Elevating Digital Assurance in Policing: A Strategic Approach to Next-Generation Compliance

08 May 2025
Reengineering Audit for Policing’s Digital Age: SCORE in action

Digital Transformation in UK Policing

UK policing is at a pivotal point in its digital evolution. Forces across the country are under growing pressure to replace outdated legacy systems and integrate with national platforms such as the Police National Computer (PNC), Police National Database (PND), Child Abuse Image Database (CAID) and the upcoming National Law Enforcement Data Service (NLEDS). These are central to a future where intelligence is shared seamlessly, investigations are accelerated and public safety is enhanced through smarter, data-driven operations.

However, this transformation is unfolding in a landscape marked by financial pressures, evolving cyber threats, a shortage of digital skills, and heightened public expectations around transparency and accountability. At the same time, police forces must manage the exceptional sensitivity of the data they hold – ranging from personal identifiers to national security intelligence – while ensuring compliance with strict legal frameworks, including the Data Protection Act 2018 (Part 3) and UK GDPR.

Success will hinge not only on technology adoption, but on building a secure, interoperable and trusted digital ecosystem that can meet both operational needs and public scrutiny.

Meeting Complex Cyber and Compliance Demands

To adapt to this evolving landscape, police forces must:

  • Maintain secure access to national systems such as NLEDS, PNC, PND, CAID and the Criminal Justice Extranet.
  • Comply with National Information Assurance and Risk Management frameworks.
  • Deliver services that are not only secure and compliant, but also resilient and operationally effective.
  • Support roles such as Senior Information Risk Officers (SIROs), Information Asset Owners (IAOs) and National Senior Information Risk Officers (NSIROs) in meeting their governance and reporting obligations.

However, achieving these goals presents key challenges:

  • Traditional compliance-based audits are often static and fall short in identifying evolving risks.
  • Duplication and inefficiencies in audit processes strain limited resources.
  • A lack of consistent, risk-aligned methodologies hampers cyber assurance across national and local systems.

A Risk-Based, Continuous Assurance Approach

Police forces can address these challenges by adopting a structured, risk-based audit lifecycle that goes beyond box-ticking compliance. This includes:

  • Defining clear audit scopes and tailoring approaches to national policing systems and their associated risk environments.
  • Using accepted standards such as NIST CSF, NCSC GovAssure CAF, and ISO/IEC 27001:2022 to evaluate controls and guide improvements.
  • Conducting root cause analysis of incidents and learning from exercises across the policing and wider MOD sector.
  • Embedding Secure by Design principles into system development and operational planning.
  • Enhancing governance alignment with frameworks like the Police Information Assurance Board (PIAB), NSIRO structures and the DCPP CSMI Guide.

This approach allows policing organisations to integrate assurance activities into day-to-day operations, ensuring that cyber resilience, operational needs and legal obligations are aligned.

Delivering measurable value through SCORE

Leonardo’s SCORE (Situate, Commence, Obtain, Report and Evolve) audit methodology enables forces to implement this forward-thinking approach effectively:

  • Scalable: Customised for local, regional and national policing needs, including PNC/LEDS access and cloud assurance.
  • Integrated: Combines cyber audits with operational, legal and regulatory requirements, reducing duplication and increasing efficiency.
  • Outcome-Oriented: Goes beyond identifying gaps – provides detailed remediation roadmaps, dashboards and continuous improvement tracking.
  • Aligned to Governance: Supports NSIRO, SIRO and IAO responsibilities by aggregating risk views and enabling prioritised responses.
  • Future-Ready: Includes assurance models for AI technologies, automated threat detection and adaptive risk modelling, ensuring policing remains safe, ethical and secure.

The SCORE Five-Phase Audit Model

  1. Scoping & Engagement
    • Stakeholder mapping and understanding of system environment
    • Define audit scope, objectives and applicable regulatory frameworks
    • Tailor approach to local, regional and national policing systems
  2. Current State Assessment
    • Evidence collection and documentation review
    • Evaluation of technical, procedural, and governance controls
    • Risk profiling using frameworks such as NIST CSF, CAF, and IRAM2
  3. Observation & Risk Inference
    • Identification of gaps, vulnerabilities and control weaknesses
    • Use of inference models to determine operational and security impact
    • Mapping to national policing risk appetite categories
  4. Recommendations & Roadmapping
    • Provide pragmatic and achievable improvement recommendations
    • Integration with Secure by Design and risk-based remediation planning
    • Support alignment with GovAssure, SyAP and cloud hosting guidance
  5. Evaluation & Continuous Assurance
    • Establish baseline for continual improvement
    • Provide roadmap for re-audit and ongoing monitoring
    • Tailored dashboards and assurance trackers to assist SIROs and IAOs

SCORE is not just an audit tool; it’s a strategic enabler for UK policing. It helps forces meet today’s cyber challenges while building resilience for tomorrow’s digital threats. In an era of increasing digital complexity, where threats evolve rapidly and regulatory demands continue to rise, traditional compliance-based audits are no longer sufficient.

As police forces adapt to the demands of digital transformation, Leonardo’s SCORE methodology stands ready to support them, delivering deep expertise, robust frameworks, and the confidence needed to operate securely and effectively in a high-threat environment. Leonardo’s SCORE (Security, Compliance, Operational Resilience, and Effectiveness) audit methodology is designed to go beyond compliance, providing a rigorous, structured and risk-based approach that drives resilience, improves operational performance and assures stakeholder confidence across public and private sector domains.

Leonardo’s SCORE methodology is highly scalable within the policing sector, delivering significant value by enhancing cybersecurity assurance, supporting regulatory compliance and strengthening information risk management. In summary, it helps forces to:

  • Enhance cyber resilience
  • Enable continuous compliance
  • Drive operational efficiency
  • Embed security by design (SbD)