Documente Academic
Documente Profesional
Documente Cultură
This document is in draft form and is released as a "Public Beta" to solicit feedback from security
practitioners and managers.
There may be errors and ommissions within this document that are awaiting correction.
Any use of this document must be done with the acknowledgement that these errors may exist and
that the data this contains will not be viewed as final or definititive.
Security Controls info@halkynconsulting.co.uk
Outline
This document provides an outline mapping between the controls outlined in Annexe A to I
27001 and the Mandatory Requirements of the UK Government Security Policy Framework.
It is suggested that this be used to review existing, documented, security controls to asses
cross-standard compliance.
Where there are no existing controls this document can be used to determine the level of d
required to cover both ISO27001 controls and meet UK Government regulations.
NOTICE
This document does not, and can not, replace the advice given by a security professional w
detailed knowledge of your circumstance and is only provided to assist with determining
compliance requirements.
The relationship between SPF Mandatory Requirements and ISO27001 controls is presente
as a guideline only and may be modified by either the scope of applicability given under
ISO27001 and the completeness of controls developed to comply with the SPF.
Document Control
Page 2 of 45 www.halkynconsulting.co.uk
Security Controls info@halkynconsulting.co.uk
to SPF
nts
Page 3 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
5.1.2 Review of the The information security policy shall be reviewed at planned intervals or if
information security significant changes occur to ensure its continuing suitability, adequacy, and
policy effectiveness
6.1.2 Information security Information security activities shall be co-ordinated by representatives from
co-ordination different parts of the organization with relevant roles and job functions.
6.1.4 Authorization process A management authorization process for new information processing facilities shall
for information be defined and implemented.
processing facilities
6.1.5 Confidentiality Requirements for confidentiality or non-disclosure agreements reflecting the
agreements organization's needs for the protection of information shall be identified and
regularly reviewed.
6.1.6 Contact with Appropriate contacts with relevant authorities shall be maintained.
authorities
Page 4 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
6.2.2 Addressing security All identified security requirements shall be addressed before giving customers
when dealing with access to the organization's information or assets.
customers
6.2.3 Addressing security in Agreements with third parties involving accessing, processing, communicating or
third party managing the organization's information or information processing facilities, or
agreements adding products or services to information processing facilities shall cover all
relevant security requirements.
7.1.2 Ownership of assets All information and assets associated with information processing facilities shall be
'owned' by a designated part of the organization
7.1.3 Acceptable use of Rules for the acceptable use of information and assets associated with information
assets processing facilities shall be identified, documented, and implemented.
7.2.2 Information labeling An appropriate set of procedures for information labeling and handling shall be
and handling developed and implemented in accordance with the classification scheme adopted
by the organization.
Page 5 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
8.1.2 Screening Background verification checks on all candidates for employment, contractors, and
third party users shall be carried out in accordance with relevant laws, regulations
and ethics, and proportional to the business requirements, the classification of the
information to be accessed, and the perceived risks.
8.1.3 Terms and conditions As part of their contractual obligation, employees, contractors and third party users
of employment shall agree and sign the terms and conditions of their employment contract, which
shall state their and the organization's responsibilities for information security.
8.2.2 Information security All employees of the organization and, where relevant, contractors and third party
awareness, education users shall receive appropriate awareness training and regular updates in
and training organizational policies and procedures, as relevant for their job function.
8.2.3 Disciplinary processThere shall be a formal disciplinary process for employees who have committed a
security breach.
8.3 Termination or change of employment
8.3.1 Termination Responsibilities for performing employment termination or change of employment
responsibilities shall be clearly defined and assigned.
8.3.2 Return of assets All employees, contractors and third party users shall return all of the
organization's assets in their possession upon termination of their employment,
contract or agreement.
8.3.3 Removal of access The access rights of all employees, contractors and third party users to information
rights and information processing facilities shall be removed upon termination of their
employment, contract or agreement, or adjusted upon change
Page 6 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
9.1.2 Physical entry Secure areas shall be protected by appropriate entry controls to ensure that only
controls authorized personnel are allowed access.
9.1.3 Securing offices, Physical security for offices, rooms, and facilities shall be designed and applied.
rooms and facilities
9.1.4 Protecting against Physical protection against damage from fire, flood, earthquake, explosion, civil
external and unrest, and other forms of natural or man-made disaster shall be designed and
environmental threats applied.
9.1.5 Working in secure Physical protection and guidelines for working in secure areas shall be designed
areas and applied.
9.1.6 Public access, Access points such as delivery and loading areas and other points where
delivery and loading unauthorized persons may enter the premises shall be controlled and, if possible,
areas isolated from information processing facilities to avoid unauthorized access.
9.2.6 Secure disposal or re- All items of equipment containing storage media shall be checked to ensure that
use of equipment any sensitive data and licensed software has been removed or securely overwritten
prior to disposal.
9.2.7 Removal of property Equipment, information or software shall not be taken off-site without prior
authorization.
Page 7 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
10.1.2 Change management Changes to information processing facilities and systems shall be controlled.
10.1.3 Segregation of duties Duties and areas of responsibility shall be segregated to reduce opportunities for
unauthorized or unintentional modification or misuse of the organization's assets.
10.1.4 Separation of Development, test and operational facilities shall be separated to reduce the risks
development, test of unauthorised access or changes to the operational system.
and operational
facilities
10.2 Third party service delivery management
10.2.1 Service delivery
10.2.2 Monitoring and review The services, reports and records provided by the third party shall be regularly
of third party services monitored and reviewed, and audits shall be carried out regularly.
10.2.3 Managing changes to Changes to the provision of services, including maintaining and improving existing
third party services information security policies, procedures and controls, shall be managed, taking
account of the criticality of business systems and processes involved and re-
assessment of risks.
10.3 System planning and acceptance
10.3.1 Capacity The use of resources shall be monitored, tuned, and projections made of future
management capacity requirements to ensure the required system performance.
10.3.2 System acceptance Acceptance criteria for new information systems, upgrades, and new versions shall
be established and suitable tests of the system(s) carried out during development
and prior to acceptance.
Page 8 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
Page 9 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
11.2.2 Privilege The allocation and use of privileges shall be restricted and controlled.
management
Page 10 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
11.2.4 Review of user access Management shall review users' access rights at regular intervals using a formal
rights process.
11.4.1 Policy on use of Users shall only be provided with access to the services that they have been
network services specifically authorized to use.
11.4.2 User authentication Appropriate authentication methods shall be used to control access by remote
for external users.
connections
11.4.3 Equipment Automatic equipment identification shall be considered as a means to authenticate
identification in the connections from specific locations and equipment.
network
11.4.4 Remote diagnostic Physical and logical access to diagnostic and configuration ports shall be controlled.
and configuration port
protection
11.4.5 Segregation in Groups of information services, users, and information systems shall be segregated
networks on networks.
11.4.6 Network connection For shared networks, especially those extending across the organisations
control boundaries, the capability of users to connect to the network shall be restricted, in
line with the access control policy and requirements of the business applications
(see 11.1).
Page 11 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
11.5.2 User identification All users shall have a unique identifier (user ID) for their personal use only, and a
and authentication suitable authentication technique shall be chosen to substantiate the claimed
identity of a user.
11.5.3 Password Systems for managing passwords shall be interactive and shall ensure quality
management system passwords.
11.5.4 Use of system utilities The use of utility programs that might be capable of overriding system and
application controls shall be restricted and tightly controlled.
11.5.5 Session time-out Inactive sessions shall shut down after a defined period of inactivity. Applicable
Standards
11.5.6 Limitation of Restrictions on connection times shall be used to provide additional security for
connection time high-risk applications.
11.6 Application and information access control
11.6.1 Information access Access to information and application system functions by users and support
restriction personnel shall be restricted in accordance with the defined access control policy.
11.6.2 Sensitive system Sensitive systems shall have a dedicated (isolated) computing environment.
isolation
Page 12 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
12.3.2 Key management Key management shall be in place to support the organisations use of
cryptographic techniques.
Page 13 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
12.5.5 Outsourced software Outsourced software development shall be supervised and monitored by the
development organization.
12.6 Technical vulnerability management
12.6.1 Control of technical Timely information about technical vulnerabilities of information systems being
vulnerabilities used shall be obtained, the organization's exposure to such vulnerabilities
evaluated, and appropriate measures taken to address the associated risk.
13.1 Reporting information security events and weaknesses
13.1.1 Reporting information Information security events shall be reported through appropriate management
security events channels as quickly as possible.
13.1.2 Reporting security All employees, contractors and third party users of information systems and
weaknesses services shall be required to note and report any observed or suspected security
weaknesses in systems or services.
13.2 Management of information security incidents and improvements
13.2.1 Responsibilities and Management responsibilities and procedures shall be established to ensure a quick,
procedures effective, and orderly response to information security incidents.
13.2.2 Learning from There shall be mechanisms in place to enable the types, volumes, and costs of
information security information security incidents to be quantified and monitored.
incidents
13.2.3 Collection of evidence Where a follow-up action against a person or organization after an information
security incident involves legal action (either civil or criminal), evidence shall be
collected, retained, and presented to conform to the rules for evidence laid down in
the relevant jurisdiction(s).
14.1 Information security aspects of business continuity management
14.1.1 Including information A managed process shall be developed and maintained for business continuity
security in the throughout the organization that addresses the information security requirements
business continuity needed for the organisations business continuity.
management process
Page 14 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
15.1.4 Data protection and Data protection and privacy shall be ensured as required in relevant legislation,
privacy of personal regulations, and, if applicable, contractual clauses.
information
15.1.5 Prevention of misuse Users shall be deterred from using information processing facilities for unauthorized
of information purposes.
processing facilities
15.1.6 Regulation of Cryptographic controls shall be used in compliance with all relevant agreements,
cryptographic controls laws, and regulations.
Page 15 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
15.2.2 Technical compliance Information systems shall be regularly checked for compliance with security
checking implementation standards.
15.3 Information systems audit considerations
15.3.1 Information systems Audit requirements and activities involving checks on operational systems shall be
audit controls carefully planned and agreed to minimize the risk of disruptions to business
processes.
15.3.2 Protection of Access to information systems audit tools shall be protected to prevent any
information systems possible misuse or compromise.
audit tools
Page 16 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
Mandatory Requirement 4
Mandatory Requirement 6
Mandatory Requirement 4
Mandatory Requirement 6
Mandatory Requirement 1
Mandatory Requirement 2
Mandatory Requirement 3
Mandatory Requirement 1
Mandatory Requirement 1
Mandatory Requirement 6
Mandatory Requirement 8
Mandatory Requirement 9
Mandatory Requirement 10
Mandatory Requirement 11
Mandatory Requirement 12
Mandatory Requirement 13
Page 17 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
Mandatory Requirement 8
Mandatory Requirement 11
Mandatory Requirement 6
Mandatory Requirement 10
Mandatory Requirement 11
Mandatory Requirement 7
Mandatory Requirement 2
Mandatory Requirement 3
Mandatory Requirement 7
Mandatory Requirement 7
Page 18 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
Mandatory Requirement 1
Mandatory Requirement 13
Mandatory Requirement 14
Mandatory Requirement 11
Mandatory Requirement 2
Mandatory Requirement 3
Mandatory Requirement 12
Page 19 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
Mandatory Requirement 18
Mandatory Requirement 17
Mandatory Requirement 18
Mandatory Requirement 18
Mandatory Requirement 18
Mandatory Requirement 17
Mandatory Requirement 9
Mandatory Requirement 9
Mandatory Requirement 9
Page 20 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
Mandatory Requirement 10
Mandatory Requirement 11
Mandatory Requirement 11
Mandatory Requirement 11
Possibly covered by MR 9 if
in scope. GPG 7 refers.
Page 21 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
Mandatory Requirement 4
Mandatory Requirement 9
Mandatory Requirement 8
Mandatory Requirement 9
Mandatory Requirement 8
Mandatory Requirement 7
Mandatory Requirement 9
Mandatory Requirement 9
Mandatory Requirement 7
Mandatory Requirement 7
Page 22 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
Mandatory Requirement 10
Mandatory Requirement 9
Mandatory Requirement 10
Mandatory Requirement 9
Mandatory Requirement 10
Page 23 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
Mandatory Requirement 10
Mandatory Requirement 9
Mandatory Requirement 10
Mandatory Requirement 10
Mandatory Requirement 10
Mandatory Requirement 7
Mandatory Requirement 10
Mandatory Requirement 7
Mandatory Requirement 9
Mandatory Requirement 9
Mandatory Requirement 9
Mandatory Requirement 9
Mandatory Requirement 9
Mandatory Requirement 9
Page 24 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
Mandatory Requirement 9
Mandatory Requirement 9
Mandatory Requirement 9
Mandatory Requirement 9
Mandatory Requirement 9
Mandatory Requirement 9
Mandatory Requirement 9
Mandatory Requirement 7
Mandatory Requirement 9
Mandatory Requirement 9
Mandatory Requirement 9
Page 25 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
Mandatory Requirement 9
Mandatory Requirement 9
Mandatory Requirement 9
Mandatory Requirement 8
Page 26 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
Mandatory Requirement 7
Mandatory Requirement 9
Mandatory Requirement 8
Mandatory Requirement 12
Mandatory Requirement 12
Mandatory Requirement 12
Mandatory Requirement 12
Mandatory Requirement 12
Mandatory Requirement 4
Page 27 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
Mandatory Requirement 4
Mandatory Requirement 4
Mandatory Requirement 4
Page 28 of 45 www.halkynconsulting.co.uk
Halkyn Consulting SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
Mandatory Requirement 5
Mandatory Requirement 5
Mandatory Requirement 5
Mandatory Requirement 5
Page 29 of 45 www.halkynconsulting.co.uk
Halkyn Consulting Ltd SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
MR 3 Departments and Agencies must ensure that all staff are aware of Departmental security policies and understand
their personal responsibilities for safeguarding assets and the potential consequences of breaching security rules.
MR 4 Departments and Agencies must have robust and well tested policies, procedures and management arrangements in
place to respond to, investigate and recover from security incidents or other disruptions to core business.
MR 5 Departments and Agencies must have an effective system of assurance in place to satisfy their Accounting Officer /
Head of Department and Management Board that the organisation's security arrangements are fit for purpose, that
information risks are appropriately managed, and that any significant control weaknesses are explicitly acknowledged
and regularly reviewed.
MR 6 Departments and Agencies must have an information security policy setting out how they and any delivery partners
and suppliers will protect any information assets they hold, store or process (including electronic and paper formats
and online services) to prevent unauthorised access, disclosure or loss. The policies and procedures must be regularly
reviewed to ensure currency.
MR 7 Departments and Agencies must ensure that information assets are valued, handled, shared and protected in line
with the standards and procedures set out in the Government Protective Marking System (including any special
handling arrangements) and the associated technical guidance supporting this framework.
Page 30 of 45 www.halkynconsulting.co.uk
Halkyn Consulting Ltd SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
MR 7 Departments and Agencies must ensure that information assets are valued, handled, shared and protected in line
SPF Reference with the standards and procedures set out in Mandatory
the Government Protective Marking System (including any special
Requirements
handling arrangements) and the associated technical guidance supporting this framework.
MR 8 All ICT systems that handle, store and process protectively marked information or business critical data, or that are
interconnected to cross-government networks or services (e.g. the Government Secure Intranet, GSI), must undergo a
formal risk assessment to identify and understand relevant technical risks; and must undergo a proportionate
accreditation process to ensure that the risks to the confidentiality, integrity and availability of the data, system
and/or service are properly managed.
MR 9 Departments and Agencies must put in place an appropriate range of technical controls for all ICT systems,
proportionate to the value, importance and sensitivity of the information held and the requirements of any
interconnected systems.
Page 31 of 45 www.halkynconsulting.co.uk
Halkyn Consulting Ltd SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
MR 10 Departments and Agencies must implement appropriate procedural controls for all ICT (or paper-based) systems or
services to prevent unauthorised access and modification, or misuse by authorised users.
Page 32 of 45 www.halkynconsulting.co.uk
Halkyn Consulting Ltd SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
MR 11 Departments and Agencies must ensure that the security arrangements among their wider family of delivery partners
and third party suppliers are appropriate to the information concerned and the level of risk to the parent organisation.
This must include appropriate governance and management arrangements to manage risk, monitor compliance and
respond effectively to any incidents. Any site where third party suppliers manage assets at CONFIDENTIAL or above
must be accredited to List X standards.
MR 12 Departments and Agencies must have clear policies and processes for reporting, managing and resolving Information
Security Breaches and ICT security incidents.
MR 13 Departments must ensure that personnel security risks are effectively managed by applying rigorous recruitment
controls, and a proportionate and robust personnel security regime that determines what other checks (e.g. national
security vetting) and ongoing personnel security controls should be applied.
MR 14 Departments and Agencies must have in place an appropriate level of ongoing personnel security management,
including formal reviews of national security vetting clearances, and arrangements for vetted staff to report changes
in circumstances that might be relevant to their suitability to hold a security clearance.
MR 15 Departments must make provision for an internal appeals process for existing employees wishing to challenge
National Security Vetting decisions and inform Cabinet Office Government Security Secretariat should an individual
initiate a legal challenge against a National Security Vetting decision.
MR 16 Departments and Agencies must undertake regular security risk assessments for all sites in their estate and put in
place appropriate physical security controls to prevent, detect and respond to security incidents.
MR 17 Departments and Agencies must implement appropriate internal security controls to ensure that critical, sensitive or
protectively marked assets are protected against both surreptitious and forced attack, and are only available to those
with a genuine "need to know". Physical security measures must be proportionate to level of threat, integrated with
other protective security controls, and applied on the basis of the "defence in depth" principle.
MR 18 Departments and Agencies must put in place appropriate physical security controls to prevent unauthorised access to
their estate, reduce the vulnerability of establishments to terrorism or other physical attacks, and facilitate a quick
and effective response to security incidents. Selected controls must be proportionate to the level of threat,
appropriate to the needs of the business and based on the "defence in depth" principle.
Page 33 of 45 www.halkynconsulting.co.uk
Halkyn Consulting Ltd SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
Page 34 of 45 www.halkynconsulting.co.uk
Halkyn Consulting Ltd SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
A.6.1.1
A.7.1.3
A.8.2.2
A.5.1.1
A.5.1.2
A.10.5.1
A.14.1.1
A.14.1.2
A.14.1.3
A.14.1.4
A.14.1.5
A.15.2.1
A.15.2.2
A.15.3.1
A.15.3.2
A.5.1.1
A.5.1.2
A.6.1.3
A.6.2.2
A.15.1.1
A.15.1.2
A.15.1.3
A.15.1.4
A.15.1.5
A.15.1.6
A.7.1.1
A.7.2.1
Page 35 of 45 www.halkynconsulting.co.uk
Halkyn Consulting Ltd SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
Page 36 of 45 www.halkynconsulting.co.uk
Halkyn Consulting Ltd SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
Page 37 of 45 www.halkynconsulting.co.uk
Halkyn Consulting Ltd SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
A.8.1.2
A.12.1.1
A.9.1.3
A.9.2.1
9.1.1
9.1.2
9.1.4
9.1.5
9.1.6
Page 38 of 45 www.halkynconsulting.co.uk
Halkyn Consulting Ltd SPF - ISO 27001 Control Mapping info@halkynconsulting.co.uk
Page 39 of 45 www.halkynconsulting.co.uk
SPF Mandatory Requirements Halkyn Consulting Ltd info@halkynconsulting.co.uk
10
11
12
Page 40 of 45 www.halkynconsulting.co.uk
SPF Mandatory Requirements Halkyn Consulting Ltd info@halkynconsulting.co.uk
14
15
17
18
19
20
Page 41 of 45 www.halkynconsulting.co.uk
SPF Mandatory Requirements Halkyn Consulting Ltd info@halkynconsulting.co.uk
Departments and Agencies must ensure that all staff are aware of Departmental security
policies and understand their personal responsibilities for safeguarding assets and the potential
consequences of breaching security rules.
Departments and Agencies must have robust and well tested policies, procedures and
management arrangements in place to respond to, investigate and recover from security
incidents or other disruptions to core business.
Departments and Agencies must have an effective system of assurance in place to satisfy their
Accounting Officer / Head of Department and Management Board that the organisation's
security arrangements are fit for purpose, that information risks are appropriately managed,
and that any significant control weaknesses are explicitly acknowledged and regularly reviewed.
Departments and Agencies must ensure that information assets are valued, handled, shared
and protected in line with the standards and procedures set out in the Government Protective
Marking System (including any special handling arrangements) and the associated technical
guidance supporting this framework.
All ICT systems that handle, store and process protectively marked information or business
critical data, or that are interconnected to cross-government networks or services (e.g. the
Government Secure Intranet, GSI), must undergo a formal risk assessment to identify and
understand relevant technical risks; and must undergo a proportionate accreditation process to
ensure that the risks to the confidentiality, integrity and availability of the data, system and/or
service are properly managed.
Departments and Agencies must put in place an appropriate range of technical controls for all
ICT systems, proportionate to the value, importance and sensitivity of the information held and
the requirements of any interconnected systems.
Departments and Agencies must implement appropriate procedural controls for all ICT (or
paper-based) systems or services to prevent unauthorised access and modification, or misuse
by authorised users.
Departments and Agencies must ensure that the security arrangements among their wider
family of delivery partners and third party suppliers are appropriate to the information
concerned and the level of risk to the parent organisation. This must include appropriate
governance and management arrangements to manage risk, monitor compliance and respond
effectively to any incidents. Any site where third party suppliers manage assets at
CONFIDENTIAL or above must be accredited to List X standards.
Departments and Agencies must have clear policies and processes for reporting, managing and
resolving Information Security Breaches and ICT security incidents.
Page 42 of 45 www.halkynconsulting.co.uk
SPF Mandatory Requirements Halkyn Consulting Ltd info@halkynconsulting.co.uk
Departments and Agencies must have in place an appropriate level of ongoing personnel
security management, including formal reviews of national security vetting clearances, and
arrangements for vetted staff to report changes in circumstances that might be relevant to their
suitability to hold a security clearance.
Departments must make provision for an internal appeals process for existing employees
wishing to challenge National Security Vetting decisions and inform Cabinet Office Government
Security Secretariat should an individual initiate a legal challenge against a National Security
Vetting decision.
Departments and Agencies must put in place appropriate physical security controls to prevent
unauthorised access to their estate, reduce the vulnerability of establishments to terrorism or
other physical attacks, and facilitate a quick and effective response to security incidents.
Selected controls must be proportionate to the level of threat, appropriate to the needs of the
business and based on the "defence in depth" principle.
Departments and Agencies must ensure that all establishments in their estate put in place
effective and well tested arrangements to respond to physical security incidents, including
appropriate contingency plans and the ability to immediately implement additional security
controls following a rise in the Government Response Level.
Departments and Agencies must be resilient in the face of physical security incidents, including
terrorist attacks, applying identified security measures, and implementing incident
management contingency arrangements and plans with immediate effect following a change to
the Government Response Level.
Page 43 of 45 www.halkynconsulting.co.uk
SPF Mandatory Requirements Halkyn Consulting Ltd info@halkynconsulting.co.uk
uirements
Page 44 of 45 www.halkynconsulting.co.uk
SPF Mandatory Requirements Halkyn Consulting Ltd info@halkynconsulting.co.uk
Page 45 of 45 www.halkynconsulting.co.uk