The Role of the SIRO in Managing Digital Continuity

What is digital continuity?
Information is at the heart of good government. Can you be sure that it will
always be available when you need it?
Digital continuity is the ability to use your information in the way you need,
for as long as you need. Losing digital continuity means you are not able to
find, open, work with, understand or trust your information. This loss of
usability is an information loss as significant and potentially damaging as
any other. Loss of digital continuity is an information risk – one it is your
responsibility to manage as SIRO.
Digital continuity is put at risk by change, so information must be managed through change to ensure it remains
usable. Changes that can lead to loss of digital continuity include organisational, process and technical change.
Loss of digital continuity tends not to be a sudden, obvious incident, but rather a steady build-up of issues that
lead to your business grinding to a halt. It is therefore crucial that you put processes in place to stop this build-up
before it reaches a critical stage.
What is the purpose of this guidance?
This guidance will help you to understand your responsibilities with regards to digital continuity and will enable
you to ensure this information risk is managed effectively in your organisation. It complements the guidance and
training available to SIROs from CESG and the Office of Cyber Security and Information Assurance (OCSIA) at the
Cabinet Office1, as well as the indicators on digital continuity in the Information Assurance Maturity Model (IAMM)
and Assessment Framework.
Examples of digital continuity loss
- You can’t open a spreadsheet containing vital data, as it has been stored in a format that is no longer
supported by your technology.
- You can’t provide critical public services to your customers because you have migrated data between
systems and have lost crucial links between information about people and information about their
entitlements.
- You need to prove a key decision to a Parliamentary Inquiry but can’t be sure the document you have is
the most recent version, as all your information has been migrated between storage systems and the
version and ‘date created’ metadata has been lost.
1 Further information on training available at: www.cesg.gov.uk/products_services/training/training-public.shtml
www.nationalarchives.gov.uk/digitalcontinuity
Why does digital continuity matter to you?
Managing it will bring you benefits
It can help you to realise savings and efficiencies without neglecting
the need to mitigate information risk. For example, managing the risks to
digital continuity also provides opportunities to dispose of the information
and IT that you do not really need, reducing your costs and increasing
operational efficiency. For example, DEFRA is using our file profiling tool
DROID to identify older documents no longer of business use. When
deleted as part of a wider information appraisal process, this is estimated
to yield storage savings of 30%.
In the current climate, change will be the only constant for government
departments and the wider public sector. Organisational change and related changes to ICT systems, for
example, present a serious risk to the continuity of business information. Ensuring digital continuity through such
changes will be considered the responsibility of the SIRO. Proper management of digital continuity will put you in
a strong position to respond positively and manage the risks that change brings.
It is your responsibility
Loss of digital continuity is an information risk. As SIRO, you are required to ensure all information risks are
recognised and managed in your organisation through its information risk policy and assessment process. If there
is a loss of digital continuity, Accounting Officers will look to the SIRO as the owner of that risk. It is therefore
important that you recognise this risk and ensure it is being appropriately managed within your organisation.
What to do
Below are six key actions you can take to manage risks to digital continuity:
1. Ensure your organisation has an information risk management culture which recognises that the
business use of your information should drive decision making about its management
a) Ensure the organisation knows how it needs to use information assets over their full lifecycle and uses
that to inform how the assets are managed.2
b) Ensure training on the value of information is delivered to all staff – you can work with your Knowledge
and Information Management (KIM) team to deliver this.
2 See our specific guidance on Identifying Information Assets and Business Requirements:
nationalarchives.gov.uk/documents/information-management/identify-information-assets.pdf
2. Ensure there is a multi-disciplinary approach to information risk
management in your organisation
a) Assign a Senior Responsible Owner for implementing digital
continuity across the organisation and ensure they set up a multi-disciplinary team (including IA, KIM and IT staff) for managing
digital continuity.3
b) Ensure risk management processes and structures drive
collaboration across your IA, KIM, IT, project and change
management teams.
3. Ensure the risk to digital continuity is being managed efficiently
and effectively
a) Ensure the risk of loss of digital continuity is in your appropriate risk registers and the risks are reported
through existing departmental risk reporting structures.
b) Ensure teams, especially those involved in change projects, are putting risks to digital continuity on their
own risk registers.
4. Ensure your organisation’s Information Asset Register (IAR) is used to manage digital continuity
a) Ensure your organisation knows what information assets4 it has, how it needs to use them and what
technology they are dependent on, and record this information effectively through an IAR.5
b) Ensure there are processes in place to update this IAR and use it to understand the impact of change on
your information assets and manage risks to digital continuity through changes to the business or
technology.
5. Ensure your Information Asset Owners (IAOs) are managing the risks to the digital continuity of their
Information Assets
a) Ensure all information assets in your organisation are assigned an IAO with appropriate levels of
responsibility.
3 See our guidance factsheet on The Digital Continuity SRO:
nationalarchives.gov.uk/documents/information-management/the-dc-sro-factsheet.pdf
4 Not just the information systems – for a definition of ‘Information asset’, see guidance on information assets and business
requirement: nationalarchives.gov.uk/documents/information-management/identify-information-assets.pdf
5 We’d recommend using an existing IAR to form the basis of this, but as long as this mapping is carried out, it is up to you to
decide the best way to do it in your organisation
b) Ensure your IAOs are properly trained/resourced and understand the usability requirements of their
information assets and risks to the digital continuity of those
assets.6
6. Drive and monitor progress by measuring against the digital
continuity maturity indicators in the IAMM7
a) Ensure that any review of your organisation’s performance against
the IAMM includes digital continuity monitoring.
b) Ensure those responsible for assessing your organisation against
the IAMM are in contact with your multi-disciplinary digital continuity
team.
What we are doing to help
The National Archives has developed a Digital Continuity Service to
support central government and the wider public sector in managing its digital continuity. This includes guidance,
advice and training, a risk and opportunity self-assessment tool and a framework of tools and services. The
National Archives works closely with OCSIA, CESG and the Government Security Secretariat to ensure a
coordinated approach to assist you as SIRO in managing the information risk in your organisation, and this
guidance has been approved by Cabinet Office’s Information Assurance Policy Committee. For further
information on the Digital Continuity Project or managing digital continuity in your organisation, visit:
nationalarchives.gov.uk/digitalcontinuity.
This guidance relates to the following other digital continuity documents:
Managing Digital Continuity - a high-level overview of what you need to do to ensure digital continuity, who you
need to involve and how you measure success.
Identify Information Assets and Business Requirements - tells you how to create or adapt an existing IAR, by
first identifying your information assets and business requirements. Managing Digital Continuity (above) provides
further details on the rationale for doing this.
The Role of the IAO - we have worked with OCSIA to produce guidance on the mandated role of the IAO, which
covers their entire role including their digital continuity responsibilities.
6 See our guidance on The Role of the IAO: nationalarchives.gov.uk/documents/information-management/role-of-the-iao.pdf
7 See Information Assurance Maturity Model: www.cesg.gov.uk/products_services/iacs/iamm/index.shtml
IAOs and Digital Continuity - a piece of guidance which specifically addresses the IAO’s role and
responsibilities in relation to digital continuity.
The Digital Continuity SRO - outlines the Senior Responsible Owner’s role and responsibilities in relation to
digital continuity.
All digital continuity guidance is available at nationalarchives.gov.uk/dc-guidance.