We use cookies to ensure that we give you the best experience on our website. You can change your cookie settings at any time. Otherwise, we'll assume you're OK to continue.

Durham University

Information Governance

Information Security Policy


Information is an asset that is vital to the University. In order to achieve the University’s objectives the appropriate controls must be put in place to ensure the confidentiality, integrity and availability of information. The primary risks for the University are around financial loss and reputational damage.

The implementation of controls must be pragmatic, appropriate, and cost effective based on assessed risks. This document sets out the guiding principles to ensure that the information security objectives are met. The Information Security Management System (ISMS) is the set of policies, procedures and governance structures that ensure that information security objectives are met.


Durham University will ensure that appropriate technical and organisational measures are in place to protect against the consequences of breaches of confidentiality, failures of integrity, or interruptions to the availability of information.


  • Protect University Information in line with risk and business requirements
  • Comply with legal, regulatory and contractual obligations
  • Uphold individuals’ right to privacy
  • Use established standards and procedures to implement information security across the institution
  • Embed information security into the full information lifecycle
  • Ensure that users of University information have a level of awareness that allows them to adequately protect the information
  • A culture that recognises the value of and need to protect University Information
  • Ensure proper reporting and investigation of information security incidents and weaknesses
  • To ensure that all roles within the Information Security Management System are undertaken by individuals competent and qualified to do so
  • To periodically undertake audits of compliance with this policy.


The Information Security Policy applies to all information assets which are owned or processed by the University.


All Users of University Information

Complete information security awareness training and be responsible for the University Information that they process.

Heads of Services / Departments / Faculties / Colleges

Implementation of the information security policy framework within their area, ensuring a risk based approach is taken to the handling of information.

Senior Information Risk Owner (SIRO)

The SIRO is the University Executive Council (UEC) lead for information security and is responsible for managing the ISMS and, as agreed by UEC, has delegated authority from UEC for some policy level decisions regarding information security.

University Executive Council (UEC)

UEC is responsible for managing information security strategy; monitoring the achievement of the information security objectives; considering and making recommendations to Senate and Council on information security policy initiatives and other matters; taking ownership and management responsibility for key information security risks; approving annual plans; and recommending the information security annual budget.

Responsibility for ensuring implementation of and compliance with this policy will be in accordance with the University’s line management structure.

Policy Administration

Version 3.0

Approved by UEC March 2017

Owner: SIRO