Information security

Assess your compliance with data protection in the specific areas of information and cyber security policy and risk, mobile and home working, removable media, access controls and malware protection.


Risk management

Your business has established a process to identify, assess and manage information security risks. Your business ensures information security risks are assessed and appropriately managed.

Before you can establish what level of security is right for your business you will need to review the personal data you hold and assess the risks to that information. You should consider all processes involved as you collect, store, use, share and dispose of personal data. Also, consider how sensitive or confidential the data is and what damage or distress could be caused to individuals, as well as the reputational damage to your business, if there was a security breach. With a clearer view of the risks you can begin to choose the security measures that are appropriate for your needs.


Information security policy

Senior management has approved and published an appropriate information security policy. Your business provides management direction and support for information security in accordance with business needs and relevant laws and regulations.

A policy will enable you to address security risks in a consistent manner. This can be part of a general policy or a standalone policy statement that is supported by specific policies. The policy should clearly set out your business' approach to security together with responsibilities for implementing the policy and monitoring compliance. You or your business should have a process in place to ensure that information security related policies and procedures are reviewed and approved before implementation. You should then give policies and procedures set review dates, and review and update them in line with agreed timescales or when required. It is good practice to have a document in place which outlines the agreed style that all policies, procedures and guidance documents must follow, and to communicate it to relevant managers and staff.


Information security responsibility

Your business has defined and allocated information security responsibilities. Your business has established a management framework to coordinate and review the implementation of information security.

It is good practice to identify a person or department in your business with day-to-day responsibility for developing, implementing and monitoring the security policy. They should have the necessary authority and resources to fulfil this responsibility effectively. For larger organisations, it is common to appoint 'owners' with day-to-day responsibility for the security and use of business systems. Without clear accountability for the security of systems and specific processes, your overall security will not be properly managed or coordinated and will quickly become flawed and out of date.


Third party service providers

Your business has established written agreements with third party service providers that include appropriate information security conditions. Your business ensures the protection of personal data that is accessed by suppliers and providers.

Many small businesses outsource some or all of their data processing requirements to hosted (including cloud based) services. You must be satisfied that these 'data processors' will treat your information securely as your business will remain responsible for ensuring the processing complies with the DPA. You must choose a provider that gives sufficient guarantees about its security measures. For example, you might review copies of any security assessments and, where appropriate, visit their premises to make sure they have appropriate security arrangements in place. You must also have a written contract setting out what the provider is allowed to do with the personal data and requiring them to take the same security measures you would have to take to comply with the DPA. If you use a provider to erase data and dispose of or recycle your ICT equipment, make sure they do it adequately. You will be held responsible if personal data collected by you is extracted from your old equipment if it is resold.


Incident management

Your business has established a process to report and recover from data security breaches. Your business ensures the management of data security breaches, including communication of information security events and weaknesses.

Data security breaches may arise from a theft, an attack on your systems, the unauthorised use of personal data by a member of staff, or from accidental loss or equipment failure. However a breach occurs it is important that you deal with it effectively and learn from it. You should have a process to report breaches to management as soon as staff become aware of them, and to investigate and implement recovery plans. Ideally, you should monitor the type, volume and cost of incidents to identify trends and help prevent recurrences.


Training and awareness

Your business has established regular information security awareness training for all staff. Your business ensures that employees and contractors are aware of and fulfil their information security responsibilities.

You should brief all staff on their security responsibilities, including the appropriate use of business systems and ICT equipment. You should also train your staff to recognise common threats such as phishing emails and malware infection, and how to recognise and report data security breaches. You should ensure that staff with specific security responsibilities or with privileged access to business systems are adequately trained and qualified as appropriate. You should schedule training to take place on or shortly after appointment with updates at regular intervals thereafter or when required. You should also reinforce training using other methods including intranet articles, circulars, team briefings and posters. Well-designed security measures will not work if staff do not know about or follow business policies and procedures. You should make policies and procedures available to all staff using staff intranet pages, policy libraries or through leaflets and posters. It is good practice to circulate bulletins or newsletters to help disseminate and inform staff of new policies and subsequent updates when required.


Secure areas

Your business has established entry controls to restrict access to premises and equipment on a need-to-know basis. Your business prevents unauthorised physical access, damage and interference to personal data.

You should consider entry controls including doors and locks, and whether premises are protected by alarms, security lighting or CCTV. You should also consider how you control access within premises and how you supervise visitors. Servers should be located in a separate room and protected by additional controls.


Secure storage

Your business has established secure storage arrangements to protect records and equipment. Your business prevents loss, damage, theft or compromise of personal data.

All your staff should lock away paper records and mobile computing devices when not in use ('clear desk and equipment'). Also, you should encourage staff to promptly collect documents from printers, fax machines and photocopiers, and you should switch devices off outside business hours. Ideally, you should implement secure printing.


Secure disposal

Your business has established a process to securely dispose of records and equipment when no longer required.

All your staff should securely dispose of paper records by shredding. If you use a provider to erase data and dispose of or recycle your computers, make sure they do it adequately. You may be held responsible if personal data collected by you is extracted from your old equipment if it is resold.


Home and mobile working procedures

Your business has established a mobile working policy. Your business ensures the security of mobile working and the use of mobile computing devices.

Mobile working can involve the storage and transit of personal data outside the secure boundaries of your business. Mobile computing devices (for example, laptops, notebooks, tablets and smartphones) are vulnerable to theft and loss, and there are confidentiality risks when using devices in public places. You should assess the risks of mobile working (including remote working where mobile devices can connect to the corporate network) and devise a policy that sets out rules for authorising and managing mobile working.


Secure configuration

Your business has established a process to configure new and existing hardware to reduce vulnerabilities and provide only the functionality and services required.

The default installation of ICT equipment can include vulnerabilities such as unnecessary guest or administrative accounts, default passwords that are well known to attackers, and pre-installed but unnecessary software. These vulnerabilities can provide attackers with opportunities to gain unauthorised access to personal data held in business systems. You should securely configure (or 'harden') ICT equipment on installation. Maintaining an inventory of ICT equipment will help you to identify and remove unnecessary or unauthorised hardware and software.
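Hardening is easiest to get right when the check is written down and repeatable. The script below is an added example (not from this page) that audits an OpenSSH server configuration, one of the services most often found enabled out of the box, against a small baseline. The two configuration fragments are constructed, and the baseline values and the MaxAuthTries ceiling of 4 are choices made for the example. The OpenSSH defaults applied when a directive is absent (PermitRootLogin prohibit-password, PasswordAuthentication yes, PermitEmptyPasswords no, X11Forwarding no, MaxAuthTries 6) are the documented ones, and the parser keeps the first value of a duplicated directive because that is how sshd resolves it.

```python
# Constructed sshd_config fragments for the example: a default-style install and
# a hardened replacement. Neither comes from a real host.
WEAK_CONFIG = """\
# default-style configuration as shipped with the host (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
# a later duplicate does NOT override the first value: sshd uses the first one seen
PermitRootLogin no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
"""

# directive -> (OpenSSH default when the directive is absent, acceptable values)
BASELINE = {
    "permitrootlogin": ("prohibit-password", {"no"}),
    "passwordauthentication": ("yes", {"no"}),
    "permitemptypasswords": ("no", {"no"}),
    "x11forwarding": ("no", {"no"}),
}
MAX_AUTH_TRIES = 4          # ceiling chosen for this example baseline
DEFAULT_MAX_AUTH_TRIES = 6  # OpenSSH default


def parse_sshd_config(text):
    """Return {directive_lowercase: value}, keeping the FIRST value of each
    directive because that is how sshd resolves duplicates. Parsing stops at the
    first Match block: directives inside it are conditional and need a separate
    review rather than being merged into the global view."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        config.setdefault(key, value)             # first occurrence wins
    return config


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config meets the baseline."""
    config = parse_sshd_config(text)
    findings = []
    for key, (default, acceptable) in BASELINE.items():
        effective = config.get(key, default).lower()   # explicit value or OpenSSH default
        if effective not in acceptable:
            origin = "set explicitly" if key in config else "defaulted"
            findings.append(f"{key} is '{effective}' ({origin}); expected one of {sorted(acceptable)}")
    tries = int(config.get("maxauthtries", DEFAULT_MAX_AUTH_TRIES))
    if tries > MAX_AUTH_TRIES:
        findings.append(f"maxauthtries is {tries}; expected at most {MAX_AUTH_TRIES}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("default-style", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_sshd_config(cfg) or 'no findings'}")
```

Running the audit against the default-style fragment reports four findings (root login, password authentication, X11 forwarding and the defaulted MaxAuthTries), and the trailing `PermitRootLogin no` line does not rescue it, which is exactly the kind of silently ineffective edit an inventory-driven review should catch. The same audit against the hardened fragment reports nothing.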


Removable media

Your business has established controls to manage the use of removable media. Your business prevents unauthorised disclosure, modification, removal or destruction of personal data stored on media.

Removable media (for example, CD/DVDs, USB drives, smartphones) is highly vulnerable to theft or loss, and uncontrolled use can lead to data breaches. Where there is a business need to store personal data on removable media, you should implement a software solution that can set permissions or restrictions for individual devices as well as entire classes of devices. Personal data should be minimised and encrypted.


User access controls

Your business has established a process to assign user accounts to authorised individuals, and to manage user accounts effectively to provide the minimum access to information. Your business limits access to personal data held in information systems.

Access to systems holding personal data should be authorised by management, and user permissions restricted to the absolute minimum (or 'least privilege'). You should assign each user their own username and password to ensure accountability.


System password security

Your business has established appropriate password security procedures and 'rules' for information systems and has a process in place to detect any unauthorised access or anomalous use.

Users' access credentials (eg a username and password or passphrase) are particularly valuable to attackers. A 'brute force' password attack is a common threat, so you need to enforce strong passwords, regular password changes, and limit the number of failed login attempts. (Note that current NCSC guidance advises against forcing routine password expiry for its own sake, because it pushes users towards weaker, predictable passwords; the priority should be changing a password promptly when you suspect it has been compromised.) You should enable and actively encourage your users to choose a strong password. You can increase the strength and complexity of a password by:
* creating a long password or passphrase;
* using a wide range of characters, such as a mix of uppercase letters, lowercase letters, numbers, punctuation marks and other symbols;
* avoiding the use of dictionary words where possible;
* avoiding simple substitutions such as 'p4$$w0rd'; and
* avoiding the use of patterns derived from the physical keyboard layout (eg 'qwerty' or '1qaz2wsx').
You should also monitor user activity to detect any anomalous use. Having multiple passwords for different systems can be difficult for staff to remember; however, it is important that passwords are not written down or recorded in accessible locations or in system logs. You should promptly disable accounts when a user changes duties or leaves the business.
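The rules above can be enforced mechanically at the point where a user sets a password. The checker below is an added example (not part of the original page) that implements each rule in turn: minimum length, a spread of character classes, dictionary words including the 'p4$$w0rd' style of substitution, and runs typed along the physical keyboard layout. The minimum length of 12, the three-class requirement, the four-character run that counts as a keyboard pattern and the tiny word list are all assumptions made for the example; a real deployment would load a full dictionary and a breached-password list from disk.

```python
import re

MIN_LENGTH = 12        # policy minimum (assumed value for the example)
MIN_CLASSES = 3        # of: lowercase, uppercase, digits, symbols
MIN_PATTERN_RUN = 4    # length of keyboard walk that counts as a pattern

# Constructed word list for the example; load a real dictionary and a
# breached-password list in production.
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "admin", "monkey"}

# Rows and columns of a US keyboard, so 'qwerty', 'asdf' and '1qaz2wsx' are caught.
KEYBOARD_WALKS = [
    "1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik9ol0p",
]

# Common single-character substitutions, reversed so 'p4$$w0rd' reads 'password'.
LEET_MAP = str.maketrans({"4": "a", "@": "a", "$": "s", "5": "s", "0": "o",
                          "1": "i", "!": "i", "3": "e", "7": "t", "|": "l"})


def _char_classes(pw):
    """Count how many of the four character classes the password draws on."""
    return sum(1 for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]") if re.search(p, pw))


def _contains_keyboard_walk(pw):
    """True if any MIN_PATTERN_RUN characters follow a keyboard row or column, in either direction."""
    low = pw.lower()
    for walk in KEYBOARD_WALKS:
        for seq in (walk, walk[::-1]):
            for i in range(len(seq) - MIN_PATTERN_RUN + 1):
                if seq[i:i + MIN_PATTERN_RUN] in low:
                    return True
    return False


def _contains_dictionary_word(pw):
    """True if a listed word appears as typed or after undoing simple substitutions."""
    low = pw.lower()
    unleeted = low.translate(LEET_MAP)
    return any(w in low or w in unleeted for w in COMMON_WORDS)


def check_password(pw):
    """Return the list of policy rules the password breaks; empty means acceptable."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if _char_classes(pw) < MIN_CLASSES:
        failures.append(f"fewer than {MIN_CLASSES} character classes")
    if _contains_dictionary_word(pw):
        failures.append("contains a dictionary word (including simple substitutions)")
    if _contains_keyboard_walk(pw):
        failures.append("contains a keyboard-layout pattern")
    return failures


if __name__ == "__main__":
    for candidate in ("p4$$w0rd", "1qaz2wsx!Ab", "Summer2024!!", "correct-Horse-battery-9staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'acceptable'}")
```

The de-substitution step is deliberately applied before the dictionary lookup, since a checker that only compares the literal string would happily accept 'p4$$w0rd' as containing three character classes and no dictionary word. Note that the checker tells the user which rule failed rather than merely rejecting the password, which makes the policy far easier to follow.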


Malware protection

Your business has established effective anti-malware defences to protect computers from malware infection. Your business ensures that personal data is protected against malware.

Computers can be infected with malware (for example, viruses, worms, Trojans, spyware) via email attachments, websites and removable media. This can result in the loss or corruption of personal data. You should install malware protection software to regularly scan your computer network in order to detect and prevent threats. You will need to make sure the software is kept up-to-date and that you educate users about common threats.


Backup and restoration

Your business has established a process to routinely back-up electronic information to help restore information in the event of disaster. Your business ensures protection against the loss of personal data.

You should take regular back-ups to help restore personal data in the event of disaster or hardware failure. The extent and frequency of back-ups should reflect the sensitivity and confidentiality of the personal data, and its criticality to the continued operation of the business. Ideally, you should keep back-ups in a secure location away from the business premises, and regularly test the restoration of personal data to check the effectiveness of the back-up process.
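A backup that has never been restored is only a hope. The following is an added example (not code from this page) that builds an archive with a SHA-256 manifest and then performs the restore test the paragraph recommends: it extracts into a scratch directory and compares every file against the manifest, reporting missing, altered or unexpected files. The two small CSV files and the deliberately wrong manifest are constructed for the example; the archive format and checksum choice are assumptions, and the data-set layout is invented.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, archive_path):
    """Archive every file under source_dir; return and save a {relative_path: sha256} manifest."""
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                manifest[rel] = _sha256(p)
                tar.add(str(p), arcname=rel)
    Path(f"{archive_path}.manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive_path, manifest):
    """Restore into a scratch directory and check it against the manifest.
    Returns a list of problems; an empty list means the backup restores intact."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuse absolute/../ paths (Python 3.12+ and backports)
            except TypeError:
                tar.extractall(scratch)                 # older Python without the filter argument
        restored = Path(scratch)
        for rel, digest in manifest.items():
            target = restored / rel
            if not target.is_file():
                problems.append(f"missing: {rel}")
            elif _sha256(target) != digest:
                problems.append(f"checksum mismatch: {rel}")
        on_disk = {p.relative_to(restored).as_posix() for p in restored.rglob("*") if p.is_file()}
        for rel in sorted(on_disk - manifest.keys()):
            problems.append(f"unexpected file: {rel}")
    return problems


def run_demo():
    """Build a constructed data set, back it up, then run the restore test twice:
    once with the true manifest and once with a manifest that simulates corruption
    and a file that was never captured. Returns (clean_problems, tampered_problems)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "customers").mkdir(parents=True)
        (src / "hr").mkdir()
        (src / "customers" / "list.csv").write_text("id,name\n1,A Example\n")   # constructed
        (src / "hr" / "payroll.csv").write_text("id,salary\n1,30000\n")          # constructed
        archive = work / "data-backup.tar.gz"
        manifest = create_backup(src, archive)
        clean = verify_restore(archive, manifest)
        wrong = dict(manifest)
        wrong["hr/payroll.csv"] = "0" * 64    # simulate silent corruption of one file
        wrong["hr/pensions.csv"] = "0" * 64   # simulate a file that should have been backed up
        tampered = verify_restore(archive, wrong)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("true manifest:", clean or "restore verified")
    print("wrong manifest:", tampered)
```

Keep the manifest with the off-site copy rather than only on the source system, otherwise an attacker or fault that damages the primary data can also damage the record you would use to tell whether the restore succeeded.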


Monitoring and logging

Your business has established a process to log and monitor user and system activity to identify and help prevent data breaches. Your business records events and generates evidence.

Monitoring and logging can help your business to detect and respond to external threats and any inappropriate use of information assets by staff. You should continuously monitor inbound and outbound network traffic to identify unusual activity (for example, large transfers of personal data) or trends that could indicate an attack. Business systems should be capable of logging user access to systems holding personal data in support of access control policy monitoring and investigations. Monitoring and logging must comply with any legal or regulatory constraints, including the DPA. For example, you should make staff aware of any monitoring.
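Two of the signals mentioned above, repeated failed logins from one source and unusually large outbound transfers, can be picked out of ordinary logs with a few lines of code. The script below is an added example (not from this page) that runs both detections over constructed sample data: an OpenSSH-style authentication log and a flow log in a simple key=value form. The log lines, host names, addresses, the five-failures-in-ten-minutes rule and the 500 MiB outbound threshold are all invented for the example and should be tuned to your own environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5                      # assumed policy values, not from the page
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
OUTBOUND_BYTES_THRESHOLD = 500 * 1024 * 1024    # 500 MiB from one internal host

# Constructed sample lines in OpenSSH/syslog style (not real logs).
AUTH_LOG = """\
Mar 12 09:01:03 fileserver sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar 12 09:01:05 fileserver sshd[2103]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Mar 12 09:01:09 fileserver sshd[2105]: Failed password for root from 203.0.113.9 port 51024 ssh2
Mar 12 09:02:41 fileserver sshd[2110]: Failed password for jsmith from 10.0.0.5 port 40112 ssh2
Mar 12 09:02:50 fileserver sshd[2112]: Accepted password for jsmith from 10.0.0.5 port 40113 ssh2
Mar 12 09:03:12 fileserver sshd[2120]: Failed password for root from 203.0.113.9 port 51025 ssh2
Mar 12 09:03:30 fileserver sshd[2122]: Failed password for invalid user test from 203.0.113.9 port 51026 ssh2
Mar 12 09:03:40 fileserver sshd[2124]: Failed password for invalid user backup from 203.0.113.9 port 51027 ssh2
Mar 12 11:20:00 fileserver sshd[2301]: Failed password for jsmith from 198.51.100.22 port 33000 ssh2
Mar 12 11:45:00 fileserver sshd[2302]: Failed password for jsmith from 198.51.100.22 port 33001 ssh2
"""

# Constructed flow records (an invented key=value export, not a real device format).
FLOW_LOG = """\
2024-03-12T10:15:00 src=10.0.0.21 dst=198.51.100.7 dport=443 bytes_out=734003200
2024-03-12T10:20:00 src=10.0.0.33 dst=192.0.2.10 dport=443 bytes_out=20971520
2024-03-12T10:41:00 src=10.0.0.21 dst=198.51.100.7 dport=443 bytes_out=120000000
"""

AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
FLOW_RE = re.compile(r"src=(?P<src>[\d.]+) .*?bytes_out=(?P<bytes>\d+)")


def _parse_syslog_ts(ts):
    # syslog timestamps carry no year; that is fine for ordering within one file
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def detect_brute_force(log_text):
    """Return {source_ip: peak_failures_in_window} for sources that hit the threshold.
    Uses a sliding window so a slow, spread-out attempt below the rate is not flagged."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m and m.group("result") == "Failed":
            failures[m.group("ip")].append(_parse_syslog_ts(m.group("ts")))
    flagged = {}
    for ip, times in failures.items():
        window, peak = deque(), 0
        for t in sorted(times):
            window.append(t)
            while t - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= FAILED_LOGIN_THRESHOLD:
            flagged[ip] = peak
    return flagged


def detect_large_transfers(flow_text):
    """Return {internal_host: total_bytes_out} for hosts whose total exceeds the threshold."""
    totals = defaultdict(int)
    for line in flow_text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            totals[m.group("src")] += int(m.group("bytes"))
    return {src: n for src, n in totals.items() if n > OUTBOUND_BYTES_THRESHOLD}


if __name__ == "__main__":
    print("brute-force sources:", detect_brute_force(AUTH_LOG))
    print("large outbound transfers:", detect_large_transfers(FLOW_LOG))
```

In the sample data 203.0.113.9 is flagged (six failures in under three minutes), while the user who mistyped once and then logged in, and the remote address with two failures half an hour apart, are not. The transfer check sums per host across the log period rather than looking at single records, since exfiltration is often spread over several connections. These detections only work if the systems actually write the events, so make sure authentication logging is enabled on systems holding personal data and that the logs are shipped somewhere an intruder cannot simply delete them.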


Patch management

Your business has established a process to ensure software is kept up-to-date and the latest security patches are applied. Your business prevents the exploitation of technical vulnerabilities.

Most popular software products contain technical vulnerabilities that can be exploited by attackers to gain unauthorised access to personal data held in your systems. You should use the latest versions of operating systems, web browsers and applications, and ensure these are updated regularly to help prevent the exploitation of unpatched vulnerabilities.


Boundary firewalls

Your business has established boundary firewalls to protect computers from external attack and exploitation. Your business ensures the protection of personal data in networks.

Attackers can gain unauthorised access to personal data if you do not protect the boundary between your computer network and the internet. You should install a firewall to monitor and restrict network traffic based on an agreed set of rules. A well configured firewall is your first line of defence against external attack and can help to prevent data breaches, for example, by blocking malware or hacking attempts. You should also minimise the impact of data breaches by segmenting and limiting access to network components that contain personal data. For example, your web server should be separate from your main file server. If your website is compromised then the attacker will not have direct access to your central data store.