Police-Assured Secure Facilities (PASF) United Kingdom

About PASF

The National Policing Information Risk Management Team (NPIRMT) of the UK Home Office (the ministry responsible for security, immigration, and law and order) is charged with ensuring that the storage of and access to police information meet its standards. Through the National Policing Information Risk Management Policy, it sets the central standards and controls for law enforcement agencies across the UK that are assessing the risk of moving police information systems to the cloud. The policy requires that all national police services in the UK that store and process protectively marked or other sensitive law enforcement information take an extra step in their risk assessment: a physical inspection of the datacenter where their data will be stored. A successful assessment establishes that the datacenter is a Police-Assured Secure Facility (PASF).

To assist local police services with their due-diligence review, the NPIRMT performed a PASF audit of Azure datacenters and has determined that they are compliant. Local police services can use this NPIRMT assessment to support their own review. Using the NPIRMT policy guidelines, the senior information risk owner for each police service is responsible for assessing the suitability of an individual datacenter in the context of their particular application, which they then submit to the NPIRMT for approval.

Microsoft and PASF

The UK National Policing Information Risk Management Team (NPIRMT) completed a comprehensive security assessment of the physical infrastructure of Microsoft Azure datacenters in the UK and concluded that they are in compliance with NPIRMT requirements without any remedial actions. This successful physical audit means that Microsoft business cloud services can now support police forces across the UK who require Police-Assured Secure Facilities (PASF) to process and store their data in the cloud.

Microsoft takes a holistic defense-in-depth approach to security. Our UK datacenters (like all Microsoft datacenters) are certified to comply with the most comprehensive portfolio of internationally recognized standards of any cloud service provider and consistently meet those requirements. This includes certification for our implementation of the ISO/IEC 27001 Information Security Management Standards and the ISO/IEC 27018 Code of Practice for Protecting Personal Data in the Cloud.

These certifications are backed by the measures that we take to protect the physical security of our datacenters. We adopt a layered approach that starts with how we design, build, and operate datacenters to strictly control physical access to the areas where customer data is stored. Datacenters managed by Microsoft have extensive levels of protection with access approval required at the facility’s perimeter, at the building’s perimeter, inside the building, and on the datacenter floor. This reduces the risk of unauthorized users gaining physical access to data and datacenter resources.

Microsoft in-scope cloud services

Audits, reports, and certificates

The NPIRMT audits one Azure datacenter each year, cycling through the four Microsoft datacenters in the UK. The NPIRMT assessment that Microsoft datacenters are PASF is available through the Home Office for law enforcement customers who are conducting their own risk assessment of Azure and other Microsoft cloud services.

How to implement

Frequently asked questions

Can police departments in the UK use the Azure PASF assessment as part of their own risk assessments?

Yes. Law enforcement can use the NPIRMT assessment of Azure to support their own local risk assessment before a move to the cloud.