Question to the Department for Science, Innovation & Technology:

To ask His Majesty's Government whether the Cabinet Office has quantified the likelihood and potential impact of insider threats, unauthorised privileged access, and production environment compromise within One Login, as required by ISO 27001 standards and guidance from the National Cyber Security Centre for cloud-hosted government services; and whether they will place copies of such assessments in the Library of the House.

The GOV.UK One Login team collaborates closely with the National Cyber Security Centre (NCSC) to assess and mitigate risks associated with insider threats, unauthorised privileged access, and production environment compromise, aligning with the Cyber Assessment Framework outlined in the Government Cyber Security Strategy 2022-2030. Although the programme does not specifically pursue ISO 27001 certification, it adopts multiple overlapping controls and the risk management framework is based on the HMG Orange Book, which is closely aligned with ISO 27005 guidance on managing information security risks.

While assessments of insider threats have been made, copies of these assessments will not be placed in the Library of the House, as they are part of ongoing security measures and internal governance processes.