Information security lifecycle

The following Risk & Compliance guidance note provides comprehensive and up-to-date legal information covering:

  • Information security lifecycle
  • Identifying what information you hold
  • Assess information risks
  • Securing information and data
  • Staff training and awareness
  • Monitoring and review

Information security has become a business-critical issue. It is not something you can tackle in isolation, as there are obvious overlaps with cyber security and data protection.

This Practice Note sets out a logical process for reviewing and addressing your information security requirements and includes links to relevant precedents.



Identifying what information you hold

There are a number of management tools, such as information audits, you can use to identify what information you hold and are legally responsible for.

An information audit is a process by which you:

  1. identify and consider all of the information you hold (or are responsible for), and

  2. consider how and why the information is processed

To undertake an effective audit, you need to consider each class of information you hold and, for each class, determine:

  1. what information is held

  2. why it is held

  3. <•