Security Guidance
RSS feed
Table of contents

IT Security Incident Management Policy

Classification: OFFICIAL

Scope: All Ministry of Justice (MoJ) staff, contractors, and suppliers.

Expiry: When rescinded or replaced.

Review: Annual review from date of publication, or when required by legislative or departmental changes.

Authors: Security Policy, Awareness, Culture, and Education team (SPACE)

Policy owner: MoJ Information Security Team (MIST)

Authorised by: MoJ Chief Information Security Officer (CISO)

Date of publication: 15/08/2025

Document version: 1.0

1. Introduction

This policy outlines the MoJ mandatory requirements for ensuring that security incidents and near-misses are accurately reported, managed, resolved, and reviewed. All security incidents must be logged via the appropriate platform. This does not include Health and Safety or Operational HMPPS security incidents, for which local reporting and management protocols must be followed.

2. Scope

This policy applies to all MoJ staff, contractors, and suppliers.

3. Responsibilities

  • The Cabinet Office (CO) holds the MoJ accountable for submitting a quarterly return on departmental security incidents, providing insights that inform the Government Security Group’s strategic view.
  • Under the new CO mandated cyber assurance regime (GovAssure), business-critical systems must complete the Cyber Assurance Framework (CAF), which includes a ‘Response and Recovery’ outcome requiring clear and comprehensive Incident Management Plans that are regularly tested and reviewed.
  • All MoJ staff, contractors, and suppliers are responsible for the identification and recording of security incidents and near-misses.
  • Designated incident management staff are responsible for the identification and recording of security incidents and near-misses.
  • While the policy establishes a minimum baseline, additional measures may be required to meet specific regulations, contractual obligations, or to address particular threats.

4. Policy Statements

All staff shall comply with the following policy statements:

  1. All staff shall properly identify, classify, and record security incidents or near-misses relating to MoJ data, sites, IT systems, or people.
  2. All staff shall record identified or suspected security incidents or near-misses as soon as possible after identification and within regulatory timeframes.
  3. Staff responsible for contractors and third-party agreements shall ensure that all third parties and contractors identify and report security incidents, whether relating directly to them or their supply chain, to the designated MoJ contacts.

  4. All third parties and contractors shall support the management and resolution of reported incidents.

    Heads of business areas and directorates:

  5. Shall ensure that processes are in place to triage, manage, escalate, and resolve security incidents, involving central MoJ security teams as appropriate.
  6. Staff shall be adequately trained and equipped with the necessary skills and knowledge for effective security incident management.
  7. Identified incident management staff shall take ownership and responsibility for the triage, management, escalation, and resolution of assigned security incidents.
  8. Staff involved in incident management shall participate in lessons learnt exercises to ensure continuous improvement.
  9. Effective and proportionate security controls shall be implemented to mitigate any identified risks.

5. Compliance

The Security and Information Directorate (SID) will regularly review this policy and its associated guidance documents to ensure they remain fit for purpose. Routine compliance activities, such as reviews of security controls, will be conducted. Failure to meet policy requirements, in the absence of a formally escalated risk, may result in disciplinary action as per MoJ HR Policies. For external parties and contractors, non-compliance may constitute a breach of contract and, if a criminal offence is identified, may lead to prosecution.

6. Exceptions

Any request for a policy exemption or deviation should be directed to the relevant Senior Information Risk Owner (SIRO), with support from the MoJ Information Security Team. Initial enquiries should be made via the MoJ Security Team at security@justice.gov.uk to discuss potential mitigation options.

Contact and Feedback

For any further questions or advice relating to security, or for any feedback or suggestions for improvement, contact: security@justice.gov.uk.