Security

The police service within the UK has to comply with information security requirements from various sources. Some of these are legislative and others are mandated by the Cabinet Office on central government and public sector organisations.

There are also security requirements that must be met to allow interconnection to certain wide area networks. There are other standards which on their own are not mandatory, but which support the higher level policy requirements placed upon police forces. The list here does not include legislative aspects which apply to all organisations in the UK, such as the Data Protection Act, or broad legislation that applies to public sector organisations, such as the Freedom of Information Act.

On this page you will find details and links to various documents that set out what the police have to adhere to, and some supporting documents that describe how compliance can be achieved.

Please note that this list is not exhaustive, nor will every standard be required in every circumstance. Adhering to these documents does not, by itself, guarantee that a solution will meet police security requirements. All systems introduced into police service must be accredited, and the Accreditor is responsible for ensuring the technical and procedural controls address the risks commensurate with the risk appetite of the organisation. In addition, systems processing very sensitive information may have requirements in excess of those contained in these documents.

Statutory requirements

Statutory Code of Practice on the Management of Police Information (MoPI Code of Practice)

ACPO-NPIA Guidance on the Management of Police Information Second Edition 2010

National Requirements

The ACPO Community Security Policy (referenced below) sets out the following sources of Information Security Policy and Guidance:

  • HMG Security Policy Framework
  • ACPO and PIAB policies
  • HMG Information Assurance Standards (Not all publicly available)
  • CESG Good Practice Guides (Not publicly available)
  • CESG IA notices (Not all publicly available)
  • ISO/IEC 27001 – though there are now many other documents in the 27000 range

ACPO Community Security Policy

ACPO/ACPOS National Information Risk Appetite Statement