
Information and Cyber Security

This section on information and cyber security provides our initial documents to support the information security programme with advice and support around cyber security.

Data protection often looks at the security and legalities of personal data, while information security looks at more practical steps to secure all data in your organisation. In reality, the two are intrinsically linked, and the DPE data protection framework utilised many approaches from information security frameworks.

The documents include:
  • Cyber Essentials Guidance
  • Business Continuity Template
  • Information Security Policy
  • Physical Security Policy
  • Changing IT Provider Considerations
Whilst Cyber Essentials is a recommended framework, you may find it is not right for you. However, the areas it covers are those that your organisation needs to pay attention to, so it is worth reviewing.

For a complete Information Security programme, other resources and tools are necessary, as well as strategic coordination with your information technology and facilities specialists. However, it is important to remember that accountability and governance are the responsibility of leadership, while practical security and data protection are everyone's responsibility.

Other policies and tools should be used as part of your information security programme and these are an important part of a data protection programme. These include:
  • Clear desk policies
  • Record of processing (supplier, systems and hardware due diligence)
  • Retention schedules
  • Records management
  • Risk management
  • Bring your own device
  • Acceptable use
  • Password Management
  • User Access Control
  • etc.
Nothing should be taken in isolation. These tools and resources all work together.

Risk assessment is a key factor in information governance. We have therefore provided a new e-learning module on risk assessment.

Templates, Policies and Guidance:

Cyber Essentials Guidance (24 KB)

What to do immediately after a Cyber Attack (58 KB)

DPE Business Continuity Template (37 KB)

Information Security Policy (469 KB)

DPE Model Physical Security Policy

Advice and guidance when changing IT providers: DPE Changing IT Provider Considerations (205 KB)

Related Best Practice Areas

Drip-feed posters

Stay Safe Online Infographic
NCSC Ten Steps to Cyber Security Infographic


External links

Get Ready for Cyber Essentials

ISO/IEC 27001 and related standards

ICO Information Security Checklist

NCSC Cyber Security Toolkit for Boards

NEN Standard Network Design:

NEN MAT Standard Network Design

NEN Secondary Standard Network Design

NEN Primary Standard Network Design

How to Report a Cyber Attack

Tell someone! Report to IT. Report to SLT.

Unplug the computer from the internet by removing the ethernet cable or turning the Wi-Fi off.

If you are a victim of a ransomware attack, we would recommend reporting this to Action Fraud: https://www.actionfraud.police.uk/ as well as to your data protection officer so they can advise about the data loss. Most cyber crimes like these will also need to be reported to the ICO by your data protection officer.

Government Cyber Incident Reporting Service: https://signpost-cyber-incident.service.gov.uk/

Isolate the infected device and pass it to IT.

Always ensure there are backups you can restore from.

Little Guide to ACTION FRAUD

Remember – ‘Hackers don’t break in, they log in’!

How can we prevent a cyber attack from phishing?

What does cyber mean?

What is a vulnerability?

What is cloud computing?

What is malware?

What is MFA? (Multi Factor Authentication)

What is Phishing?

What is the dark web vs deep web?

What is the difference between a virus and anti-virus software?

What should we do in the event of a cyber attack?

Where can I report phishing emails?

Ask a question

Have a question about Information or Cyber Security? Ask it here.