Digital and technology skills

Cabinet Office

Cyber security and information assurance

Maintaining the confidentiality, integrity and availability of services and information as well as protecting services against threats.

Cyber security and information assurance covers appropriate steps that must be taken to guarantee security when building and managing a service.

Some relevant roles: technical architects, developers, chief technology officers, chief digital officers, senior information risk owners (SIRO) and departmental security officers (DSO).

Confidentiality, integrity and availability

Government Security Classification Scheme

This involves:

  • implementing the security controls necessary in government IT systems with consideration of the new Government Security Classification scheme
  • understanding that at the ‘OFFICIAL’ classification tier the very best security technology from the commercial market will provide suitable defence with no need for bespoke or government-only controls
  • understanding that further security should be considered for information at classifications higher than the ‘OFFICIAL’ tier

Security policies

Ensuring security policies meet standards and legislation

This involves:

  • creating security policies for an organisation or business unit (eg an organisation’s overall approach to security or single issues such as the management of data centres, internet connectivity or remote access)
  • making sure those security policies are in line with the 3 main concepts of information security (confidentiality, integrity and availability) as well as appropriate legislation, government standards and governance requirements

Following security guidelines

Being familiar with the Cyber Security Guidance for Business and the policies outlined in the Cyber Essentials scheme.

Security controls

Choosing appropriate security controls

This involves:

  • employing different kinds of controls to maintain security (physical, technical and people/culture controls)
  • advising on the use of those controls in the development of systems and services
  • understanding that, as we move more towards commodity technologies and cloud computing, knowledge of these controls will need to change

Basing policies on desired security outcomes

This involves:

  • setting out security policies by stating a desired security outcome that security controls can achieve in a proportionate manner
  • understanding that security outcomes should be traceable to an identified risk and controls clearly traceable to a security outcome

Avoiding excessive security by meeting user needs

This involves:

  • putting user needs in context, so that security controls avoid over-prescriptive use of technology that leads to a degraded user experience
  • understanding that over-prescriptive technologies cause users to suffer degraded productivity or to circumvent security controls, compromising the service
  • ensuring that security is factored in at the design stage and not bolted on at the end of production

Implementing controls against common internet threats

This involves being:

  • familiar with ‘The 20 Critical Security Controls for Cyber Defence’ from the Centre for the Protection of National Infrastructure (CPNI)
  • able to implement the basic controls that are needed to reduce risk from common internet-based threats, as outlined in the Cyber Essentials scheme
  • aware of when an assessment against the Cyber Essentials or Cyber Essentials+ schemes is necessary

Secure architecture

This involves:

  • understanding the design and architecture of security technology, infrastructure, and network build
  • using attack prevention tools and techniques as they relate to application defences and operating system defences

Risk assessment

Carrying out effective risk assessments against threats and vulnerabilities, while keeping in mind the risk appetite of the department and the costs of addressing potential issues.

Threat analysis

This involves:

  • analysing the probable interest in government information from threat sources
  • establishing the capabilities and methods of those threat sources
  • advising on proportionate ways to reduce these threats in a traceable manner
  • understanding that over-engineering security controls can lead to poor user experience, or provide illusions of security without actually reducing the risks

Emerging threats

This involves:

  • tracking emerging threats and risks
  • knowing what to monitor in the threat landscape, such as state-sponsored attacks and ‘back door’ attacks via third-party vendors

Intrusion detection and prevention

This involves:

  • designing, testing and implementing intrusion detection and prevention
  • being able to run penetration tests to ensure data leak prevention
  • understanding that the nature of government services means they can be targets for a wide range of different threats – from financially motivated criminals and online activists up to nation states

Cryptography

This involves:

  • understanding the basic principles of asymmetric and symmetric encryption
  • being able to implement disk and file level encryption solutions
  • understanding the application of cryptography to promote security in systems such as Wireless

Operational management of cyber security incidents

This involves understanding:

  • the role of an information security operations centre (ISOC) including the reporting mechanisms in place and who to report incidents to
  • the roles of CERT-UK and GovCertUK in cyber security
  • follow-up actions that may be needed after reporting an incident, including possible legal action

Audits and verifying user behaviour

This involves:

  • conducting security testing and audits
  • establishing systems to verify user behaviour to ensure policy compliance
  • understanding that the Civil Service Reform Plan and new classification scheme place emphasis on greater user responsibility and reducing restrictive technical controls

Cloud security and Cloud First

Considering and implementing security in a cloud environment

This involves:

  • assessing the security risks of implementing cloud technologies, in line with the government’s Cloud Security Principles and ‘Cloud First’ policy
  • understanding the security impacts of using these services (vital, as public sector organisations must now consider and fully evaluate potential cloud solutions before they consider any other option)

Ensuring suppliers meet cloud security requirements

This involves:

  • reviewing/auditing third-party suppliers’ adoption of the Cloud Security Principles and other Information Assurance requisites
  • ensuring that the supplier follows the requirements throughout the service or system’s delivery

Open standards and open source

This involves:

  • advising on the use of open standards and open source technologies in government
  • understanding that government is committed to a level playing field for open technologies
  • understanding and deploying security best practice when using these technologies

Security of open and big data

This involves:

  • explaining the benefits and risks associated with big and open data, particularly those relating to data confidentiality and subject privacy
  • understanding organisational and regulatory compliance related to this

Learning resources:

Information Risk Management for Government (IS1/2) is the training advised for those in government carrying out risk assessment. CESG has a list of providers licensed to give IS1/IS2 training.

CESG has approved Certification Bodies to assess Information Assurance (IA) professionals on their capability to perform IA roles across the public sector.

CCP offers Master’s degrees in cyber security certified by the Government Communications Headquarters. These offer a deeper understanding of cyber security concepts, principles, technologies and practices.

The Government Security Profession is an organisation within the Civil Service committed to the professional development of security professionals working in government.

The Open University website offers an Introduction to cyber security online course. It gives an overview of cyber security, different types of malware (eg viruses and trojans), network security, cryptography, identity theft, risk management etc.

Widely acknowledged as Her Majesty’s Government’s standard for cyber security professionals, the CESG Certified Professionals (CCP) scheme offers courses covering roles such as:

  • accreditor
  • IA auditor
  • IA architect
  • IT security officer
  • security and risk advisor
  • communications security
  • penetration tester

The Institute of Information Security Professionals publishes a skills framework describing the range of competencies expected of information security and information assurance professionals in the effective performance of their roles.

Read the Cabinet Office policy paper The National Cyber Security Strategy 2013: forward plans and achievements to find out about the government’s plans on how the UK can improve its cyber security by focusing on increasing knowledge, resilience and stability.