Information Security policy
Updated 23 December 2025
15 December 2025
This Information Security Policy is part of a suite of policies designed to promote consistency across the Department for Work and Pensions (DWP) and supplier base with regards to the implementation and management of security controls. For the purposes of this policy, the term DWP and Department are used interchangeably.
Security policies considered appropriate for public viewing are published on GOV.UK.
Security policies cross-refer to each other where needed, so they can be confidently used together. They contain both mandatory and advisory elements, described in consistent language – see the table below.
| Term | Intention |
|---|---|
| must | denotes a requirement: a mandatory element |
| should | denotes a recommendation: an advisory element |
| may | denotes approval |
| might | denotes a possibility |
| can | denotes both capability and possibility |
| is/are | denotes a description |
Overview
The DWP Information Security Policy sets out the DWP’s commitment to safeguarding its information assets, the privacy of its claimants, citizens, staff, and the integrity of its services. It establishes the framework for managing information security risks effectively and proportionately across the department and its supply chain.
The DWP Security Strategy envisions supporting our customers through a culture of business-focused, risk-informed, and proactive security that enables resilient public services. This policy is a cornerstone in achieving that vision, embedding the principle of ‘Security by Design’ throughout the system lifecycle and ensuring systems are built securely and operated effectively.
This policy provides the high-level principles and mandatory requirements for securing DWP’s information and information systems. To ensure a comprehensive, risk-based, and universally understood structure, this policy is organised to align with the core functions of the NIST Cybersecurity Framework (CSF) and the principles of the NCSC Cyber Assessment Framework (CAF), and supports DWP’s adherence to mandatory UK Government standards, including the Cabinet Office Cyber Security Standard and the GovAssure process. This provides the strategic framework under which more detailed operational control sets, such as the CIS Top 18 Controls, are utilised to meet policy requirements.
Purpose
The purpose of this policy is to:
- Protect the Confidentiality, Integrity, and Availability of all DWP information assets.
- Ensure compliance with all relevant legal, regulatory, and contractual obligations, including but not limited to the UK GDPR, the Data Protection Act 2018 and The Network and Information Systems (NIS) Regulations (2018).
- Manage information security risks in line with the department’s risk appetite.
- Contribute to fostering a security-aware culture where all users understand their security responsibilities.
- Enable the secure delivery of DWP’s services and strategic objectives.
- Adhere to DWP’s core security assurance principles: Lawful, Necessary, Proportionate, Effective, and Efficient.
Scope
This policy must be adhered to by:
a) All DWP personnel (employees, contractors, and temporary staff), business partners, suppliers, and Arm’s Length Bodies (ALBs) who access, process, store or transmit DWP information or connect to DWP systems. From this point forward, referred to collectively as “users”.
This policy applies to:
b) All information assets, regardless of form, media, or location (for example, electronic data, paper documents, and spoken information)
c) All DWP information technology (IT) and operational technology (OT) systems, networks, applications, services, and devices, whether owned, leased, or managed by DWP or by third parties on DWP’s behalf.
This policy forms the baseline for DWP’s information security requirements. It does not replace any legal or regulatory requirements but aims to ensure DWP meets and, where appropriate, exceeds them.
Definitions
Cyber Assessment Framework (CAF):
A framework developed by the NCSC to guide organisations in assessing their cyber resilience.
Chief Security Officer (CSO):
The senior executive accountable for the organisation’s overall security.
Encryption:
The process of converting data into a code to prevent unauthorised access. While other data protection techniques such as anonymisation and pseudonymisation are also used to protect data, they are distinct processes from encryption.
Information Asset Owner (IAO):
This is a mandated UK Government role. In line with DWP’s Data Governance model, these responsibilities are formally discharged by roles such as Data Owners, Data Stewards, or Data Custodians.
Senior Information Risk Owner (SIRO):
A senior individual, typically at Director General level, accountable for the organisation’s overall information risk posture and for formally accepting significant residual information risk on behalf of the Accounting Officer. This is a key functional requirement of government security standards. (Note: The specific DWP assignment for this role is currently subject to departmental review).
The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF):
Provides the structure for the policy statements below.
Policy Exception:
A formal, documented, and approved deviation from a policy requirement.
Risk Appetite:
The amount and type of risk that an organisation is willing to pursue or retain.
Sensitive Information:
Information whose compromise, unauthorised access, loss, or disclosure would cause harm to DWP, its staff, citizens, or services. This includes all Special Category Data (as defined by UK data protection law) and other critical assets such as financial data, commercial information, and security material.
Policy Statements
The following policy statements are structured according to the NIST CSF. Each section explicitly states its alignment with the principles of the National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF) to ensure DWP’s efforts are focused on achieving measurable cyber resilience outcomes.
1. Govern
1.1 DWP’s Executive Team and senior leadership must demonstrate a clear and visible commitment to information security. This commitment is assured as adequate and appropriate at a strategic level by the DWP Departmental Audit and Risk Assurance Committee (DARAC).
1.2 Clear information security roles, responsibilities, and accountabilities must be defined, documented, assigned, and communicated. Key roles are detailed in Accountabilities and Responsibilities (below).
1.3 The Permanent Secretary is accountable for determining the department’s risk appetite and tolerance for information security risk.
1.4 This Information Security Policy must be reviewed at least biennially, or more frequently if triggered by significant changes. The review process must include the identification and assessment of new and updated government legislation, regulations, information and cyber security policies and standards. The review is managed through the DWP Policy and Standards Review Group (PSRG).
1.5 Any deviation from this policy must be managed through the formal, documented exception process, requiring a business justification, risk assessment, and approval via the established governance procedures. A deviation from a mandatory supporting DWP Security Standard is considered a deviation from this policy and must follow the formal exception process.
2. Identify
2.1 DWP must systematically identify, inventory, and maintain a comprehensive register of all its information assets, recorded on the DWP Information Asset Register (IAR).
2.2 All assets must be classified according to the DWP Security Classification Policy, which is based on the HM Government Security Classifications Policy and an Information Asset Owner (IAO) must be assigned to each.
2.3 DWP must establish, document, and maintain a formal enterprise-wide information security risk management framework, aligned with the DWP Risk Management Framework and HM Treasury’s Orange Book.
2.4 Identified risks must be documented on a risk register, be assigned a risk owner, and be subject to regular review.
2.5 DWP must implement a comprehensive, risk-based Contract Supply Chain Security Assurance process, in alignment with the Government supplier assurance framework. All new contracts must be assessed to determine the need for a specific Security Schedule. Specific security requirements must be addressed and flowed down to suppliers, proportionate to the risk, within all contractual agreements. Where appropriate and possible, this will be via a DWP Security Schedule.
3. Protect
3.1 DWP must implement robust personnel security measures throughout the employment lifecycle, including security screening (for example, BPSS or National Security Vetting) and secure joiner, mover, and leaver processes as detailed in the DWP Personnel Security Policy and in alignment with the HMG Security Standard.
3.2 DWP must deliver a continuous and role-based security awareness, education, and training programme for all users. All users in scope of this policy must complete all mandatory annual security and data protection awareness training relevant to their role. Users must adhere to the DWP Acceptable Use Policy.
3.3 Secure procedures must be followed for the sanitisation or destruction of information and media, in alignment with the DWP Hardware Lifecycle Management Security Policy. Data Loss Prevention (DLP) technologies and processes must be implemented where appropriate to detect and prevent unauthorised exfiltration of sensitive information.
3.4 Access to DWP information and systems must be controlled based on the principles of Least Privilege and Role-Based Access Control (RBAC). Strong authentication must be implemented, including the use of Multi-Factor Authentication (MFA) for remote access to the DWP corporate network and for all privileged user accounts, unless a specific, documented, and approved risk-based exception is in place for specialist accounts (for example, emergency break-glass accounts). For third-party services used for official DWP business where DWP information is processed, stored, or transmitted and DWP cannot enforce MFA, a risk assessment must be conducted and documented to determine whether alternative or compensating controls are required.
3.5 DWP must implement appropriate physical and environmental security controls to protect its premises, assets, and infrastructure, as mandated by the DWP Physical Security Policy.
3.6 DWP must implement Mobile Device Management (MDM) controls for all corporate mobile devices, aligned with the Government Cyber Security Policy – Mobile Device Management.
3.7 Information security requirements must be integrated into all phases of the System Development Lifecycle (SDLC). All new systems must undergo security testing before deployment. A robust vulnerability management process must be implemented to remediate vulnerabilities in a timely manner, in compliance with the DWP Technical Vulnerability Management Policy. All new systems must undergo a formal assurance process to be defined by the DWP Security Assurance strategy before entering service, and all live systems must have documented Security Operating Procedures (SyOps).
3.8 DWP must implement measures to protect data throughout its lifecycle; sensitive information must be encrypted both at rest and in transit. DWP must use approved cryptographic controls to protect the confidentiality, integrity, and authenticity of sensitive information, in accordance with the DWP Information Management Policy, the DWP Use of Cryptography Security Standard, and the DWP Cryptographic Key Management Policy.
3.9 The development and use of Artificial Intelligence (AI) and Machine Learning (ML) systems must be subject to a specific risk assessment and adhere to the principles of the DWP Artificial Intelligence Security Policy.
4. Detect
4.1 DWP must implement comprehensive security monitoring and logging capabilities across its IT environment, in line with the DWP Protective Monitoring Security Policy. Sufficient audit logs must be generated, collected, protected, and securely stored from critical systems and reviewed for indicators of compromise.
4.2 DWP must deploy and maintain appropriate threat detection technologies (for example, Security Information and Event Management (SIEM), Intrusion Detection/Prevention Systems (IDS/IPS), and Endpoint Detection and Response (EDR)) to identify and alert on potential security events in near real-time, in alignment with the DWP Technical Vulnerability Management Policy.
4.3 DWP must establish and maintain processes for consuming relevant cyber threat intelligence to inform its security posture and detection capabilities.
5. Respond
5.1 DWP must establish, document, and maintain a formal, DWP-wide security incident management capability and plan, in compliance with the DWP Security Incident Management Standard (SS-014).
5.2 The Security Incident Response Team (SIRT) is responsible for coordinating the response to security incidents. All actual or suspected security incidents must be reported immediately via approved channels.
5.3 A mandatory post-incident review process (‘lessons learned’) must be conducted for security incidents; the priority and scale of this review must be proportionate to the incident’s impact, as defined in the DWP Security Incident Management Standard. The DWP Security Forensic Readiness Policy details the requirements for evidence preservation to support these reviews.
5.4 The incident management plan must include procedures for timely and appropriate internal and external communication during and after security incidents.
6. Recover
6.1 Information security requirements must be integrated into DWP’s Business Continuity Management (BCM) framework and plans and must comply with the DWP Business Continuity, Readiness and Response (BCRR) Policy.
6.2 DWP must develop, document, and regularly test a strategic Disaster Recovery (DR) framework. This framework must be supported by specific plans for different environments (for example, on-premises data centres, cloud services, and networks) and inform detailed operational recovery procedures that define the sequence and steps for restoring critical services.
6.3 Security incident response, business continuity, and disaster recovery plans must be regularly tested and exercised to validate their effectiveness.
Accountabilities and Responsibilities
The DWP Chief Security Officer (CSO) is the accountable owner of the DWP Information Security Policy and is responsible for its maintenance and review, through the DWP Deputy Director for Security Policy and Data Protection.
Key roles include, but are not limited to:
- Accounting Officer (AO): Ultimately accountable for security within DWP.
- Chief Security Officer (CSO): Accountable owner of this policy; responsible for its implementation, maintenance, and review.
- Senior Information Risk Owner (SIRO): Accountable for the department’s overall information risk strategy, the acceptance of significant residual risk, and providing assurance over the information risk management framework.
- Information Asset Owners (IAOs) / Data Owners: Responsible for the appropriate management and protection of specific information assets, in line with DWP’s Data Governance Model (often fulfilled by roles such as Data Owners, Data Stewards, or Data Custodians).
- Head of Digital Security: Leads programmes to improve cyber security controls.
- Line Managers: Responsible for ensuring their staff understand and comply with this policy.
- All DWP Users: Responsible for complying with this policy, reporting security incidents, and completing mandatory training.
Compliance
a) This policy applies to all DWP users and relevant third parties (including but not limited to suppliers and contractors). All have security responsibilities and must be aware of, and comply with, DWP’s security policies and standards.
b) Many of DWP’s employees and contractors handle sensitive information daily and so need to practise minimum baseline behaviours appropriate to the sensitivity of the information. Most security incidents and breaches relate to information security. A security incident is defined as the attempted or actual unauthorised access, use, disclosure, modification, loss or destruction of an Authority asset in violation of security policy. This includes both deliberate and accidental events.
c) Information security is important, and breaches can, in the most severe circumstances, result in dismissal for employees or termination of contract for suppliers, in accordance with the DWP Discipline Policy. All security incidents must be reported in accordance with the DWP Security Incident Management Standard (SS-014). DWP users must use the DWP Security Incident Referral Form as their primary reporting mechanism.
d) DWP’s Security and Data Protection Team will regularly assess for compliance with this policy and may need to inspect physical locations, technology systems, design and processes and speak to people to facilitate this. All DWP employees, agents, contractors, consultants, business partners and service providers will be required to facilitate, support, and when necessary, participate in any such inspection.
e) Failure to comply with this policy by DWP users may result in disciplinary action, up to and including dismissal, in accordance with DWP’s Discipline Procedures.
f) If for any reason users are unable to comply with this policy or require use of technology which is outside its scope, they must discuss this with their line manager in the first instance and then the Security Advice Centre (SAC), who can provide advice on escalation and exception routes.
g) A Security Policy Exception may be requested in instances where a business case can be made to undertake an activity that is non-compliant with DWP’s Security Policies. This helps to reduce the risk of non-compliant activity and security incidents. If an individual is aware of an activity that falls into this category, they should notify the Security Policy and Standards Team immediately.