1.1 This procedure/SOP has been reviewed in August 2023 – paragraph 3.5 has been amended.
2.1 This procedure/SOP describes the process known as ‘Assurance’ and the completion of the risk management, document and design sets for a new or upgraded/changed IT solution or innovation, to ensure that information systems are designed and operated with appropriate security, taking into account the confidentiality, integrity and availability (CIA) of that information.
2.2 The process is designed to provide assurance that information systems are appropriately risk managed to a level acceptable to the business. Consequently, there is a risk of damage to the reputation of the organisation should the provisions of this procedure not be followed.
Compliance with this procedure/SOP and any governing policy is mandatory.
3.1 All force information systems must have completed information security assurance prior to go-live. The assurance requirement will exist throughout the entire life-cycle of the system; from concept, system procurement/development, through to decommission or until the system receives an upgrade that changes the original assurance criteria. The InfoSec Baseline Security Requirement (available on Insite/connEXion) must be considered at all times.
3.2 This process must begin at the very start of a project by submitting a completed Idea Validation Form through Hornbill/Service Manager, which is provided to the Information Security Officer/Manager (ISO/ISM) as part of that process. This is typically completed by the business, in consultation with the IT Project Manager or IT Business Relations Officer.
3.3 The results of the Idea Validation Process will determine the level of security assurance required, ranging from a ‘light-touch’ approach for lower risk systems, to full government standard accreditation for higher risk systems. The accreditation of higher risk systems usually involves a more detailed technical risk assessment.
3.4 The risk assessments consider the impact and threat, so that the value of assets and the threats that they face can be better understood and managed appropriately. This will require implementing a set of physical, personnel, procedural and technical countermeasures to mitigate the risks.
3.5 The preliminary risk assessment also requires a Data Protection Impact Assessment (DPIA) to be completed for review by the Data Protection Officer. This enables the forces to analyse how a particular project or system will affect the privacy of the individuals involved. The assurance process will identify whether a more detailed DPIA is required. In Kent, the preliminary risk assessment also requires a Records Management Impact Assessment (RMIA) to be completed for review by the Records Manager. This enables the Force to understand how any data created and/or stored within the project or system will be retained, reviewed and deleted.
3.6 An Assurance workplan will then be developed for the project and will be agreed between the Project Manager, IT, Procurement, the business and the ISO.
3.7 The Force ISO will then act as the Accreditor for the information system.
3.8 This process usually requires that the detail of the strategy evolves with the project, with higher-level executive decisions informing more detailed delivery requirements. Therefore, the Assurance workplan must be reviewed at regular stages and updated accordingly, by specifying subsequent tasks and deliverables.
3.9 Progress against the workplan will be reviewed within the wider context of the work programme to ensure that it is being appropriately prioritised and that security assurance is maintaining pace with the procurement and development processes. This will also help ensure that the SyAP – Security Assessment for Policing or relevant documentation is being sufficiently recorded in a timely fashion.
3.10 Details of the assurance workplan, along with baseline security requirements and other guidance in relation to the security of information systems, can be found on the Force intranet.
3.11 Effective assurance also requires the proactive involvement of the Force Senior Information Risk Owner (SIRO) and the Information Asset Owner (IAO) – see W 1005 Procedure/SOP - Information Asset Owners, to set risk appetites and agree residual risks. The ISO will advise how this will be achieved.
3.12 Upon completion, the document set/SyAP or relevant documentation must be reviewed by the Information Security Managers, who are responsible for assessing the accuracy of the information system’s documented risks and associated countermeasures.
3.13 After consideration, the ISOs/ISMs must satisfy themselves that the physical, personnel, procedural and technical countermeasures are sufficient to reduce the information security risks to a level that is within the Force’s risk appetite.
3.14 Where satisfied, the ISO/ISM will endorse the document set/SyAP or relevant documentation and provide an assurance certificate, giving either full assurance, assurance with conditions or interim assurance where additional conditions apply, such as a restriction on system functions or timescales. At this point the system is deemed to be assured for a defined period of time.
3.15 Where the ISO/ISM assesses that the residual risks are not within the Force’s risk appetite, the ISO/ISM will provide further advice and guidance to the Information Asset Owner/Project Manager on the tasks to be completed. If this is not achievable, then a description of the residual risks will be escalated to the SIRO for a final decision.
EIA – July 2023
5.1 There is an overall risk concerning the use and management of Essex Police and Kent Police information. Advice and guidance relating to the assessment of risk is contained within the individual procedures. The Corporate Risk Register will contain any risks in relation to Information Security.
The following have been consulted during the formulation of this document:
• Unison
• Police Federation
• Essex Diversity and Inclusion Manager
• Health & Safety
• Strategic Change Team
• PSD Superintendent
• Policy/Risk
• Superintendents Association
• Kent IT Department
• Essex Information Management Department
• IT Dept
7.1 The Information Security Officer will be responsible for ensuring that this procedure/SOP will remain current in line with HMG and ACPO policy.
7.2 This procedure/SOP will be reviewed by or on behalf of the forces’ SIROs every two years.
8.1.1 Essex Police and Kent Police have measures in place to protect the security of your data in accordance with our Information Management Policy – W 1000 Policy – Information Management.
8.2.1 Essex Police and Kent Police will hold data in accordance with our Records Review, Retention & Disposal Policy – W 1012 Procedure/SOP - Records Review, Retention and Disposal.
8.2.2 We will only hold data for as long as necessary for the purposes for which it was collected.
Policy reference: Assurance of information assets SOP (W1007)
Contact point:
Date last reviewed: August 2023
If you require any further information or to request any documentation referenced within the policy please email [email protected]. For general enquiries, contact us.