1.1 This procedure/SOP has been updated on its two-year review with the crests being updated and the following:
2.1 This procedure/SOP describes the process known as ‘Assurance’ and completion of the risk management and document and designs sets for a new or upgraded/changed IT solution or innovation, to ensure that information systems are designed and operated with appropriate security, taking into account the confidentiality, integrity and availability (CIA) of that information.
2.2 The process is designed to provide the assurance that information systems are appropriately risk managed to a level acceptable to the business. Consequently, there is a risk of damage to the reputation of the organisation should the provision of this procedure not be followed.
Compliance with this procedure/SOP and any governing policy is mandatory.
3.1 All force information systems must have completed information security assurance prior to go-live. The assurance requirement will exist throughout the entire life cycle of the system; from concept, system procurement/development, through to decommission or until the system receives an upgrade that changes the original assurance criteria. The InfoSec baseline security requirement (available on Insite/connEXion) must be considered at all times.
3.2 This process must begin at the very start of a project by submitting a completed Idea validation form through Hornbill/Service Manager. This form is provided to the Information Security officer/manager (ISO/ISM) as part of that process. It is typically completed by the business, in consultation with the IT project manager or IT business relations officer.
3.3 The results of the Idea validation process will determine the level of security assurance required, ranging from a ‘light-touch’ approach for lower risk systems, to full government standard accreditation for higher risk systems. The accreditation of higher risk systems usually involves a more detailed technical risk assessment.
3.4 The risk assessments consider the impact and threat, so that the value of assets and the threats that they face can be better understood and managed appropriately. This will require implementing a set of physical, personnel, procedural and technical countermeasures to mitigate the risks.
3.5 The preliminary risk assessment also requires a Data Protection Impact Assessment (DPIA) to be completed and reviewed by the data protection officer. This enables the forces to analyse how a particular project or system will affect individual privacy. The assurance process will determine whether a more detailed DPIA is required. In Kent, a Records Management Impact Assessment (RMIA) must also be completed and reviewed by the records manager to ensure proper data retention, review, and deletion.
3.6 An assurance workplan will then be developed for the project and will be agreed between the project manager, IT, Procurement, the business and the ISO.
3.7 The force ISO will then act as the accreditor for the information system.
3.8 This process usually requires that the detail of the strategy evolves with the project, with higher-level executive decisions informing more detailed delivery requirements. Therefore, the assurance workplan must be reviewed at regular stages and updated accordingly, by specifying subsequent tasks and deliverables.
3.9 Progress against the workplan will be reviewed within the wider context of the work programme to ensure that it is being appropriately prioritised, and that security assurance is keeping pace with the procurement and development processes. This will also help ensure that the SyAP (Security Assessment for Policing) or relevant documentation is being sufficiently recorded in a timely fashion.
3.10 Details of the assurance workplan, along with baseline security requirements and other guidance in relation to the security of information systems, can be found on the force intranet.
3.11 Effective assurance also requires the proactive involvement of the force Senior Information Risk Owner (SIRO) and the Information Asset Owner (IAO) – see W 1005 Procedure/SOP - Information Asset Owners, to set risk appetites and agree residual risks. The ISO will advise how this will be achieved.
3.12 Upon completion, the document set/SyAP or relevant documentation must be reviewed by the Information Security Managers, who are responsible for assessing the accuracy of the information system’s documented risks and associated countermeasures.
3.13 After consideration, the ISOs/ISMs must satisfy themselves that the physical, personnel, procedural and technical countermeasures are sufficient to reduce the information security risks to a level that is within the force’s risk appetite.
3.14 Where satisfied, the ISO/ISM will endorse the document set/SyAP or relevant documentation and issue an assurance certificate. This certificate may provide full assurance, conditional assurance or interim assurance, depending on whether additional conditions apply, such as restrictions on system functions or implementation timelines. At this point, the system is considered assured for a defined period.
3.15 Where the ISO/ISM assesses that the residual risks are not within the force’s risk appetite, the ISO/ISM will provide further advice and guidance to the Information Asset Owner/Project Manager on the tasks to be completed. If this is not achievable, then a description of the residual risks will be escalated to the SIRO for a final decision.
EIA – July 2023.
5.1 There is an overall risk concerning the use and management of Essex Police and Kent Police information. Advice and guidance relating to the assessment of risk is contained within the individual procedures. The Corporate Risk Register will contain any risks in relation to Information Security.
The following have been consulted during the formulation of this document:
7.1 The information security officer will be responsible for ensuring that this procedure/SOP will remain current in line with HMG and ACPO policy.
7.2 This procedure/SOP will be reviewed by or on behalf of the forces’ SIROs every two years.
Essex only documents:
8.1.1 Essex Police and Kent Police have measures in place to protect the security of your data in accordance with our Information Management Policy – W 1000 Policy – Information Management.
8.2.1 Essex Police and Kent Police will hold data in accordance with our Records review, retention and disposal policy – W 1012 Procedure/SOP - Records review, retention and disposal.
8.2.2 We will only hold data for as long as necessary for the purposes for which we collected it.
Policy reference: Assurance of information assets SOP (W1007)
Contact point: Head of Information Security and Governance
Date last reviewed: October 2025