to add a new content
ISO/IEC 27002:2013 IT Security techniques - Code of Practice for Information Security Controls

This document informs the implementation of controls within an information security management system based on ISO 27001.

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

This International Standard is designed for organisations to use as a reference for selecting controls within the process of implementing an Information Security Management System (ISMS) based on ISO/IEC 27001. It can also be used as guidance for implementing commonly accepted information security controls.

All types of organisations including public and private sector, commercial and non-profit organisations collect collect, process, store and transmit information in many forms including electronic, physical and verbal and therefore the value of information goes beyond the written words, numbers and images. Knowledge can also be intangible such as concepts, ideas, knowledge, brands, reputation – these are all forms of intangible information. As a result vital information can be very valuable to an organisation’s and as such deserves and require protection against various hazards.

Therefore it is essential that an organisation identify its security requirements by 1. Assessing risk 2. Observing all statutory, regulatory and contractual requirements that an organisation has to satisfy 3. Setting principles, objectives and business requirements for information handling, processing, storing, communicating and archiving that an organisation has developed to support its operations.

Published 01/01/2013
Authoring body: International Organisation for Standardisation (ISO)
Security Policy Framework for HMG Organisations

This Framework describes the Cabinet Secretary and Official Committee on Security expectations of how HMG organisations and third parties handling HMG information and other assets will apply protective security to ensure HMG can function effectively, efficiently and securely.

The Security Policy Framework should be applied across Her Majesty’s Government and assets that are held by third parties in the wider public sector and by our commercial partners and personal responsibility and accountability should be undertaken to uphold the policy as attitudes and behaviours are key for exercising good security.

It is important to note that proper management, risk management, good governance and judgment and discretion remain the most form of effective security protection. 

Published 01/01/2018
Authoring body: Government Digital Service (GDS)
Facing the Camera - Guidance on police use of overt CCTV and facial recognition to locate persons on a watchlist in public

This code of practice issued by the Secretary of State (regulated by the Surveillance Camera Commissioner) under the Protection of Freedoms Act 2012 (PoFA) covers police forces in England & Wales. Chief officers must have regard to this code when using facial recognition algorithms as part of the operation of surveillance camera systems, or the use or processing of images or other information obtained.

The code only applies to the use of facial recognition technology and processing of images from surveillance cameras operated in 'live time' or 'near real time' operational scenarios.

The code includes considerations into:

  • Applicability
  • Biometrics
  • Ethics
  • Human Rights
  • Legal frameworks
  • Police policy documents
  • Governance
  • Evidence handling
  • Public engagement
  • Accountability and certification

Also included as an attachment is the National Surveillance Camera Strategy for context.

Published 01/11/2020
Authoring body: Surveillance Camera Commissioner (SCC)
Create and iterate an SPF record for email authentication

This document provides guidance on how to create and iterate a Sender Policy Framework record, which is a system of email authentication.

SPF works by providing domain owners a way to publish a list of the IP addresses which should be trusted for a given domain. A receiving email service can then check that a sending email service has an IP address which appears in the sender's published list.

If the IP address appears in the list of acceptable IPs, the receiving email service will forward the email to the recipient's inbox. If the receiving email service cannot confirm the IP address is valid, then it marks the email in accordance with the DMARC policy you have implemented on the domain the email is being sent from.

Published 02/07/2021
Authoring body: National Cyber Security Centre (NCSC)
Criminal Justice System Exchange Data Standards Catalogue (Version 6)

The CJS Data Standards Catalogue is a collection of data standards used by Criminal Justice Organisations in England & Wales to support interoperability between their different ICT systems.

If you are a member of a Criminal Justice Organisation and work in the area of data standards then you too can help to shape that change. If you have any questions then please raise them with the Forum representative for your organisation by visiting

Published 01/01/2020
Authoring body: Criminal Justice System (CJS) Exchange Product Board
Reference Data / Templates

This document should be used in reference to the appropriate legislation, such as the Protection of Freedoms Act 2012: DNA & Fingerprint Provisions

IDENT1 is the UK’s nationals automated fingerprint system that provides biometric series for the police force and law enforcement agencies covering England, Scotland and Wales.

IDENT1 was introduced in 2004 and replaced the National Automated Fingerprint Identification System (NAFIS) of England and Wales, as well as the electronic fingerprint identification system used by the Scottish police forces. It was developed by Northrop Grumman with the use of advanced biometric identification technology.

IDENT1 enables the forces to search and compare fingerprints and crime scene marks in a single database, providing a unified collection of finger and palm prints.

The datasets that consist in within IDENT1 are the following:

  • Colour Type

  • Fingerprint Bureau Code Type

  • Fingerprint Owners sex Type

  • Fingerprint Status Type

  • Force Code Type

  • Force Station Coe Type

  • IDENT Offence Code Type

  • Jurisdiction Type

By using efficient algorithms and technology, IDENT1 is able to deliver a high degree of search accuracy and performance for the fingerprint officers (FPOs) and police officers by taking advantage of Biometric fusion technology.

Published 01/01/2019
Authoring body: Home Office
Reference Data / Templates
Resource Description Frameworks (RDF) for web development

The standards referred to by W3C are community generated standards, last reviewed by the National Standards Assurance Board in May 2021.

The World Wide Web Consortium (W3C) is an international community where Member organisations and the public work together to develop Web standards. It’s aim is to lead the World Wide Web to its full potential by developing protocols and guidelines that ensure the long-term growth of the Web. 

The social value of the Web is that it enables human communication, commerce, and opportunities to share knowledge. One of W3C's primary goals is to make these benefits available to all people, whatever their hardware, software, network infrastructure, native language, culture, geographical location, or physical or mental ability. Some people view the Web as a giant repository of linked data while others as a giant set of services that exchange messages.

W3C's vision for the Web involves participation, sharing knowledge, and thereby building trust on a global scale.

The Web has transformed the way we communicate with each other. In doing so, it has also modified the nature of our social relationships. People now "meet on the Web" and carry out commercial and personal relationships, in some cases without ever meeting in person. W3C recognises that trust is a social phenomenon, but technology design can foster trust and confidence. As more activity moves on-line, it will become even more important to support complex interactions among parties around the globe.

Published 01/01/2020
Authoring body: W3C
CPA Security Characteristic Software Full Disk Encryption (Version 1.24)

This document has been reviewed by the National Standards Assurance Board in May 2021 and is still deemed relevant with sound principles, despite being dated in some areas. Users should also be aware of the NEP Windows Blueprints.


This document describes the features, testing and deployment requirements necessary to meet CPA certification for Software Full Disk Encryption security products. It is intended for vendors, system architects, developers, evaluation and technical staff operating within the security arena.

The purpose of a software disk encryption product is to protect the confidentiality of data. This document aims to describe the requirements for Software Full Disk Encryption products and obtaining Commercial Product Assurance (CPA) certification under the CPA scheme.

A typical use case is the protection of a mobile device such as a laptop in case of accidental loss or theft.

The Security Characteristic is primarily targeted towards a single user for each protected devices only applicable to software disk encryption products that operate on PCs with Extensible Firmware Interface (UEFI) or  Basic Input/Output System (BIOS). Multiple users can also be evaluated.

Intended readers are for developers, system, architects, vendors and technical staff. The disk encryption software will prevent an attacker from accessing the data.

Published 01/01/2016
Authoring body: CESG National Technical Authority for Information Assurance
ISO/IEC 27034-2:2015 IT Security techniques - Application Security - Part 2: Organisation Normative Framework

This document provides a framework for application security.

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

There is an ever increasing need for businesses to focus on protecting their information and  technological infrastructures and Organisations must do this in order to stay in business. ISO/IEC 27034 provides concepts, principles, frameworks, components and processes to assist organisations in integrating security seamlessly throughout the life cycle of their applications. When an organisation uses a systematic approach for improving application security, it provides the organisation evidence and confidence that information being used and held in its application is being adequately protected. This part of ISO/IEC 27034 defines the processes required to manage the security of applications in the organisation.

The Organisation Normative Framework (ONF) is a key component for application security and provides a framework for best practises. It is the foundation of application security in the organisation. All organisations should base their decision regarding application security on this framework.

Therefore the purpose of this part of ISO/IEC 27034 is to assist organisations to create, maintain and validate their own ONF in compliance with the requirements of this International Standard.

Intended audience are managers, domain experts, auditors, ONF committee.


Published 01/01/2015
Authoring body: International Organisation for Standardisation (ISO)
Bluetooth General Guidance (v1.1)

Guidance on the risk-based approach to using Bluetooth enabled technology within the policing environment, including examples. This guide does not cover all use cases and for advice on exemptions for specific use cases, the NPIRMT team should be approached to provide a bespoke risk assessment.



Published 02/02/2017
Authoring body: National Policing Information Risk Management Team (NPIRMT)