NPCC National Assurance, Risk & Compliance

The NPCC’s National Assurance, Risk & Compliance service provides expert support to help policing organisations maintain strong information assurance and cyber resilience. This includes managing the Security Assessment for Policing (SyAP) framework, conducting reviews, and embedding security into the design of new national systems. The service ensures compliance with national standards and promotes consistent security practices across forces.

How it works

The service is delivered through second-line assurance activities, policy development, and risk management, covering everything from cyber policy and standards to national system compliance and risk oversight. By working closely with forces and partners, it reduces vulnerabilities, identifies gaps, and ensures security is built into systems from the outset.

Benefits
  • Assurance reports with improvement actions.
  • Secure by Design feedback and compliance recommendations.
  • Cyber policy documents and best practice guidance.
  • National system compliance assessments.
  • Single set of activities to provide assurance to all police forces over a national system.
  • Risk analysis reports and control strategies.


Learn more about member benefits on our dedicated Members page.

What we need
  • SyAP documentation and current compliance status.
  • Access to governance records, design and testing documentation.
  • Policy gaps and stakeholder input.
  • Risk register and mitigation plans.
  • Agreement on assurance scope and timelines.
What you get
  • Assurance reports with improvement actions.
  • Secure by Design feedback and compliance recommendations.
  • Cyber policy documents and best practice guidance.
  • National system compliance assessments.
  • Risk analysis reports and control strategies.

Use cases

IT systems upgrades

A police force that has undergone a major IT infrastructure upgrade may need to confirm its security posture.

The Police Digital Service (PDS) conducts assurance against the SyAP, reviews governance records, and provides an assurance report with improvement actions. Cyber policy guidance is shared to align with the NPCC’s standards.

Any residual risks are escalated to the National Senior Information Risk Owner (SIRO) via the national risk register. This process ensures the force maintains compliance and reduces exposure to operational risks.

Procuring and building new systems

A supplier is developing a new national intelligence platform. Before connecting forces, NPCC requires independent validation of the system’s security position.

PDS performs Secure by Design assurance during development, followed by a national system compliance assessment. Risk findings are documented, and mitigation strategies are agreed with the supplier.

Forces receive assurance that the system meets national standards, enabling safe and timely adoption.
