LUL - S1797
Information Technology Compliance
| Organization: | LUL |
| Publication Date: | 1 March 2022 |
| Status: | active |
| Page Count: | 5 |
Scope:
This standard applies to senior managers when implementing information security controls.
It also applies to the Legal, Information Technology (IT) and Cyber Security teams when monitoring changes to the associated standards and legislation, and supports the implementation of these requirements across TfL. This standard is Pan-TfL, covering TfL business units, subsidiaries and third-party suppliers.
Note: Auditors shall require evidence of full compliance for any area where the business is within scope.
Compliance with legal and contractual requirements
Objective: To avoid breaches of legal, statutory, regulatory, or contractual obligations related to information and cyber security.
TfL is required to adhere to multiple information security legal and contractual requirements, and shall regularly review and update its information security standards, policies, and legal and contractual obligations as they evolve.
Management is responsible for maintaining compliance with national legal requirements.
The TfL Cyber Information Security Steering Group (CISSG) is responsible for reviewing compliance with information security policies.
System owners and business owners are responsible for monitoring compliance with information security standards and policies, and for ensuring that processes and procedures remain aligned to the IT ISMS and the Information Technology Security Policy (P116) and the requirements set out within them.
Appropriate eLearning shall be maintained for all employees covering cyber security, information security and legal and contractual compliance, especially with regard to privacy law such as the UK Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR), and contractual obligations such as the Payment Card Industry Data Security Standard (PCI DSS).
All staff are responsible for complying with the security policies.
Managers shall ensure contractual and legal compliance in operational aspects of IT and information security activities when dealing with third-party suppliers.
Compliance with cyber security and information security controls is a mandatory requirement across TfL.
Any breach arising through deliberate action or a lack of an acceptable standard of care and attention may result in disciplinary action. A formal disciplinary process shall be in place, as stated in S1789 Human Resources Information Security Standard, and may be used where appropriate for non-compliance with security policies.
To maintain the security of information when responsibility for information processing has been outsourced to another organisation, TfL shall ensure that all contracts are subject to appropriate risk assessment and that proportionate cyber security and information security requirements are set out with which the third party is required to comply.
Contractual requirements shall meet TfL's cyber security and information security policies and standards, and, where feasible, the third party shall be audited to ensure ongoing compliance.
Applicable legal and contractual requirements include, but are not limited to, the following:
• UK General Data Protection Regulation (UK GDPR)
• UK Data Protection Act 2018
• Network and Information Systems Regulations 2018
• Payment Card Industry Data Security Standard
• The Computer Misuse Act 1990
• Official Secrets Act 1989
• The Electronic Communications Act 2000
Information security reviews
Objective: To ensure that information security is implemented and operated in accordance with the organisational policies and procedures
TfL has an established internal audit function, which conducts periodic audits and provides a point of contact for external auditors. Further information can be obtained from the Internal Audit Instructions and Guidance pages.
Compliance audits shall be carried out by the TfL Internal Audit Team before external audits are conducted.
TfL internal audit must always remain independent of the Cyber Security Team.
All information security policies and standards must be reviewed annually by document owners.
Where it is identified that TfL is not aligned with ISO/IEC 27001, the following steps shall be taken:
• Identify the issue or non-conformity
• Record it in an auditable log
• Take appropriate action to resolve it, including engaging the Cyber Security Team.
Purpose
This document defines the requirements for ensuring compliance with best practice standards, TfL policies and government legislation, such as:
• ISO/IEC 27001:2017
• P116 TfL's Information Technology Security Policy
• R2927 TfL's Information Security Management System (ISMS) Framework
• UK General Data Protection Regulation (UK GDPR) (2021)
• The Computer Misuse Act (1990)
• Official Secrets Act (1989)
• Freedom of Information Act (2000).
This compliance protects the confidentiality, integrity and availability of TfL's information assets from threats and vulnerabilities relating to information and cyber security.
Document History