CoCo Compliance

 – what it is and how to do it

CoCo is the Code of Connection (now version 4.1), a set of mandatory requirements with which UK local authorities must comply if they are to connect to the Government Connect Secure Extranet (GCSX), part of the Public Services Network (PSN).

CoCo, which came into effect in 2009, requires local authorities to document how their information technology meets the requirements, which have been adapted from the global ISO27001 standard. There are four main categories of risk - technical, procedural, physical and human – and CoCo compliance is assessed annually.

What is required

There are many aspects to CoCo compliance. Those security requirements which pertain to protective markings include:

  • "Employees of the organization who handle information carrying a protective marking of RESTRICTED must be made aware of the impact of loss of such material and the actions to take in the event of any loss."
  • "Audit logs recording user activities, exceptions and information security events MUST be produced to assist in future investigations and access control monitoring."
  • "E-mail MUST not be automatically forwarded to a lower classification domain."
  • "The mail client or user SHOULD add a warning to each e-mail to the effect that all communications sent to or from their organisations may be subject to recording and/or monitoring in accordance with relevant legislation."
  • "The mail client or user MUST add security labels to each email that carries a protective marking of PROTECT or higher."

How to make CoCo compliance easier

A simple way to comply with CoCo is to use the januSEAL suite to apply protective markings:

  • Deploy Janusseal for Outlook software to all staff desktops in the Local Authority
  • Configure Janusseal for Outlook on all staff desktops using the pre-made configuration templates based on the current UK Government Protective Marking System

In more advanced deployments, the local authority would also use other Janusseal products and Janusnet's expert knowledge to enable protective marking capability at a wider range of email clients and devices, such as:

  • Deploy Janusseal for Outlook Web App to all Microsoft Exchange servers in the local authority with Outlook Web Access (OWA) enabled; this will allow senders to protectively mark emails sent from any web browser using the Outlook Web App service.
  • Implement Janusgate Mobile to simultaneously get the benefits of mobile email and prevent sensitive emails from being delivered to mobile devices.


Read more about how to comply with the UK Government Security Classification (including CoCo), contact us to discuss your CoCo priorities or get an overview of  the Janusseal suite.