Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government whether they have carried out any operationally independent second-line security assurance on One Login documentation, in accordance with the Government Functional Standard 'GovS 007: Security', published on 30 July 2020.
Yes. We operate a three lines of defence process which includes employing a team of security experts, with additional scrutiny and assurance provided by GDS’s Chief Information Security Officer, the Cabinet Office’s central cyber teams and the National Cyber Security Centre.
The programme has continuously conducted multiple independent risk and threat assessments, such as regular IT Health Checks (ITHC) by NCSC-accredited providers, and these will continue to be part of the programme’s operating approach. We follow the Cyber Assessment Framework (CAF) GovAssure process and completed an independent Cyber Assessment Framework security exercise in 2024, with continued work and collaboration with NCSC on future mitigations.