Business with us

You should have clear ownership and oversight of cyber security, information security, resilience and data protection within your organisation. That includes:

• Clearly defined roles, responsibilities and accountability, that fit with your wider risk management arrangements
• Appropriate policies, procedures and standards that your staff have read and acknowledged
• Metrics in place to guide security activity and monitor compliance
• Cyber and information security needs built into your procurement and supply chain processes, to manage risks from third parties  

You should understand what you have, what matters most, and what needs protecting. That includes:

• Maintaining accurate inventories of hardware, software, data and systems throughout their lifecycle
• Maintaining an accurate inventory of critical and important business services, products or activities, including dependencies on third parties
• Maintaining an accurate inventory of your own supply chain, with due diligence, controls and assurance in place for the whole length of the contract
• Carrying out regular risk assessments to identify cyber, information security, resilience and data protection risks, assess their impact and put appropriate controls in place
• Completing data privacy impact assessments and applying appropriate controls where issues are identified  

You should have controls in place to prevent harm and lower the risks of something going wrong. That includes:

• Making sure people and systems only have the minimum access they need, and then removing that access as soon as it’s no longer needed
• Knowing what systems you have so you can spot missing updates or security weaknesses and fix them quickly
• Making sure employees have the right skills to perform their roles effectively
• Offering ongoing training so staff can spot and report phishing attempts, cyber threats and data breaches straight away
• Having the right security software in place to protect devices and systems from viruses and other harmful software
• Designing networks that are secure, with appropriate separation to protect systems and the data they handle
• Delivering services that are designed to be resilient, including plans for next steps if something does go wrong  

You should be able to identify issues quickly when they come up. That includes:

• Monitoring systems, networks and assets for any unusual activity or potential security issues
• Using tools and techniques to detect harmful or out-of-the-ordinary behaviour
• Making sure that buildings, systems and supporting facilities (such as alarms, CCTV, power and ventilation) are physically protected and monitored
• Being aware of everything that happens across your systems, and actively investigating and responding to any suspicious activity
• Putting phishing-proof multi-factor authentication (MFA) in place for systems that can accessed online or have admin privileges, or for situations involving sensitive or personal data  

You should be ready to act quickly and effectively if something goes wrong. That includes:

• Having response plans in place, with clear roles and communication strategies for managing problems
• Investigating detected issues, assessing their impact, and taking immediate steps to contain and counter threats
• Carrying out lessons-learned reviews and using the findings to improve governance, risk management and plans for future situations  

You should be able to restore services and data quickly after an incident. That includes:

• Maintaining recovery strategies and plans, and testing them regularly
• Putting controls in place to maintain critical operations during a disruption and restore IT services and business processes as soon as possible
• Using lessons learned from incidents and near misses to strengthen recovery plans and reduce the chance of something going wrong again for systems, data and supply chains