LUL - S1787
Information Security Risk Management
| Organization: | LUL |
| Publication Date: | 1 March 2022 |
| Status: | active |
| Page Count: | 9 |
Scope
This standard applies to the use of all information and assets owned, worked with and operated by TfL, or on behalf of TfL.
It applies to all employees, contractors and sub-contractors, who are responsible, as a minimum, for reporting potential information security risks or concerns.
The Information Security Risk Management Framework illustrated in Figure 1, which includes this Standard, the Information Security Risk Management Policy (P123) and supporting processes and procedures, applies to all individuals who have access to TfL information assets and technologies, including external parties and those providing information processing services to TfL.
Purpose
This standard summarises the information security risk management approach and methods in support of TfL's alignment to the Information Security Risk Management Policy (P123).
This standard ensures that information risk assessments are conducted in accordance with TfL's Information Security Risk Management Framework and complements TfL's Enterprise Risk Management (ERM) function. The Standard also supports alignment to the information security standards ISO27001 and ISO27005, and in combination, helps to systematically manage and protect the confidentiality, integrity, and availability of TfL's information assets from threats and vulnerabilities.