Question to the Ministry of Justice:

To ask the Secretary of State for Justice, with reference to the guidance by the Central Digital and Data Office entitled Guidance on the Legacy IT Risk Assessment Framework, published on 29 September 2023, how many red-rated IT systems are used by their Department.

The spend by the Ministry of Justice on its IT infrastructure as set out in the question is provided in the table below, covering the previous three years:

It has not been possible to separate out costs in a meaningful way between current and legacy systems, or identify costs for pre-2013 systems. This is due to both the complexity of the IT estate, which includes outsourced services, and the finance systems in use across the department not being set up to operate in that way that facilitates this.

The costs in the table include the costs of networks, devices, voice and video infrastructure, print services, wifi, software licences that underpin the operation of the department (eg Oracle, Microsoft) and hosting. They do not include costs of bespoke software. The costs are the external (contract) costs to purchase infrastructure outright or as a service but do not include costs related to people or processes or documentation within MoJ.

The Ministry of Justice is actively managing its legacy estate and are either seeking to fund or are seeking to exit legacy systems via our existing change plans. The right approach varies: work under way includes upgrades, complete system replacements and migration to public cloud.

The Ministry of Justice regularly assesses the most critical services within its IT estate including those using legacy systems against its own framework. There is a significant programme of activity in place to mitigate these risks through decommissioning, migration to more modern environments and upgrades.

Earlier in 2023, an assessment was carried out on the top 10 most critical legacy IT systems. Out of these 10 systems, 5 were identified as red-rated IT systems as defined in the Central Digital and Data Office (CDDO) Legacy IT Risk Assessment Framework

The Ministry of Justice is in the process of assessing all of its critical systems against the CDDO framework which will provide data on how many of these are red-rated within this framework.