Security Guidance
RSS feed
Table of contents

MoJ Security Operating Procedure Policy

Classification: OFFICIAL

Scope: All Ministry of Justice (MoJ) IT system administrators, and third-parties responsible for MoJ IT systems.

Expiry: When rescinded or replaced.

Review: Annual review from date of publication, or when required by legislative or departmental changes.

Authors: Security Policy, Awareness, Culture, and Education team (SPACE)

Policy owner: MoJ Information Security Team (MIST)

Authorised by: MoJ Chief Information Security Officer (CISO)

Date of publication: 19/12/2025

Document version: 1.0

This document is the MoJ Security Operating Procedure (SyOP) Policy. It provides guidance for system administrators responsible for creating and maintaining SyOPs for their IT system.

1. Introduction

MoJ IT systems and services are provided to support the delivery of the MoJ’s business services. For those systems and services to operate effectively and efficiently Security Operating Procedures (SyOPs) must be created to define and document how to use each system or service in a secure way. Breaching this policy is considered a breach under the Security Breach Policy.

2. Scope

This policy applies to all administrators of MoJ IT systems, including MoJ employees, executive agency employees, contractors, and agency staff.

3. Security Operating Procedures (SyOPs)

To help protect MoJ data and IT systems, SyOPs are provided to guide users on secure working practices for MoJ IT systems and services.

  • System administrators shall maintain a set of SyOPs that are included as part of each IT system’s security assurance.
  • System administrators shall ensure that users have read and acknowledged all relevant SyOPs before granting access to an MoJ IT system.
  • System administrators shall keep records of users that are granted access to MoJ IT systems and shall make records available during assurance or upon authorised request.
  • System administrators shall seek approval through an assured change control process before updating a SyOP for any MoJ IT system.
  • System administrators shall review user requests to contravene, disregard, or take any action that differs from the system SyOP.
  • System administrators shall track any exemptions from a SyOP using a risk management process.
  • System administrators shall ensure that all relevant legal and regulatory requirements are contained in any SyOP they are responsible for.

Contact and Feedback

For any further questions or advice relating to security, or for any feedback or suggestions for improvement, contact: security@justice.gov.uk.