Governance Framework | Cloud industry forum

Governance Framework

Dual Governance Streams

CIF is a membership-based not-for-profit organisation answerable to its members. It has two separate governance streams: one for business activity (the Management Board responsible for administration, development, finance and similar) and one for governance of the CIF Code of Practice scheme (the Code Governance Board). This sheet is primarily concerned with governance issues related to the Code of Practice.

Code Governance Board

CIF established the Code Governance Board to have responsibility for overseeing CIF’s Code of Practice (‘CoP’). To that end the Code Governance Board oversees the conduct of the administration of the CIF CoP by reviewing CIF’s management activity and processes. The Code Governance Board discharges some of its responsibilities directly and otherwise delegates to its committees. The Code Governance Board’s responsibility is limited to overseeing the CIF CoP. The responsibility for the day-to-day management and operation of CIF’s business lies with its Management Board directors and members.

CIF members elect a party of 12 representatives and independent advisors to sit on the Code Governance Board of CIF. The Code Governance Board is chaired by a member representative on a bi-annual basis. Membership of the Code Governance Board is bi-annual and made up as follows:

  • 4 Members from industry
  • 3 Members from end-user organisations
  • 3 Members from independent advisors (academics, IT standards champions, influencers, etc).
  • 2 Members from IT legal practice

An additional 4 non-voting seats will be reserved for representatives of formally recognised partner organisations that are aligned to the Code
by specialism (e.g. technology or security standards) or by international focus (extending the reach of the Code).

The Code Governance Board is responsible for the following:

  • approving the CIF CoP ‘s goals, objectives and strategies
  • identifying the principal risks of the CIF CoP ‘s operations and scope and overseeing the implementation of appropriate risk assessment systems to manage these risks
  • reviewing and approving changes to the CIF CoP
  • reviewing and approving the CIF CoP ‘s financial performance to ensure it operates viably
  • monitoring participant appeals, third party complaints and operational standards and consistency associated to the operation of the CIF CoP
  • assessing its own effectiveness in fulfilling its responsibilities, including monitoring the effectiveness of individual Representatives
  • ensuring the integrity of the CIF CoP ’s internal control system and management information systems.

Development and Maintenance of the Code

The Code will be developed by CIF under the direction of the Management Board.
All changes to the Code shall be approved by the Code Governance Board, which shall also provide guidance as to the CoP’s goals, objectives and strategies.

Audit and Appeal

In order for the Code Self-Certification process to be credible and trusted it needs to have an appropriate enforcement model to challenge any false submissions.

These validations will be based upon either a random audit, external complaint or a whistle blower alert. As such CIF will manage an audit process (directly or through accredited 3rd parties) and will have the capability and authority to enforce removal of the Certification Mark from organisations deemed not to have complied with the Code. Independent Certification will only be enabled through bodies approved and accredited by CIF and as such the process of carrying out an Independent Certification will automatically imbue the participant with a higher degree of trust than is achieved through Self-Certification.

If an external complaint or whistle blower statement is made about a self-certified participant that questions the validity of their declaration, the participant will be allowed to know the nature of the complaint and to provide any evidence to uphold their position as self-certified to the Code. CIF will operate a Compliance Committee to oversee complaints and decide on their validity. In the event that the Compliance Committee upholds the complaint, the self-certified participant shall have the ability
to challenge the findings by appeal to the Code Governance Board. The opinion of the Code Governance Board is final and no further route of appeal is available.

The CIF Compliance Committee will acknowledge all complaints and reserve the right to publish opinions publicly. Only the Code Governance Board or its nominated representative/s will approve any public comment on complaints.


The APM Group (APMG was established in 1993 and is a global business providing accreditation and certification services. APMG has a worldwide presence, with offices in Australia, China, Denmark, Germany, India, Italy, Malaysia, the Netherlands, the UK and the US. APMG has been working with CIF to help set up the administration behind the Code of Practice scheme.

APMG will use its independence to ensure those organisations which sign up to CIF and the Code of Practice registration and assessment are confident of an impartial, reasonable, consistent and professional approach to the processing of their information and assessments.

APMG will also attend the Code Governance Board to provide a direct route for feedback from applicants working through the scheme into this monitoring body.

APMG does not provide any commercial services within the Cloud and so are able to complete the assessments of organisations without any conflict of interest, protecting the integrity and confidentiality of the information provided as part of the application process.

Collaboration with Standards Organisations and Related Bodies

By nature of the industry CIF will need to operate on an international stage as the Cloud has no geographic boundary (though our legal remit will focus initially on the UK). CIF will collaborate and endorse appropriate security and technical interoperability standards that are outside of, but complement, the Code.

CIF participates in the activities of ISO/IEC JTC1 SC38 which includes cloud computing via CIF’s participation in the corresponding committee of the British Standards Institution.

CIF also actively cooperates with other industry bodies with similar interests. It has a formal liaison relationship with the Computer Security Alliance (CSA) and includes coverage of the CSA’s Consensus Assessments Initiative Questionnaire in the CoP.