebuilding to pass a second one.

Two things set the approach apart. 

The first is senior engineering: the team includes solution engineers who have delivered national-scale platforms at organisations including Vodafone and Lloyds Banking Group, so governance, auditability, and security are designed into the architecture. 

The second is a governance-first delivery model. One recent project ran at a national scale within a critical national infrastructure environment. Every environment was provisioned through a modular infrastructure-as-code framework. Each one automatically inherited the required security, networking, and governance policies. Configuration drift, one of the most common audit failures, was engineered out. Every change was tracked through GitOps, satisfying regulatory requirements by default.

Public Sector AI Case Study: National-Scale Decision Intelligence at Speed

A multi-billion-dollar public-sector organisation responsible for monitoring social and economic well-being engaged Deployflow to design a national-scale AI platform. Fragmented data sat across surveys, spreadsheets, and regional systems, leaving leadership without a complete real-time picture. Deployflow consolidated those disconnected sources into a single decision-intelligence layer, with AI pipelines entirely replacing manual data classification.

What the client gained:

  • 1 unified data layer merging multiple disconnected systems into a single AI-powered intelligence platform
  • 24/7 real-time data ingestion and signal monitoring at national scale, replacing manual reporting
  • Fully automated AI pipelines classifying survey, spreadsheet, and regional data without manual handling
  • 6- to 12-month deployment path scoped from proof of concept to production for a national-scale programme

The outcome moved leadership from fragmented reporting to live oversight of how policy decisions affect community outcomes over time.

That combination of senior delivery expertise and governance-by-design is what Deployflow brings to DevOps and AI platform services for the public sector, where compliance, security, and scale have to hold together from day one.

“Working with Deployflow has been a game-changer for our organisation. From the outset, their team demonstrated a deep understanding of our needs and challenges. Their expertise in streamlining our development and operations processes has significantly improved our efficiency and productivity.

One of the most impressive aspects of Deployflow is their commitment to delivering customised solutions. They took the time to understand our specific requirements and crafted a strategy that perfectly aligned with our goals.”

Dan Rafferty, CTO at Strike

Closing compliance gaps requires the same engineering discipline that makes AI platforms perform at scale; the two are the same problem approached from different angles. Deployflow’s AI engineering and automation services are built around that principle: governance, security, and delivery designed together from the first sprint. 

Get Your AI Project Audit-Ready Before the First Assessment Window Opens

Deployflow’s AI Delivery Assessment provides public-sector CTOs with a structured gap analysis mapped to CE+, ISO 27001, and G-Cloud procurement requirements. 

The engagement covers your project’s specific infrastructure, data flows, and third-party dependencies, and produces a prioritised remediation plan, along with the evidence documentation that certifying bodies require.

Teams that complete the assessment before the architecture is finalised avoid the costs and delays of post-audit remediation. The deliverables are directly usable in procurement submissions and board-level compliance reporting.

Book a scoping call with the Deployflow team to assess your AI project’s readiness against CE+, ISO 27001, and G-Cloud requirements before your assessment window opens.

This article focuses on the compliance requirements; for the architecture and delivery side, our technical guide to public sector AI covers how to build these platforms in practice. 

UK Public Sector AI Compliance: Frequently Asked Questions

Will our AWS or Azure setup automatically satisfy Cyber Essentials Plus? 

No. Hyperscaler certifications cover the underlying infrastructure platform, not your workloads, configurations, or data. Under CE+ Willow (v3.2), every cloud service your organisation uses must be individually listed and assessed, including AI workloads running on those platforms. Build a complete service inventory before the assessment is opened.

Our ISO 27001 certificate was issued in 2023. Do we need to recertify?

It depends on which version of the standard was assessed. ISO 27001:2022 became mandatory in October 2025. Certificates issued against ISO/IEC 27001:2013 are no longer valid. If your certificate references the 2013 version, contact your certifying body to initiate recertification. The 2022 revision added new categories covering cloud services, threat intelligence, and supplier relationships that are directly relevant to AI delivery.

How quickly can an existing ISMS be extended to cover AI assets? 

Four to eight weeks is typical for a functioning ISO 27001:2022 ISMS, but the constraint is almost never time. It is documentation quality. Asset registers built around traditional IT tend to lack the ownership and classification granularity that AI assets require. Before starting the extension, audit what the current register actually contains rather than assuming it is current.

Can UK public sector data be processed by a US-based AI provider?

It can, but check your contract’s data residency clauses before approving the data flow. 

Most major providers now offer UK or EU regional endpoints and data processing agreements that keep inference within an approved jurisdiction. Where a provider cannot guarantee regional processing, deploying a model within your own cloud tenancy is the cleaner route. The supplier security review under ISO 27001 Annex A.5.19 is where this confirmation should be documented, including whether the provider uses your data for model training.

How long does Cyber Essentials Plus certification take for an AI deployment? 

Plan for four to eight weeks from readiness to certification, though the gap analysis and remediation work beforehand is usually the longer part. 

The assessment itself is quick once controls are in place. The time is consumed by closing gaps that the standard exposes, particularly around cloud service scope and MFA enforcement across all platforms. For AI deployments specifically, bringing ML infrastructure into the 14-day patching cycle and producing the dated evidence trail is the work most teams underestimate. Starting the gap analysis before architecture is finalised removes the most common cause of delay.