If you are a service provider to a Government Department or Agency and handle HMG physical or information assets, you may be required to comply with guidance in the Security Policy Framework (SPF). Your client is responsible for determining which areas of the SPF should apply to your service provision and should notify you accordingly.
To demonstrate compliance, your Information Security Officer (or equivalent) must:
- Conduct an initial self-assessment using external security specialists or internal audit functions;
- Submit annual security returns to the Department or Agency on the relevant Mandatory Requirements and associated security policy;
- Carry out regular internal audits using external security specialists or internal audit functions.