The HMG Security Policy Framework (SPF) will shortly be released and sets out the protective security outcomes that all government departments will be required to achieve.

The regulations define the minimum requirements all Departments shall implement with regard to protecting their information, technology and digital services. These are mandatory requirements that must be met for both SPF and National Cyber Security Strategy purposes.

The regulations define the outcomes expected, although the specific definitions of ‘sensitive’, ‘essential’, ‘important’ and ‘appropriate’ are left open. This allows each department to apply its own values based on its particular circumstances.


What is the standard?

The standard presents a MINIMUM set of measures; however, Departments should look to exceed them wherever possible. As time progresses, the measures will be increased so that they continually raise the bar and address new threats or classes of vulnerabilities. They will also be raised to incorporate the new Active Cyber Defence measures that Departments will be expected to use.


What are the requirements for the regulations?

The regulations are split into 5 main steps:

Step 1
  • Departments shall put in place appropriate cyber security governance processes
  • Departments shall identify and catalogue sensitive information they hold
  • Departments shall identify and catalogue the key operational services they provide
  • The need for users to access sensitive information or key operational services shall be understood and continually managed

Step 2
  • Access to sensitive information and key operational services shall only be provided to identified, authenticated and authorised users or systems
  • Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities
  • Highly privileged accounts should not be vulnerable to common cyber-attacks

Step 3
  • Departments shall take steps to detect common cyber-attacks

Step 4
  • Departments shall have a defined, planned and tested response to cyber security incidents that impact sensitive information or key operational services

Step 5
  • Departments shall have well-defined and tested processes in place to ensure the continuity of key operational services in the event of failure or compromise

What does this mean for businesses?

Publication of these regulations shows that the government is taking data security very seriously, especially in light of GDPR. Any alternative to these regulations would only put the government at risk of a breach, and that is not a risk worth taking.

Organisations need to ensure they have a clear understanding of what to do in the event of a breach. This response should be tested regularly, and doing so will take them a long way towards the goal of becoming cyber-resilient.


More details on the specifics of these regulations can be found here –