to add a new content
Resource
National Police Information Risk Appetite Statement (Version 2.2)

Please note this is an OFFICIAL-SENSITIVE document, to request access please use the 'Contact Us' tab to raise a general query

The purpose of this document is to inform force/agency Senior Information Risk Owners (SIRO), National Information Asset Owners, National and force/agency Accreditors/Projects/programmes and other interested parties of the National Information Risk Appetite and its implications. This document should be read in conjunction with the BRG on Risk Appetite .

This document helps provide a baseline for defining and managing risk for all National information systems and National Police Infrastructure used within the Police services such as as Police National Database, Police National Computer, ViSOR/MAPS.

The document also helps form part of the national Information Assurance governance for information risk management and focuses on national Information Systems risk management and governance and force/agency risk management and governance.

The National Information Risk Appetite echoes the need for the police service to protect and manage risk with regards to information handling, as information mismanagement can compromise confidentiality and integrity, have an adverse impact on police operations and damage police public image and increase risks to the compliance or legal standing of the police force.

Intended audience readers are for police force SIROs, Information Asset Owners, police force Accreditors, programme and project managers as well as other interested parties in National Information risk management.

 

Published 01/01/2012
Authoring body: National Police Information Risk Management Team (NPIRMT)
Standards
Resource
ISO/IEC 27033-2:2012 IT Security techniques — Network security — Part 2: Guidelines for the design and implementation of network security

ISO 27033-2 gives guidelines to police forces on how to plan, design, implement and document effective network security.

This standard was reviewed by the authoring body in 2018 and still deemed current. This was also further reviewed by the National Standards Assurance Board in May 2021 and still found to be current and of value.

Published 01/08/2012
Authoring body: International Standards Organisation (ISO)
Guidance
Resource
ISO/IEC 27031:2011 IT Security Techniques — Guidelines for Information and Communication Technology Readiness for Business Continuity

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

Over the years, information and communication technology (ICT) has become an integral part of many of the activities which are major elements of the critical infrastructures in all organisations. The proliferation of the Internet and other IT capabilities of systems and applications, has also meant that organisations have become ever more reliant on reliable, safe and secure ICT infrastructures. This reliance means that disruptions to ICT can constitute strategic risks to the reputation of the organisation and its ability to operate.

Failures of ICT services, including the occurrence of security issues such as systems intrusion and malware infections, will impact the continuity of business operations. Thus managing ICT and related continuity and other security aspects form a key part of business continuity requirements. In order for an organisation to achieve ICT Readiness for Business Continuity (IRBC), it needs to put in place a systematic process to prevent, predict and manage ICT disruption and incidents which have the potential to disrupt ICT services. 

Published 01/01/2011
Authoring body: International Organisation for Standardisation (ISO)
Standards
Resource
ISO/IEC 27033-1:2015 IT Security Techniques — Network Security — Part 1: Overview and Concepts

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

In todays modern world, most organisations have their information systems connected by networks either within the organisation, between different organisations or between the organisation and the general public. The purpose of this International Standard is to provide detailed guidance on the security aspects of the management, operation and use of information system networks, and their inter-connections. 

This part of ISO/IEC 27033 provides an overview of network security. It defines and describes the concepts associated with, and provides management guidance on, network security. It also defines how to identify and analyse network security risks and then define network security requirements. It also introduces how to achieve good quality technical security architectures, and the risk, design and control aspects associated with typical network scenarios and network technology areas.

Published 01/01/2015
Authoring body: International Organisation for Standardisation (ISO)
Standards
Resource
ISO/IEC 20000-1:2018 IT Service Management — Part 1: Service Management System Requirements

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

This international standard has been created for establishing, implementing, maintaining and continually improving a service management system (SMS). An SMS supports the management of the service lifecycle, including the planning, design, transition, delivery and improvement of services, which meet agreed requirements and deliver value for customers, users and the organisation delivering the services. Implementation and operation of an SMS provides on-going visibility, control of services and continual improvement, leading to greater effectiveness and efficiency.

This standard can be used by

  • Customer seeking services and requiring assurance regarding quality of the service being provided

  • Customer requiring consistent approach to the service lifecycle by all its service providers

  • an organisation to demonstrate its capability for the planning, design, transition, delivery and improvement of services

  • an organisation to monitor, measure and review its SMS and the services

  • a provider of training or advice in service management.

Published 01/01/2018
Authoring body: International Organisation for Standardisation (ISO)
Standards
Resource
ISO/IEC 27018:2019 IT Security Techniques — Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds acting as PII Processors

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

Cloud service providers who process Personally Identifiable Information (PII) under contract to their customers need to operate their services in ways that allow both parties to meet the requirements of applicable legislation and regulations covering the protection of PII.

PII is sometimes referred to as personal data or personal information. A public cloud service provider is a “PII processor” when it processes PII for and according to the instructions of a cloud service customer. 

This standard was created to help the public cloud service provider to comply with applicable obligations when acting as a PII processor, enable the public cloud PII processor to be transparent in relevant matters, assist the cloud service customer and the public cloud PII processor in entering into a contractual agreement and provide cloud service customers with a mechanism for exercising audit and compliance rights and responsibilities.

There are three main requirements an organisation must identify for the protection of PII:

  1. Legal, Statutory, Regulatory and Contractual Requirements

  2. Risks Assessment

  3. Corporate policies

Published 01/01/2019
Authoring body: International Organisation for Standardisation (ISO)
Standards
Resource
ISO/IEC 27004:2016 IT Security Techniques — Information Security Management — Monitoring, Measurement, Analysis and Evaluation

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

This international standard was created to help organisations evaluate the information security performance and the effectiveness of an information security management system. The results of monitoring and measurement of an information security management system (ISMS) can be supportive of decisions relating to ISMS governance, management, operational effectiveness and continual improvement. It also helps to establish

  1. the monitoring and measurement of information security performance

  2. the monitoring and measurement of the effectiveness of an information security management system (ISMS) including its processes and controls

  3. the analysis and evaluation of the results of monitoring and measurement.

Published 01/01/2016
Authoring body: International Organisation for Standardisation (ISO)
Standards
Resource
ISO 22301:2019 Security and Resilience — Business Continuity Management Systems — Requirements

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

This standard speaks into  the structure and requirements for implementing and maintaining a business continuity management system (BCMS) that develops business continuity within an organisation experience disruption.

A BCMS emphasises the importance of:

  • understanding the organisation’s needs and the necessity for establishing business continuity policies and objectives;

  • operating and maintaining processes, capabilities and response structures for ensuring the organisation will survive disruptions;

  • monitoring and reviewing the performance and effectiveness of the BCMS;

  • continual improvement based on qualitative and quantitative measures.

The purpose of a BCMS is to prepare for, provide and maintain controls and capabilities for managing an organisation’s overall ability to continue to operate during disruptions.

  • supporting its strategic objectives

  • creating a competitive advantage

  • protecting and enhancing its reputation and credibility

  • reducing legal and financial exposure

  • reducing direct and indirect costs of disruptions

  • protecting life, property and the environment

  • providing confidence in the organisation’s ability to succeed

  • improving its capability to remain effective during disruptions

  • addressing operational vulnerabilities

The management process of BCMS are categorised by the following:

  • policy

  • planning

  • implementation and operation

  • performance assessment

  • management review

  • continual improvement

The outcomes of maintaining a BCMS are shaped by the organisation’s legal, regulatory, organisational and industry requirements, products and services provided, processes employed, size and structure of the organisation, and the requirements of its interested parties.

Published 01/01/2019
Authoring body: International Organisation for Standardisation (ISO)
Standards
Resource
ISO/IEC 27013:2015 IT Security techniques — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The relationship between information security management and service management is so close that many organisations already recognise the benefits of adopting the two International Standards for these domains. There are a number of advantages in implementing an integrated management system.

Benefits:

  • Enhanced credibility, with internal and external customers

  • Lower cost of an integrated programme of two projects

  • Reduction in implementation time due to the integrated development of processes common to both standards

  • Better communication, reduced cost and improved operational efficiency through elimination of unnecessary duplication

  •  a greater understanding by service management

This International Standard is intended for use by persons with knowledge of both of the International Standards ISO/IEC 27001 (information security management system (ISMS) and ISO/IEC 20000-1 (a service management system (SMS)) and provides guidance on the implementation of both international standards.

Published 01/01/2015
Authoring body: International Organisation for Standardisation (ISO)
Standards
Resource
ISO/IEC 27001:2013 IT Security techniques — Information Security Management Systems — Requirements

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The implementation of an information security management system is a strategic decision for an organisation that is influenced by the organisation’s needs and objectives, security requirements, the organisational processes and thus the International Standard has been setup to establish, implement, maintain and continually improve an information security management system.

The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. This also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation and is applicable to all organisations, irrespective of size and structure.

Published 01/01/2013
Authoring body: International Organisation for Standardisation (ISO)
Standards