This snapshot taken on 05/09/2007, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.

Cabinet Office


Information Assurance Governance Framework

Introduction

Purpose of this Paper

Corporate governance has been the focus of increasing attention in recent years. In the UK this focus has led to the production of the Turnbull Report, which stated that:

The board should maintain a sound system of internal control to safeguard shareholders’ investment and the company’s assets.

and that:

The directors should, at least annually, conduct a review of the effectiveness of the group’s system of internal control and should report to shareholders that they have done so. The review should cover all controls, including financial, operational and compliance controls and risk management.

The purpose of this framework is to explain the processes of Information Assurance (IA) governance, and to provide guidance on implementation, through references to applicable standards and statements of best practice.

Objectives

The objectives of the framework are to:

Audience

The development of this framework is set against a background of increasing commonality of approach across Government in the areas of Information Assurance and Information Risk Management. Consequently, while this framework is aimed at Central Government at present, it is intended for use in time by the wider public sector. Adoption into the wider public sector will require a rationalisation exercise, given that, in some sectors (such as the NHS), similar governance frameworks have been established.

One of the key issues in applying this guidance to the wider public sector is that in some areas such as the NHS, the Central Government frameworks and standards such as the Manual of Protective Security do not apply. Although the framework is aimed at Central Government departments, wherever possible the guidance has been supplemented with a reference to an applicable standard.

Readership

The content of the framework is aimed at those with significant security responsibilities within the public sector, to help them understand the role of information risk management within a business context. It is intended as a reference guide on IA governance, which can be used by those involved with owning, procuring, developing, implementing and operating Information Systems (IS) services.

Ownership

The production and agreement of an appropriate governance framework is called for as part of the Government Strategy for Information Assurance.

Editorial ownership of the framework is through the Information Assurance Policy Committee (IAPC) and the Information Assurance Policy Programme Board (IAPPB). The Central Sponsor for Information Assurance (CSIA) will be responsible for maintaining the framework with changes approved by the IAPC and IAPPB.

Review

The framework will be reviewed at least annually, to take into account developments in IA standards.