<p>Our approach to information risk management follows National Cyber Security Centre (NCSC) guidance. It assesses:</p>
<ulclass="list list-bullet">
<li>how Notify is built</li>
<li>the infrastructure Notify is built upon</li>
<li>support for the Notify service</li>
</ul>
<p>This approach also applies to the service providers Notify uses to send messages.</p>
<h2class="heading-medium">How we manage risks on Notify</h2>
<p>Things we do to manage risks on Notify include:</p>
<ulclass="list list-bullet">
<li>formal risk assessments based on <ahref="http://www.iso.org/iso/catalogue_detail?csnumber=56742">ISO 2700:2011</a> and National Cyber Security Centre guidance</li>
<li><ahref="https://www.cesg.gov.uk/articles/check-fundamental-principles">CHECK</a>-based testing, both annually and when any major changes are made to Notify</li>
<li>residual risk statement preparation and active management of the risk treatment plan</li>
<li>regular updates to the Privacy Impact Assessment</li>