Technical Review Group - Security
Assessing the cyber security posture of anything new coming through the TRG.
The role of the Security CCC is to assess the cyber security posture of anything new coming through the TRG. This will include understanding whether anyone from Cyber Operations' Secure Consulting Team has been engaged in the drafting of the submission, whether risk assessments have been carried out, and whether any measures have been proposed to moderate or control any identified risks.
There are a number of documents that it is helpful to complete in the process of drafting a submission:
- An entry on the Compliance Register. This mandatory document covers the architecture being used and its version, access (internal vs external), security testing, data encryption and disaster recovery. NOTE: You don’t need a completed entry prior to coming to TRG, but an understanding of what is required is expected.
- If you plan to use cloud technologies, the Cloud Risk Data Assessment, which will classify your requirement from 1 to 5 (5 being in the most need of protection), based on the type and scale of data being stored, as well as the persistence (long or short-term use). It will then advise the type of controls relevant to each classification.
As an organisation, the strategic direction is to cloud host all solutions where possible. Where your solution is locally hosted, for security or legacy reasons, early engagement with the Secure Consulting Team at Cyber Operations is again key, as they can walk you through the more bespoke requirements.
What evidence will they be looking for in your submission?
- Have you engaged directly with anyone in the Secure Consulting Team for advice when drafting your submission?
- Have you completed a Cloud Risk Data Assessment?
- Have you proposed any controls to moderate identified risks, and if not, have you detailed a robust rationale?
Who can I contact about Security?
Peter Barrett
peter.barrett4@nhs.net
Updated: May 2026