The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Step 1 of 5: Management and organisational information security

1.1 Risk management

Your business identifies, assesses and manages information security risks.



1.2 Information security policy

Your business has an approved and published information security policy which provides direction and support for information security (in accordance with business needs and relevant laws and regulations) and is regularly reviewed.



1.3 Information security responsibility

Your business has defined and allocated information security responsibilities and has established a framework to coordinate and review the implementation of information security.



1.4 Outsourcing

Your business has established written agreements with all third-party service providers and processors that ensure the personal data that they access and process on your behalf is protected and secure.