Search - National Standard Microsite

This Standard supports the principles set out in the National CSP, providing detailed guidance to those implementing and managing PDS & policing systems. This Standard applies to all passwords created for use on PDS & policing systems, including those for user-level accounts, system-level accounts, and any device-specific passwords.

This MOU supports and underpins the existing arrangements in place between the CPS and the Relevant Police Force for the provision of evidential and disclosable unused material and sets out the expected level of service to be provided by both the CPS and Relevant Police Force in relation to the sharing of MME via DEMS.

This standard is intended to provide a framework of controls to support the secure decommissioning of police information systems.

This standard defines the requirements and best practice for privileged access management which should be adopted to manage elevated access consistently and securely across national policing IT systems.
This standard adheres to the National Policing Community Security Policy Framework and is a suitable reference for community members, notably those who build and implement IT systems on behalf of national policing.

This document provides a structured approach to assessing and managing security risks associated with AI adoption in law enforcement. It ensures that AI technologies are evaluated at every stage of their lifecycle, meeting security and operational requirements.
This standard adheres to the National Policing Community Security Policy Framework and is a suitable reference for community members, notably those who build and implement IT systems on behalf of national policing.

This guideline provides information on how to preserve the integrity of digital evidence which supports the investigation cyber incidents.

This guidance is to assist members of the policing community of trust to correctly classify and protect information assets in line with UK Government Security Classification Policy. This guidance in conjunction with the National Policing Community Security Policy (NCSP) and associated documents supports the requirements of the NCSP Information Management standard.
ANNEX A - Working at SECRET ANNEX B – Working at TOP SECRET ANNEX C – Classification guidance quick reader guide

This standard is intended to guide the reader through the process of securely managing personnel and embedding security at all stages of the employee lifecycle.

This standard supports the policy set out in the National Community Security Policy, providing requirements for those designing, building and running electronic communications services within national policing systems. This standard details a minimum set of security requirements and controls that must be met to ensure security of electronic communications services. Consideration is given to the following areas of configuration, email systems, collaboration platforms and voice communications platforms.

This Standard sets out the Physical and Environmental Security measures and considerations to be used within policing. This standard will outline key guidance and advice that should be acknowledged and referred to, and where practicably possible, implemented to safeguard Policing locations including the assets within them.

This standard describes approaches to delivering comprehensive security testing (using a range of attack types) to support security and risk compliance monitoring.
It supplements National Community Security Policy Information Assurance core standard.

This framework is to ensure that all security risks are identified, assessed, and managed in accordance with best practice in order to facilitate improved governance. It is mandatory for all information systems that hold Police information, or which deliver an operational service to policing to undergo a risk assessment, as stipulated in the National Policing Community Security Policy.
The Security Risk Management Framework mutually supports the Police Cyber Assurance Framework (PCAF). The framework supports the requirements of the National Community Security Policy (NCSP).

This document provides detailed guidance to support the National Community Security Policy (NCSP) system development (Secure by Design SbD) standard. Secure by Design as a methodology has been selected to ensure that a repeatable, structured, and consistent approach to the secure delivery of solutions across policing is achieved, as well as ensuring that risks are managed within risk appetite. 

This standard outlines the functions within the Secure By Design (SbD) process, aligned to project stages, to ensure a consistent approach to cyber security is achieved throughout a system’s development. The purpose of this standard is to define an approach to ensure that all products / solutions are assured in a repeatable, structured and consistent way. This will enable security controls to be designed into solutions at an early stage, ensuring the secure delivery of solutions across policing, whilst identifying and managing risk to within risk appetite.
This standard adheres to the National Policing Community Security Policy Framework and is a suitable reference for community members, notably those who build and implement IT systems on behalf of national policing.

This standard defines the requirements which, when applied, will assist with the secure management of systems and networks.
This standard adheres to the National Policing Community Security Policy Framework and is a suitable reference for community members, notably those who build and implement IT systems on behalf of national policing.
This standard adheres to the National Policing Community Security Policy Framework and is a suitable reference for community members, notably those who build and implement IT systems on behalf of national policing.

This guidance describes best practice risk management controls for accessing Policing ICT resources whilst abroad. It also describes the circumstances when forces can make a local decision or when referral to NSIRO is required when use abroad is required.

This guideline is a baseline for Policing in use of Microsoft Purview from a Information Compliance; oversight and measurement perspective

This guideline provides audiences with background information concerning Bluetooth technology and guidance on how it can be suitably and securely deployed within the Law Enforcement environment.
It’s purpose is to provide relevant information, enabling users of Bluetooth technology to achieve operational capability whilst minimising the risks of data security compromise.

Information transfer is the process of moving information from one location to another. Policies and processes are required to protection information during this process.
Any activity involving the movement of information from one place to another carries inherent risk whereby the confidentiality, integrity or availability of that information may be compromised. Appropriate and proportionate steps must be taken to ensure the security requirements of the information being transferred are protected against deliberate or inadvertent, authorised or unauthorised attack, damage or loss.
ANNEX A – Legacy NPIRMT Protection of OFFICIAL Police Data in Transit – Risks & contextual risk mitigation tables

This standard supports the policy set out in the National Community Security Policy, providing requirements for those designing, building and running IT services, managing threats and vulnerabilities within PDS and policing systems.

This standard supports the policy set out in the National Community Security Policy, providing requirements for those designing, building and running network services on behalf of national policing. This standard details a minimum set of security requirements and controls that must be met to ensure security and segregation of network services.

This Standard specifies the minimum requirements regarding technical security management. It describes the requirements to enable members of the community of trust to build and operate an effective technical security infrastructure, applying security architecture principles and integrating technical security solutions, such as malware protection, intrusion detection and cryptography

This guideline defines the type of cyber and information security incidents which are required to be reported for monitoring and evaluation purposes and the applicable categories

This standard aims to ensure that physical assets are acquired securely, configured properly, maintained regularly, and disposed of safely and securely, while ensuring the confidentiality, integrity, and availability of the information they handle. By adopting this standard, organisations can ensure that they are protecting their assets against potential threats, mitigating risks, and complying with regulatory requirements.

This guideline covers recommendations for the commissioning and use of internet connections, with a specific focus on the requirements of the Law Enforcement Community Network (LECN).

This standard defines the requirements to implement Information Management as mandated in the National Community Security Policy. It encompasses the management of policing information within the OFFICIAL tier of the Government Security Classification model

This guideline provides the policing community with advice on the use of communication software such as e-conferencing.

This Standard specifies the minimum requirements regarding cyber threat and incident processes and actions. It aims to provide members of the policing community with clear direction to manage incidents associated with cyber-attacks and cyber incidents

This standard sets out the Cryptographic Algorithms to be used within policing. A list of algorithms is provided initially followed by applications and the associated cryptography required for each application. Finally the standard provides some commentary on the emerging cryptography for post quantum computing and lightweight computing.

This standard adheres to the National Policing Community Security Policy Framework and is a suitable reference for community members, notably those who build and implement IT systems on behalf of national policing.

This standard is intended to guide the reader through the process of securely managing business applications, both internally developed and externally sourced, regardless of whether locally installed or cloud based. Centred around stocktaking, documenting and actively managing those applications, this standard should enable the visibility of all business utilised applications, ensuring all are appropriately assessed for risk, appropriately controlled, and managed in such a way as to not introduce cyber security risk going forward.