Information security


Review your security measures

Undertake regular reviews to ensure your security measures remain fit for purpose.

Identify changes in how you use and organise your information, and any changes required by legislation. Use this information to inform improvements.

Conduct periodic reviews and assure compliance

To minimise the risk of disruption to organisation business processes, you should carefully plan and agree suitable audit requirements for operational systems.

Minimise the opportunity for unauthorised access to information system audit tools to limit the potential to misuse or compromise them.

Regularly monitor, review, and audit your security measures so you know the degree to which your information security policies are being implemented and followed.  This should include:

  • use of operational procedures
  • handling of protectively marked materials
  • supply chain and partners services, reports and records
  • compliance with relevant legislation, requirements and standards.

Supporting documents and information

Identify changes required to your information security

Change is a given. You need to identify which changes in your environment might affect your information security and be prepared to restart your information security lifecycle.

Consider these questions to inform changes and improvements.

  • Are you using information in new ways? Think about information you collect from others (inputs), information you provide to others (outputs), work and information flows inside or outside the organisation (processes), information interfaces between organisations or systems (connections).
  • Are you bringing in a new supplier, provider, or partner to fulfil a specific need?
  • Are you planning improvements to internal or external security services?
  • Have you identified new security threats or vulnerabilities?


Your review will identify required changes to your information security requirements. These changes may trigger either the:

  • Retire phase of the information security lifecycle when systems or information are no longer required
  • Understand phase to re-start the information security lifecycle as your information security requirements change.


Page last modified: 4/05/2022