As we mentioned recently, the UK Government has released an updated version of the Security Policy Framework (SPF), which details the security requirements for government agencies and departments. It also applies to any private sector bodies providing services to the Government (such as List X companies).
Where there is a requirement to comply with the framework, there is also a need to have some mechanism by which you can assess your compliance. Using List X companies as an example, the normal method is to have your sponsoring Agency carry out a security assessment and let you know if you are compliant. Being caught out of compliance can, depending on the Agency in question, carry serious consequences and has been the cause of contract termination.
As a result of this, it is understandable that most organisations (including Government Agencies & Departments, not just supply contractors) want to have some way by which they can determine how compliant they are with the regulations.
In addition, for organisations looking to tender for Government work, being able to determine how easy (or difficult) it will be to meet the requirements is essential for producing a realistic and fair costing – over the years there have been dozens of companies who have made unrealistic tenders for Government work, only realising when it is too late that the cost of compliance destroys any hope of making a profit from the work.
This difficulty in carrying out self-assessments, and in doing a gap analysis for tenders, has led us to produce a draft SPF Compliance Self Assessment Tool for free download. You are welcome to make use of this tool for your own internal assessments of your security controls and, when you have completed your assessment, it will give you some easy-to-understand metrics of how compliant you currently are.
With this information, you will be able to properly assess any remediation work, or, if you are considering tendering for new work, you can make a much more accurate estimate of costs. However, please note: this tool is still in draft form and is dependent on the ability and honesty of the people carrying out the self-assessment work. It is not a replacement for a security survey carried out by a professional, and even showing full compliance on this tool may not mean you are deemed compliant during a Government Security Review.
If you have any questions, or would like an informal chat about how to ensure you are compliant, then get in touch. Our security consultants have many years of experience working with central and local Government bodies and can help you both achieve and maintain compliance with HMG Standards and international good practice guides.