Question to the Home Office:

To ask Her Majesty's Government what assessment they have made of (1) the current risk to the Home Office of a cyber attack; and (2) whether adequate resources are in place to respond to that risk.

Like all major government departments, the Home Office assesses threat from a range of different threat actors. The department uses this information to inform its risk assessments and action plans, both operational and tactical. Risk assessments are updated periodically and whenever a change in the perceived threat is noted.

The Home Office utilises a tiered system of risk assessment covering tactical (system level), operational (business level) and strategic (departmental level) cyber security risks. The Executive Committee has direct visibility of the Department’s strategic cyber security risk and mitigation plans.

The Home Office deploys a range of controls designed to provide defence in depth for our systems, which are modelled against the advice provided by the National Cyber Security Centre and the Government’s Minimum Cyber Security Standard. The status of these controls is under continual review by the Office of the Chief Information Security Officer, which routinely works with delivery teams to ensure that controls are practical, applicable and effective.

Robust cyber security capability requires continued funding and the availability of suitably qualified and experienced personnel. The Office of the Chief Information Security Officer is resourced for the requirements identified for FY 2021-22, balancing the need for investment against cost effectiveness for the tax payer.