Airbus Defence and Space Limited

Trusted Certificate Service

Trusted Certificate Service ensures confidentiality through encryption and the integrity of users, devices and data. It simplifies the trusted user experience whilst making system penetration more complicated and difficult. The implementation pattern aligns with the UK government recommendations from GDS and is the only UK certificate service that has NCSC accreditation.

Features

  • Secure private network connectivity PGA Accredited to SECRET
  • End to end credential lifecycle management enabling auditing and reporting
  • Integrates with wider Logical and Physical IDAM deployment
  • Supports issuance of credentials to mobile devices enabling secure BYOD
  • Market-leading service level agreements and architecture options
  • Provision of latest cyber security technologies, systems and management tools
  • Complete implementation service, from initial survey to live operations
  • Provides the trust element for authentication and interchange of data
  • Conforms to PSN and NCSC accreditation standards

Benefits

  • Airbus is vendor agnostic and able to deliver best value
  • Airbus provides trusted advisor service in cyber security
  • Offers customers complete control over certificate management
  • High availability 24x7 for mission critical applications
  • Dedicated support including service management with aligned SLAs
  • Access to highly skilled, UK security cleared engineers and advisors
  • Low risk transition and transformation management
  • Customisable options to enhance the protection of services
  • IA expertise to guide users through Government Security Policy Framework
  • Implemented to industry best practice and NCSC assurance standards

Pricing

£30 per person per year

Service documents

G-Cloud 10

168148898458533

Airbus Defence and Space Limited

Airbus Customer Service Operation Centre

+44 (0) 1633715000

CSOC@airbus.com

Service scope

Software add-on or extension: No
Cloud deployment model: Community cloud
Service constraints: At time of publication there are no known constraints
System requirements: Certificate Practice Statement (Identifies full system requirements)

User support

Email or online ticketing support: Email or online ticketing
Support response times: Dependent on agreed SLA and hours of support selected
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: WCAG 2.0 AAA
Phone support: Yes
Phone support availability: 24 hours, 7 days a week
Web chat support: No
Onsite support: No
Support levels: Airbus offers a 3-tiered support capability that incorporates technical and engineering assistance from initial system diagnostics to remote access support to the service users. This technical support is underpinned by incident and problem management and other service management capabilities dependent on what the customers select as a necessity to meet their requirements. An account manager or service delivery manager will be provided as part of the standard support provision.
The cost of support is dependent on the level of support required by the customer.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: Implementation activities shall include:
  • Establishment of key contacts
  • Assignment of a project office representative to remotely manage your deployment. Any on-site project management presence is chargeable in accordance with the G-Cloud SFIA price list
  • Validation of the technical solution with a solution architect and further consultation with the customer if required. This is to ensure the business needs of the Customer are met
  • Co-ordination of data capture and data validation activities with Airbus technical staff, which may include WAN/LAN compliancy and any bespoke security requirements
  • Production of an initial draft project plan with target dates for key milestones including “go-live” of the deployment (or discrete phases of the deployment, if required) and user training (where necessary)
  • Liaison with the customer throughout the deployment period
Service documentation: Yes
Documentation formats:
  • HTML
  • PDF
End-of-contract data extraction: Keys will be destroyed in line with customer security policies
End-of-contract process: Trusted Certificate Service has a minimum term period of 30 days, therefore the service will continue to be invoiced on a monthly basis until terminated.
If the customer wishes to cancel the service, a minimum written notice of 30 days must be issued to Airbus and the termination date shall be 30 days from receipt of the cancellation notice. The service shall be invoiced until the end of the month in which the termination date occurs.
In the event Airbus wishes to terminate the service, it shall issue no less than six months' notice to the customer.

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: As this service is a web-based service, there is no difference between mobile or desktop devices
Accessibility standards: WCAG 2.0 AAA
Accessibility testing: Currently the system has not been tested with users of assistive technology; however, this technology is usually built into the web browser
API: No
Customisation available: Yes
Description of customisation: Web interface can be customised

Scaling

Independence of resources: HA architecture built to industry best practice standards

Analytics

Service usage metrics: Yes
Metrics types: Airbus provides metrics through its service reporting capability, including the number of service impacting incidents by priority, changes and service requests raised, open and closed, the volume of contacts received to the service desk and SLA metrics. Metrics are owned by an account manager and provided to customers at agreed timescales or on an ad hoc basis if required. They form the basis of Continual Service Improvement initiatives in line with customers' business requirements.
Reporting types:
  • Regular reports
  • Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Conforms to BS7858:2012
Government security clearance: Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type: Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Web-based interface for certificate issuance
Data export formats: Other
Other data export formats: Certificate
Data import formats: CSV

Data-in-transit protection

Data protection between buyer and supplier networks:
  • Private network or public sector network
  • IPsec or TLS VPN gateway
Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: Service availability is calculated as a percentage of the total time in a service period that the service is available to the customer (excluding planned downtime). This is calculated using the following formula:
Achieved availability % = ((MP – SD) × 100) / MP
MP is the total time within the agreed service time (excluding planned downtime, imposed carrier downtime and any unavailability attributable to severity 3 or severity 4 incidents) within the relevant service period.
SD is the total service downtime within the agreed service time within the relevant service period during which a service and/or part thereof is unavailable (excluding planned downtime, imposed carrier downtime and any unavailability attributable to severity 3 or severity 4 incidents) within the relevant service period.
Approach to resilience: This information is available on request
Outage reporting: Email alerts to customers

Identity and authentication

User authentication needed: Yes
User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
Access restrictions in management interfaces and support channels: Out of band management
Access restriction testing frequency: At least every 6 months
Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: User-defined
How long system logs are stored for: User-defined

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: BSI
ISO/IEC 27001 accreditation date: 19/05/2016
What the ISO/IEC 27001 doesn’t cover: N/A
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: Yes
Any other security certifications: NCSC CAS(CA)

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: This information is available on request

Operational security

Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach: Airbus operates a robust and mature change process which engages with the customer impacted by a change throughout the lifecycle.
The process ensures that all changes are tracked, managed, tested and governed prior to deployment.
The process is aligned to ITIL and linked to Change Management. This ensures that each CI is monitored for any unscheduled change, that any unauthorised deviation from the stored baseline in the CMDB is identified, investigated and reported on, and that the interfaces required between the Configuration, Change and Request Fulfillment processes are enforced and fit for purpose, so that service operations maintains the CMDB in an accurate state.
Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach: This information is available on request
Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach: This information is available on request
Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach: Airbus has a robust and mature Incident Management process which is used to proactively respond to Incidents escalated by either event management tools or by customers. Incidents will be managed through to resolution in accordance with agreed Service Levels and logged in ITSM tooling to capture the number of Incidents generated across the complete service provision. Information relating to the Incidents will be reported on at agreed periods, typically in standard monthly reports. Users can report incidents via telephone, email or via web portal.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: Yes
Connected networks: Public Services Network (PSN)

Pricing

Price: £30 per person per year
Discount for educational organisations: No
Free trial available: No
