The Challenge
The Ministry of Justice (MoJ) operates one of the most complex and sensitive digital estates in government. It manages large volumes of highly sensitive data relating to victims of crime, individuals in the prison and probation system, and organisations across the wider justice system. This responsibility is compounded by significant technical debt, a fragmented technology landscape and more than 1,000 IT services, many of which are legacy systems that do not meet the standard expected of modern digital services.
Set against a backdrop of rising cyber threats to government, the MoJ set a clear ambition: to be government-leading in the delivery of secure, resilient services. This required a fundamental shift in how cyber security was designed, governed and embedded across the department, its agencies and its extensive supplier ecosystem.
Over a four-year period, RedRock Consulting partnered with the MoJ to strengthen cyber security capability, reduce risk, and embed sustainable security practices across the organisation and its supply chain.
Our Solution
RedRock worked as a trusted client-side delivery partner, supporting MoJ teams across strategy, delivery and capability uplift. Our approach focused on embedding security as a core organisational capability rather than a bolt-on function.
Key principles included:
- Secure by design approaches aligned to government standards
- Proportionate risk management, tailored to service criticality and data sensitivity
- Capability building, enabling MoJ teams to own and sustain outcomes
- Consistency and governance across a highly federated organisation
We worked closely with security, digital, commercial and policy teams, as well as agencies and arm's-length bodies, to deliver change at scale.
Our Approach
Building Cyber Security Capability and Culture
RedRock supported the MoJ to establish and mature its Cyber Security Profession, providing guidance, best practice frameworks and hands-on support to upskill teams. We worked across departments, suppliers and partners to promote consistent security behaviours and embed a positive security culture.
This included:
- Developing new frameworks and tools to ensure services were secure by design
- Supporting the MoJ to exceed baseline Cyber Assessment Framework (CAF) profiles
- Helping teams move away from legacy security thinking towards modern, risk-based approaches
- Strengthening governance, roles and responsibilities for cyber risk management
The Dynamic Framework – Securing the Justice Supply Chain
The MoJ shares data with thousands of suppliers and partners, many of which are third-sector organisations with limited cyber security maturity. This created a significant third-party risk: a compromised or poorly secured supplier could become an indirect route into MoJ systems and data, bypassing the department's own controls.
RedRock designed and delivered the Dynamic Framework, a scalable, proportionate cyber assurance model to assess and manage supplier risk.
What we delivered
- A dynamic, risk-based assurance framework aligned to supplier criticality
- A structured onboarding and assessment process covering security posture, gaps and remediation
- Support for suppliers to achieve Cyber Essentials Plus, with advanced assurance (IASME Gold / ISO/IEC 27001) for higher-risk organisations
- Reusable toolkits, templates, checklists and guidance to support suppliers at scale
- Communities of practice and training materials to reduce burden and improve understanding
The framework enabled suppliers to meet contractual and policy requirements while significantly improving overall security maturity across the justice ecosystem.
Supplier Security Framework and Procurement Integration
In parallel, RedRock helped the MoJ design and embed a Supplier Security Framework to standardise how cyber risk is assessed, managed and monitored throughout the commercial lifecycle.
Key activities included:
- Categorising suppliers and assigning cyber maturity risk scores
- Auditing procurement and contract processes to identify security gaps
- Designing modular security schedules aligned to supplier risk categories
- Embedding security requirements earlier in procurement and tender processes
- Creating dashboards and management information to track risk and improvement
- Defining incident reporting, assurance governance and exception management
The framework was piloted, refined through internal and supplier testing, and successfully embedded into business-as-usual procurement processes.
Legal Aid Agency – Security Architecture Discovery
RedRock also supported the Legal Aid Agency (LAA), which holds highly sensitive data and operates a complex, legacy-heavy digital estate.
We were engaged to deliver the IT Health Check (ITHC) security activity as part of a wider technical debt programme.
Our work included:
- Conducting GDS-aligned discovery and gap analysis against industry standards
- Reviewing data ownership, access controls and governance
- Providing technical input and assurance for ITHC reports
- Recommending best practices to reduce technical debt and improve security posture
- Supporting stronger alignment between MoJ Security, Justice Digital and the LAA
This enabled clearer prioritisation of security improvements and supported longer-term modernisation planning.
The Outcome
RedRock’s work has helped the MoJ make meaningful, sustainable improvements to its cyber security posture:
- Stronger security governance across a complex, federated organisation
- Improved supplier assurance, reducing the risk of third-party compromise
- Security embedded in procurement, not retrofitted later
- Upskilled internal teams able to run frameworks and assurance processes independently
- Reduced cyber risk across legacy estates and sensitive services
- Scalable, repeatable frameworks now used as part of business-as-usual operations
Most importantly, the MoJ is better positioned to protect the sensitive data it holds and ensure that cyber security is embedded in everything it does, now and in the future.
Our cyber security and third-party risk management specialists' expertise enabled the creation of a bespoke framework which addressed the client's concerns and is aligned with industry good practice standards. This customer is now able to manage their supplier risk in a more scalable and efficient way.
Rachel Symons
Delivery Manager @ RedRock Consulting
Ready to talk?
See how we can deliver the positive change you need. Talk to one of our experts today!