You asked

I'd like to request the following information please:

  1. Name of SIRO (Senior Information Risk Owner) or similar post (Chief Information Governance Officer etc), or responsible person for SIRO duties.
  2. Contact email of person named in request No. 1.
  3. Name of DPO (Data Protection Officer) or responsible person for DPO duties.
  4. Contact email of DPO.
  5. Name of person with overall responsibility for Cyber security or equivalent (excluding persons in q1 and q3).
  6. Contact email of person in Q5.
  7. Name of person with overall responsibility for information security or equivalent (excluding persons in q1, q3 and 5).
  8. Contact email of person in Q7.
  9. Name of person with overall responsibility for information Governance or equivalent (excluding persons in q1, q3, q5 and q7).
  10. Contact email of person in Q9.
  11. Do you have appointed IAOs? If so, who are they, if they have been defined?
  12. Are you or have you considered becoming ISO 27001 compliant or certified? If so, who is responsible for maintaining this? (as in, the person)
  13. Contact email of person in Q: 11.
  14. Are you required to connect to the PSN Code of Connection (CoCo)? If so, who is responsible for complying with its requirements? (as in, the person)
  15. Contact email of person in Q:13.
  16. What is the annual budget for Cyber Security?
  17. What was the annual spend on external assistance for cyber security last financial year? (Excluding products/systems, when I refer to external assistance I mean things like consultancy/training)
  18. What is the annual budget for data protection activities?
  19. What was the annual spend on external assistance for data protection activities last year? (Excluding products/systems, when I refer to external assistance I mean things like consultancy/training)

We said

Thank you for your request. The Security team here covers UKSA, ONS and OSR and so the following answers reflect this:

  1. We do not have a SIRO; this is no longer a mandatory role for a Government Department.

  2. Not applicable.

  3. Our Data Protection Officer (DPO) is Ross Young.

  4. The contact email of our DPO is DPO@statistics.gov.uk

  5. The person with overall responsibility for Cyber security or equivalent is Andy Wall, Chief Security Officer.

  6. The contact email is security@ons.gov.uk

  7. The name of the person with overall responsibility for information security or equivalent is Andy Wall, Chief Security Officer.

  8. The contact email is security@ons.gov.uk

  9. The name of the person with overall responsibility for information governance or equivalent is Andy Wall, Chief Security Officer.

  10. The contact email is security@ons.gov.uk

  11. We operate Information Asset Owner Roles across the organisation. This is a defined role specification in accordance with Government requirements and are typically senior managers within the different business areas.

  12. Our security approach is based on UK Government standards; we incorporate compliant ISO 27001 controls within this. We are not certified to ISO 27001. The ownership of the security approach rests with the Chief Security Officer.

  13. Not applicable.

  14. No, the PSN is no longer in operation.

  15. Not applicable.

  16. Funding for cyber security is not as a single fixed budget to the Security team. Many security functions are embedded and devolved across business areas and so unfortunately we do not hold this.

  17. We utilise limited external consultancy in support of security and this is not specific to cyber security. The security team invests in internal and wider organisation training but this is not specific to cyber security.

  18. Funding for data protection is not as a single fixed budget. Many requirements for data protection are embedded and devolved across business areas. Specific costs for this are not collated.

  19. We do not use external consultancy in support of data protection. Training is provided internally and via civil service e-learning.

Please note

The first line of this response was updated on 2 December 2019 to provide more clarity and context to the answers.