Understanding the Security Policy Framework & frequently asked questions

What is the Security Policy Framework?

The Security Policy Framework (SPF) contains the primary internal protective security policy and guidance on security and risk management for HM Government Departments and associated bodies. It is the source on which all localised security policies should be based.  The framework supersedes the Manual of Protective Security and has been made publicly available for the first time; however, it has clearly been necessary to restrict access to some technical and procedural material on security grounds.  Whilst it is recognised that security policies will differ according to the range of business and risks faced by each organisation, the framework does set out the minimum security requirements which are mandatory for all Government Departments and Agencies. The framework also provides technical information, advice and guidance to support implementation of the policy requirements.

What was the Manual of Protective Security (MPS)?

The Manual of Protective Security (MPS) was the primary source of protective security policy advice and guidance for government. It set out the government’s policy on its own internal security and contained some specific security controls and procedures, which meant it was a RESTRICTED document and therefore not publicly available. It has been superseded by the Security Policy Framework, much of which has been made publicly available for the first time. However, it has clearly been necessary to restrict access to some technical and procedural material on security grounds to avoid introducing or increasing vulnerability.

Who is the SPF for?

The SPF sets out 70 minimum security requirements for security policy that all Government Departments and Agencies (defined as including all bodies directly responsible to them) must adhere to. This framework should also be extended, where necessary, to any organisations working on behalf of, or handling HMG assets, such as Non-Departmental Public Bodies (NDPBs), contractors, Emergency Services, devolved administrations, Local Authorities, or any regular suppliers of goods and/or services. It is for Departments to stipulate where and what level of compliance is required of their delivery partners, and where equivalent security policies are acceptable. Organisations wishing to adopt the framework should note that this website does not provide the full guidance necessary to implement effective protective security and should contact Cabinet Office to obtain further information if they qualify under one of the above categories.

Why is the Government putting its security measures in the public domain?

The Government is committed to greater transparency, as demonstrated by the publishing of the National Security Strategy in March 2008, without introducing or increasing vulnerability. This also reinforces greater accountability across HM Government by committing Departments to publicly available security standards. The Government has a duty to lead in this process; ultimately, however, security is the responsibility of everyone, and it is important to increase public knowledge and awareness so that each one of us can play our part. Although much of the SPF has been made publicly available for the first time, it has clearly been necessary to restrict access to some technical and procedural material on security grounds.

What is Protective Security?

Protective Security is the term used to encapsulate the mitigating actions/policies required to meet the prevailing threat to an organisation and to protect its assets from compromise. There are three interdependent disciplines within Protective Security covering each category of asset, namely physical (buildings/estates/property), personnel (staff/customers) and information (documents/data systems) security. Protective Security, particularly with regard to information security, is often expressed in terms of Confidentiality, Integrity and Availability. Confidentiality relates to the protection of assets, Integrity relates to the reliability and veracity of assets, and Availability relates to the correct and controlled sharing of assets in a timely and efficient manner.

What areas does the framework cover?

The SPF covers protective security and risk management and sets out an overarching security statement, five core security principles and seven key policy areas (see below) in which the mandatory minimum requirements are clearly identified:

Who authorises the SPF?

Cabinet Office Security Policy Division (COSPD), within the Intelligence, Security and Resilience Group in Cabinet Office, is responsible for the framework. COSPD work very closely with a variety of security agencies and organisations across government, but the main partners in developing the SPF were:

The SPF is endorsed by the Official Committee of Security (SO) which is chaired by the Cabinet Secretary and Head of the Civil Service, Sir Gus O’Donnell.

How do we know what is mandatory?

The mandatory requirements are all available publicly and are highlighted clearly in green boxes for quick reference. A few green boxes are supplemented by further policy and/or guidance, which can be accessed by following the link entitled “Further guidance”. It should be noted, however, that this publicly available version of the framework does not include any protectively marked guidance material.

How is it updated?

The SPF Review Group, which has representatives from across government and the security agencies, will review the framework. It will be updated on a regular basis with a refreshed edition every six months. Interim or urgent security policies can be announced immediately, and will then be incorporated into the next edition of the framework.

Any further queries about the framework should be sent to the SPF Team.
