To ask the Chancellor of the Duchy of Lancaster what guidance his Department provides to Government Departments wishing to undertake a risk assessment of the security of new and existing IT systems; what obligations there are on Government Departments to follow that guidance; and if he will make a statement. (190731)

The National Information Assurance Strategy 2007 produced by the Cabinet Office states that Departments must have clear and accountable ownership of information risk management at board level.

Guidance is provided through the Manual of Protective Security issued by the Cabinet Office.

In publishing the Data Handling Procedures in Government: Interim Progress Report (the written statement of 17 December 2007, Official Report, column 98WS), the Government announced that departmental accounting officers should explicitly include the systematic coverage of information assurance in their annual statements on internal control. A final report is expected in spring 2008.