This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Find out more here

Jump to navigation

CLAS Consultancy

CESG (Communications-Electronics Security Group) Listed Advisor Scheme

The CESG Listed Advisor scheme (CLAS) was created to meet the increasing demand for authoritative information assurance advice for Government departments and agencies by approving a pool of high-quality consultants.

All CLAS Consultants hold a formal HMG Security Clearance (a minimum of SC) and are authorised to provide information assurance advice on systems processing information up to and including UK SECRET.

The delivery of CLAS consultancy is specifically tailored to UK Government departments, executive agencies and related contractors as well as the wider public sector:

  • Central and devolved Government
  • Local authorities
  • Organisations forming part of the Critical National Infrastructure
  • Non-Government organisations
  • GSI and CJX connected organisations
  • Those handling Government Protectively Marked assets such as Police and Health services and some private sector organisations

HMG Information Assurance

The Security Policy Framework (SPF), published late in 2008, replaced The Manual of Protective Security. The SPF is mandatory for all government Departments and Agencies.

It states that it ‘should also be extended, where necessary, to any organisations working on behalf of, or handling HMG assets, such as Non-Departmental Public Bodies (NDPBs), contractors, Emergency Services, devolved administrations, Local Authorities or any regular suppliers of goods and/or services.’

The SPF comprises four tiers, the first three of which are available publically from the Cabinet Office website. Tier 4 has a protective marking of UK RESTRICTED and is intended for people who are required to implement tiers 1 to 3.

SPF Tiers 1 to 3:

  • Tier 1: The Overarching Security Policy Statement
  • Tier 2: The Five Core Security Principles
  • Tier 3: The Seven Security Policies

The Seven Security Policies of SPF Tier 3:

  1. Governance, Risk Management and Compliance
  2. Protective Marking and Asset Control
  3. Personnel Security
  4. Information Security and Assurance
  5. Physical Security
  6. Counter-Terrorism
  7. Business Continuity

Tier 3 also outlines 70 Mandatory Requirements to which all applicable organisations must adhere.

Government Risk Management and Accreditation of Information Systems

Government has specific requirements towards the governance of computer systems. This is called 'accreditation' and requires an Accreditor to make a balanced decision that all the risks to an information system are appropriately mitigated.

This doesn't mean that every risk must be completely eliminated (which is almost impossible) but that the Accreditor must be satisfied that the outstanding risks, when reduced with suitable counter-measures, would not exceed the risk threshold of the organisation. If it does, the organisation should be able to show its reasoning behind accepting an increased level of risk.

Risk Management and Accreditation Documentation Sets (RMADS)

The first stage in developing a Risk Management and Accreditation Documentation Set (RMADS) is to determine the Business Impact Level of the information held on the information system to be accredited. Depending on the findings, it may be sufficient simply to comply with ISO27001.

For higher levels of impact level, an RMADS is mandatory.

Developing RMADS

There are two main phases in developing an RMADS. These are further broken down into individual work units:

Phase 1 - Perform an HMG IA Standard 1 Technical Risk Assessment:

  • Catalogue the information system and generate a scope diagram.
  • Verify the minimum assumptions to ensure that the risk assessment is accurate.
  • Perform threat assessment to produce a Prioritised Risk Catalogue that must be documented within the RMADS.
Phase 2 - Create the RMADS in accordance with HMG IA Standard 2:
  • Perform an ISO 27001 Benchmarking Review to determine that there are suitable commercial countermeasures already in existence.
  • Develop a Risk Treatment Plan to ensure that proposed solutions meet with the requirements of the organisation and their risk appetite.
  • Develop Security Operating Procedures where a technical solution or existing documentation does not meet the required level of risk mitigation.

BUY Risk Management BOOKS

The Security Risk Assessment Handbook, Second Edition

Buy now

+44 (0) 845 070 1750
live chat support software