UK Cybersecurity Policy Requirements Map
Requirement Name | Requirement Summary | Related Policy Topic | Policy Relevance | Implementation Notes |
|---|---|---|---|---|
UK GDPR | ||||
UK GDPR Article 32 Security Of Processing | Controllers and processors must use appropriate technical and organisational security measures for personal data. | Security of Processing | Critical | State baseline controls for confidentiality, integrity, availability, resilience, testing, and recovery. |
Risk-Based Security Measures | Security measures should reflect risk, costs, data nature, processing scope, and likely harm. | Accountability | Critical | Require documented security risk assessments and proportionate control selection before major processing changes. |
Encryption And Pseudonymisation | Encryption and pseudonymisation are examples of measures that may protect personal data. | Security of Processing | Commonly Expected | Require encryption for portable devices, remote access, backups, and sensitive data transfers where appropriate. |
Confidentiality, Integrity, Availability And Resilience | Systems and services should preserve confidentiality, integrity, availability, and resilience. | Security of Processing | Critical | Include uptime, backup, disaster recovery, malware protection, monitoring, and change control expectations. |
Ability To Restore Personal Data | Organisations need the ability to restore access to personal data after physical or technical incidents. | Incident Response | Critical | Set backup frequency, restoration testing, ownership, retention, and ransomware recovery expectations. |
Regular Testing And Evaluation Of Security | Security measures should be regularly tested, assessed, and evaluated for effectiveness. | Security of Processing | Critical | Mandate vulnerability scans, penetration testing where appropriate, control reviews, and remediation tracking. |
ICO Personal Data Breach Notification | Report notifiable personal data breaches to the ICO without undue delay and usually within 72 hours. | Incident Response | Critical | Define breach triage, DPO escalation, notification approval, evidence logging, and 72-hour deadline handling. |
Communication Of High-Risk Breaches To Individuals | High-risk personal data breaches may need prompt communication to affected individuals. | Incident Response | Critical | Include criteria and approval routes for affected individual notices and support measures. |
Personal Data Breach Record Keeping | All personal data breaches should be documented, including facts, effects, and remedial action. | Record Keeping | Critical | Require a breach register covering timestamps, decisions, risk assessment, notifications, and lessons learned. |
Processor Breach Notification To Controller | Processors must notify controllers without undue delay after becoming aware of a personal data breach. | Supplier Oversight | Critical | Require supplier breach clauses, reporting channels, minimum information, and immediate internal escalation. |
Processor Contract Security Terms | Processor contracts must require appropriate security and documented processing instructions. | Supplier Oversight | Critical | State that processors need approved contracts covering security, confidentiality, sub-processors, audits, and deletion. |
Use Of Processors Providing Sufficient Guarantees | Controllers should use only processors giving sufficient guarantees for UK GDPR compliance and security. | Supplier Oversight | Critical | Require supplier security due diligence before onboarding and periodic reassessment for high-risk services. |
Confidentiality Commitments For Persons Processing Data | Processor personnel must be committed to confidentiality or under an appropriate statutory obligation. | Training and Awareness | Commonly Expected | Require confidentiality terms for employees, contractors, administrators, and supplier personnel with data access. |
UK GDPR Accountability Principle | Controllers must be responsible for and able to demonstrate compliance with data protection principles. | Accountability | Critical | Allocate security ownership, require approvals, maintain evidence, and define review and audit responsibilities. |
Data Protection By Design And Default | Controllers must embed data protection measures into processing design and default settings. | Accountability | Critical | Require security and privacy review for new systems, products, vendors, and major changes. |
Data Protection Impact Assessments | High-risk processing requires a DPIA assessing risks and measures to address them. | Record Keeping | Commonly Expected | Explain when DPIAs are required and link approval to security risk treatment plans. |
Records Of Processing Activities | Controllers and processors may need records covering processing, recipients, transfers, retention, and security measures. | Record Keeping | Commonly Expected | Require inventories of systems, data categories, owners, suppliers, transfers, and security measures. |
DPO Involvement In Security Governance | Where appointed, the DPO monitors compliance and advises on DPIAs and data protection obligations. | Accountability | Recommended Inclusion | Define DPO consultation points for incidents, DPIAs, high-risk systems, and policy reviews. |
International Transfer Safeguards | Restricted transfers of personal data need appropriate safeguards or another lawful transfer mechanism. | Supplier Oversight | Commonly Expected | Require approval for offshore hosting, support access, cloud regions, transfer risk assessments, and safeguards. |
Data Minimisation As A Security Control | Personal data should be adequate, relevant, and limited to what is necessary. | Security of Processing | Recommended Inclusion | Require collection limits, access limits, retention controls, and secure disposal of unnecessary data. |
Storage Limitation And Secure Disposal | Personal data should not be kept longer than necessary and should be securely disposed of. | Record Keeping | Recommended Inclusion | Refer to retention schedules, deletion approval, media sanitisation, and disposal supplier controls. |
Special Category Data Protection | Special category data requires additional protection because misuse can create higher risks. | Access Management | Commonly Expected | Require stricter access controls, encryption, logging, segregation, and approval for sensitive datasets. |
Criminal Offence Data Safeguards | Criminal offence data has restricted processing conditions and requires careful security handling. | Access Management | Recommended Inclusion | Limit access, prohibit unauthorised copies, and require documented approval for storage and disclosure. |
Data Protection Act 2018 | ||||
PECR Communications Service Security | Public electronic communications service providers have specific security duties under PECR. | Security of Processing | Recommended Inclusion | Include only for relevant telecoms or electronic communications services; align with incident and access controls. |
PECR Personal Data Breach Notification | Relevant communications providers must notify personal data breaches under PECR rules. | Incident Response | Recommended Inclusion | For relevant providers, distinguish PECR breach reporting from general UK GDPR breach reporting. |
Law Enforcement Processing Security | Competent authorities processing for law enforcement purposes have specific DPA 2018 security duties. | Security of Processing | Recommended Inclusion | Use only for competent authorities; require access logging, audit trails, and stricter role controls. |
National Security Certificate Handling | DPA 2018 contains national security exemptions that may affect information handling in limited cases. | Record Keeping | Optional Reference | Include only where relevant; require legal approval and restricted handling for exempt information. |
Companies Act Governance | ||||
Directors Duty To Promote Company Success | Directors must consider long-term consequences, employees, relationships, reputation, and stakeholders. | Accountability | Recommended Inclusion | Link cyber risk to board oversight, business continuity, reputation, customers, and long-term value. |
Directors Duty Of Reasonable Care, Skill And Diligence | Directors must exercise reasonable care, skill, and diligence, which is relevant to cyber risk oversight. | Accountability | Recommended Inclusion | Require senior management ownership, periodic reporting, risk acceptance approval, and policy review. |
Strategic Report Principal Risks And Uncertainties | Relevant companies must describe principal risks and uncertainties in the strategic report. | Record Keeping | Recommended Inclusion | Ensure cyber risks, incidents, and mitigations can be reported consistently where material. |
UK Corporate Governance Code Risk Management And Internal Control | Premium listed companies are expected to maintain effective risk management and internal controls. | Accountability | Commonly Expected | Frame information security as part of enterprise risk, controls assurance, and board reporting. |
Financial Services Expectations | ||||
FCA SYSC Systems And Controls | FCA-regulated firms must maintain appropriate systems, controls, and risk management arrangements. | Accountability | Critical | For regulated firms, align cyber policy with governance, risk controls, outsourcing, and compliance monitoring. |
FCA Operational Resilience | Firms must manage disruption to important business services within impact tolerances. | Incident Response | Critical | Map cyber incidents to important business services, impact tolerances, scenario testing, and communications. |
PRA Operational Resilience Expectations | PRA-regulated firms must identify important business services and prepare for severe but plausible disruption. | Incident Response | Critical | For PRA firms, tie cyber controls to resilience testing, remediation plans, and board accountability. |
FCA Outsourcing And Third-Party Risk Management | Regulated firms must manage outsourcing risks and retain responsibility for outsourced activities. | Supplier Oversight | Critical | Require due diligence, written agreements, exit plans, monitoring, access controls, and incident reporting by suppliers. |
FCA Principle 11 Regulator Notification | Firms must deal with regulators openly and disclose matters regulators would reasonably expect notice of. | Incident Response | Critical | Include assessment and escalation for cyber incidents that may require FCA notification. |
PRA Notification Of Significant Operational Incidents | PRA firms may need to notify significant operational incidents under rulebook expectations. | Incident Response | Critical | For PRA firms, route significant cyber incidents to regulatory affairs and senior management immediately. |
Public Sector Guidance | ||||
NIS Regulations Security Duties | Operators of essential services and relevant digital service providers must manage network and information system risks. | Security of Processing | Critical | For in-scope organisations, align policy with NCSC CAF outcomes and competent authority expectations. |
NIS Incident Notification Duties | In-scope organisations must report incidents meeting regulatory thresholds to the relevant authority. | Incident Response | Critical | Add NIS reporting triggers, responsible authority contacts, and parallel ICO or sector notification checks. |
NCSC Cyber Assessment Framework | CAF provides outcome-based cyber security and resilience principles for important UK services. | Accountability | Commonly Expected | Use CAF objectives to structure governance, protection, detection, response, and recovery policy commitments. |
NCSC 10 Steps To Cyber Security | NCSC 10 Steps provides practical areas for managing cyber risk across organisations. | Security of Processing | Commonly Expected | Map policy sections to risk management, engagement, asset management, architecture, vulnerabilities, and incidents. |
NCSC Small Business Guide Controls | NCSC guidance recommends practical basics for smaller UK organisations. | Training and Awareness | Recommended Inclusion | Include simple rules for passwords, updates, backups, phishing, malware protection, and mobile devices. |
Industry Standard | ||||
Cyber Essentials Technical Controls | Cyber Essentials covers basic technical controls often required by UK customers and government contracts. | Security of Processing | Commonly Expected | Reference firewalls, secure configuration, access control, malware protection, and security update management. |
Cyber Essentials Plus Verification | Cyber Essentials Plus adds independent technical verification of Cyber Essentials controls. | Security of Processing | Recommended Inclusion | Mention where certification is contractually required or used as security assurance evidence. |
Contractual Requirement | ||||
Cyber Essentials For Certain Government Contracts | Some UK government contracts require Cyber Essentials certification from suppliers. | Supplier Oversight | Commonly Expected | State certification ownership, renewal, evidence retention, and flow-down obligations to subcontractors if required. |
Public Sector Guidance | ||||
Government Security Classification Handling | Government information should be handled according to the applicable UK security classification. | Access Management | Recommended Inclusion | For public sector work, require classification marking, need-to-know access, approved storage, and secure sharing. |
Government Security Policy Framework | The SPF sets government security expectations for departments and relevant suppliers. | Accountability | Recommended Inclusion | Use where handling government assets; include governance, personnel, physical, and cyber security expectations. |
NHS Data Security And Protection Toolkit | Health and care organisations use the DSPT to evidence data security and protection standards. | Accountability | Commonly Expected | For health-sector work, align policy with DSPT assertions, training, incident reporting, and audit evidence. |
NHS Confidentiality And Caldicott Handling | Health and care information should be handled under confidentiality and Caldicott principles. | Access Management | Recommended Inclusion | For health data, include need-to-know access, confidentiality reminders, disclosure controls, and Caldicott escalation. |
Industry Standard | ||||
ISO IEC 27001 Information Security Management System | ISO 27001 provides a certifiable framework for risk-based information security management. | Accountability | Commonly Expected | Use to define scope, risk treatment, control ownership, policy hierarchy, audits, and continual improvement. |
ISO IEC 27002 Security Controls | ISO 27002 gives detailed control guidance supporting ISO 27001 implementation. | Security of Processing | Recommended Inclusion | Use as a control catalogue for access, assets, suppliers, cryptography, logging, incidents, and continuity. |
ISO IEC 27005 Information Security Risk Management | ISO 27005 supports structured identification, assessment, and treatment of information security risks. | Accountability | Optional Reference | Reference if using formal risk methods; define risk appetite, owners, treatment plans, and review cadence. |
PCI DSS Cardholder Data Security | Organisations handling payment card data may need to comply with PCI DSS contractually. | Security of Processing | Critical | If card data is handled, include scope, segmentation, access controls, logging, vulnerability management, and testing. |
Contractual Requirement | ||||
SOC 2 Security Trust Services Criteria | Customers may expect SOC 2 assurance for service organisations handling sensitive data. | Record Keeping | Recommended Inclusion | Use where customer assurance is needed; align policy commitments with auditable control evidence. |
Customer Security Schedule Compliance | Customer contracts often require defined security controls, audits, breach notices, and subcontractor controls. | Supplier Oversight | Commonly Expected | Require legal review of security schedules and maintain a register of customer-specific security obligations. |
Contractual Security Incident Notice Periods | Contracts may require incident notice faster than statutory reporting periods. | Incident Response | Critical | Record customer notice deadlines and require contract checks during incident triage. |
Security Audit Rights And Evidence | Contracts and standards may require evidence of control operation and audit cooperation. | Record Keeping | Commonly Expected | Require retention of policies, risk assessments, logs, training records, test results, and remediation evidence. |
Industry Standard | ||||
Role-Based Access Control | Access should be granted according to business need and role responsibilities. | Access Management | Critical | Define access request, approval, least privilege, periodic review, and removal on role change or exit. |
Privileged Access Management | Administrator and privileged accounts need stronger approval, monitoring, and protection. | Access Management | Critical | Require named admin accounts, MFA, just-in-time access where possible, logging, and prompt revocation. |
Multi-Factor Authentication | MFA reduces account compromise risk, especially for remote, administrator, and cloud access. | Access Management | Critical | Mandate MFA for privileged users, remote access, email, cloud admin, and high-risk systems. |
Password And Authentication Rules | Authentication rules should reduce weak passwords and support secure account recovery. | Access Management | Commonly Expected | Set password manager, blocked password, MFA, account lockout, and secure reset expectations. |
Joiner Mover Leaver Access Process | Access should be created, changed, and removed promptly through controlled HR and IT processes. | Access Management | Critical | Require manager approval, role change review, leaver revocation, asset return, and account disabling. |
Information Asset Inventory | Organisations should know what devices, systems, data, and services they need to protect. | Record Keeping | Critical | Require owners for assets, classification, business criticality, location, supplier, and review frequency. |
Data Classification And Handling | Data should be classified so users understand required handling and protection levels. | Access Management | Commonly Expected | Define classification labels, permitted storage, sharing rules, encryption, and disposal methods. |
Vulnerability Management | Known vulnerabilities should be identified, prioritised, remediated, and tracked. | Security of Processing | Critical | Define scanning, patch prioritisation, remediation timeframes, exceptions, and reporting. |
Security Update And Patch Management | Devices and software should be kept up to date to reduce exploitation risk. | Security of Processing | Critical | Set patch deadlines, emergency patching, unsupported software restrictions, and exception approvals. |
Secure Configuration | Systems should be configured securely and unnecessary functionality removed or disabled. | Security of Processing | Critical | Require approved baselines, hardening, default password removal, configuration review, and change control. |
Malware Protection | Organisations should reduce malware risk through prevention, detection, and recovery controls. | Security of Processing | Commonly Expected | Require endpoint protection, application control where suitable, email filtering, backups, and user reporting. |
Logging And Security Monitoring | Logs and monitoring help detect attacks, investigate incidents, and evidence control operation. | Incident Response | Critical | Define log sources, retention, alerting, access to logs, time synchronisation, and investigation procedures. |
Cyber Incident Management Lifecycle | Cyber incidents should be prepared for, detected, contained, eradicated, recovered, and reviewed. | Incident Response | Critical | Set incident roles, severity levels, escalation, communications, evidence handling, and lessons learned. |
Business Continuity And Disaster Recovery | Continuity arrangements should support recovery from cyber incidents, including ransomware and system outages. | Incident Response | Critical | Require recovery priorities, backup isolation, restore testing, crisis communications, and continuity plan exercises. |
Backup Protection And Restore Testing | Backups should be protected and tested so important data can be restored after loss or compromise. | Security of Processing | Critical | Specify backup scope, frequency, encryption, offline or immutable copies, access control, and restore tests. |
Remote Working Security | Remote working needs secure devices, access, networks, collaboration tools, and reporting routes. | Access Management | Commonly Expected | Set requirements for approved devices, VPN or secure access, MFA, screen privacy, and home Wi-Fi. |
Mobile Device And BYOD Security | Mobile and personal devices need controls to protect organisational and personal data. | Access Management | Commonly Expected | Require device encryption, screen locks, update compliance, remote wipe, app controls, and BYOD approval. |
Cloud Security Responsibilities | Cloud services require clear responsibility for configuration, access, data location, monitoring, and resilience. | Supplier Oversight | Critical | Require cloud risk review, secure configuration, MFA, logging, backup, region approval, and exit planning. |
Supplier Security Due Diligence | Suppliers should be assessed for cyber risk before onboarding and during the relationship. | Supplier Oversight | Critical | Require risk tiering, security questionnaires, certifications, contract clauses, and periodic monitoring. |
Contractual Requirement | ||||
Subcontractor And Sub-Processor Controls | Subcontractors and sub-processors can increase risk and should be approved and controlled. | Supplier Oversight | Critical | Require approval, flow-down security terms, sub-processor lists, change notice, and termination controls. |
Industry Standard | ||||
Security Awareness Training | Staff should understand security responsibilities, phishing risks, reporting, and safe information handling. | Training and Awareness | Critical | Require induction, annual refreshers, phishing guidance, role-based training, and completion records. |
Phishing Awareness And Reporting | Users should know how to recognise and report suspicious emails, messages, and websites. | Training and Awareness | Commonly Expected | Set a clear reporting route and prohibit punishment for good-faith reporting of suspicious activity. |
Acceptable Use Of IT Systems | Users need clear rules for permitted use of company systems, internet, email, and data. | Training and Awareness | Commonly Expected | Cover prohibited software, personal use, data sharing, removable media, monitoring, and disciplinary consequences. |
Secure Software Development | Software should be designed, developed, tested, and maintained with security controls. | Security of Processing | Recommended Inclusion | Require secure coding, code review, dependency checks, secrets control, test environments, and release approval. |
Security Change Management | Changes to systems should be assessed, approved, tested, and documented to avoid introducing risk. | Record Keeping | Commonly Expected | Define change approval, emergency changes, rollback, security testing, segregation of duties, and records. |
Physical Security For Information Assets | Physical access to devices, records, server rooms, and secure areas should be controlled. | Access Management | Recommended Inclusion | Include visitor controls, clear desk, locked storage, equipment security, and secure disposal. |
Removable Media Controls | Removable media can cause data loss and malware infection and should be restricted. | Security of Processing | Recommended Inclusion | Restrict USB use, require encryption, scanning, approval, logging, and secure disposal. |
Email Security Controls | Email should be protected against phishing, spoofing, malware, and data leakage. | Security of Processing | Commonly Expected | Require filtering, anti-spoofing controls, MFA, secure attachments, and rules for sensitive email use. |
Network Security And Boundary Protection | Networks should be designed and configured to reduce unauthorised access and lateral movement. | Security of Processing | Commonly Expected | Include firewalls, segmentation, secure Wi-Fi, remote access controls, and network change approval. |
Security Records Retention | Security evidence should be retained long enough to support audits, investigations, and compliance. | Record Keeping | Commonly Expected | Set retention periods for logs, incidents, approvals, risk assessments, training, supplier reviews, and tests. |
Policy Review And Approval | Security policies should be approved, reviewed, updated, and communicated at suitable intervals. | Accountability | Commonly Expected | Require owner, approval body, annual review, change history, exceptions, and staff communication. |
What Should A UK Cybersecurity Policy Cover?
A UK cybersecurity or information security policy should normally cover UK GDPR Article 32 security of processing, accountability, access control, incident response, supplier oversight, records, and staff training. For organisations processing personal data, these are not merely best-practice topics; they help evidence compliance with the UK GDPR and the Data Protection Act 2018.
Which Requirements Are Most Critical For UK Organisations?
- Security of processing: policies should describe proportionate technical and organisational measures such as encryption, access controls, backup, resilience, vulnerability management, and testing.
- Incident response: policies should include escalation, assessment, containment, evidence preservation, and UK GDPR personal data breach notification routes, including the 72-hour ICO notification expectation where applicable.
- Supplier oversight: if processors or outsourced IT providers are used, policies should require due diligence, written contracts, security instructions, audit rights, and breach reporting obligations.
- Accountability and record keeping: policies should allocate ownership, require documented decisions, maintain processing and security records, and support board or senior management oversight.
How Do Sector Rules Affect An Information Security Policy?
Regulated firms, public sector bodies, and organisations working under enterprise or government contracts may need stronger language than a generic policy. Financial services firms should reflect FCA operational resilience and systems and controls expectations, while public sector suppliers may need Cyber Essentials, NCSC guidance, or government security classification handling requirements.
Why Should The Policy Be Practical Rather Than Merely Aspirational?
UK regulators and customers generally expect a policy that is implementable, evidenced, and supported by procedures. A strong policy should state who is responsible, what controls are mandatory, how incidents are escalated, how staff are trained, and how compliance is reviewed.