Census 2022 – cyber security

March 6, 2024 by No Comments | Category Digital Assurance Office, Digital Scotland, Technology Assurance Framework

Guest blog by Berit Braun, Continuous Improvement team, Digital Assurance Office.

The Digital Assurance Office have been working with the National Records of Scotland (NRS) to capture and share some of their experiences from the delivery of the Census Programme. This is the sixth in a series of case studies. You can read the earlier case studies, and our other insights, on our blog.

For over 200 years Scotland has relied on a ten year Census to underpin national and local decision making. The 2022 Census was the first predominantly digital Census collection. The Census is a long term programme and is undertaken by the NRS.


Carrying out Scotland’s Census 2022 almost wholly online required a wide range of cyber security risks to be managed effectively. The Security, Risk and Resilience team at NRS worked closely with Census programme staff, suppliers and external partners to ensure secure end-to-end delivery.

Key activities

  • Preparedness was a key success factor for delivering a secure Census. NRS carried out extensive testing of systems which allowed issues to be remediated prior to go-live. All tests followed the National Cyber Security Centre’s guidance, guaranteeing a high and consistent standard. To ensure that both systems and people were prepared to respond to cyber security threats, the team developed and extensively exercised a scenario-based Cyber Incident Response Plan.
  • NRS developed a Technical Security Standard for the Census which set out expectations of suppliers and allowed these to be communicated clearly. All suppliers were assessed against this standard, allowing any risks to be identified and issues remediated in time.
  • The Census established a Security Working Group bringing together key suppliers, programme staff and partners to regularly engage in a structured and constructive way.
  • To detect and respond to cyber-attacks, the Census opted for a 24/7 alerting model. Generating automatic alerts in the event of an attempted attack, this model proved resource efficient and an effective alternative to 24/7 monitoring. This model has now been extended within NRS.

Reflections and learning points

  1. Regular reporting to programme leadership helped to build an understanding about what a secure Census looks like and ensure that appropriate investment was made and assurance in place to deliver it.
  2. Planning and preparedness set the Census up for securely collecting Census responses. Ensure that you have effectively timed systems testing, incident response exercises and security assurance of the supply chain in place to allow for issues to be identified and remedial action to be taken.
  3. To support the effective partnership working required to deliver a secure service, you need to make clear communication and transparent plans a priority. NRS’ security team collaborated with programme staff, suppliers and external partners by clearly setting out what a secure Census would look like, defining standards and building in structured opportunities for engagement.
  4. Be mindful that implementing a “secure by design” approach requires continuous commitment, collaboration and resource throughout the lifecycle of a programme or project. NRS found that giving security colleagues “a seat at the table” when changes to the programme were being considered ensured that security considerations were embedded in decision making.

Find out more

The Technology Assurance Framework (TAF) is designed to support programmes and projects to deliver successful outcomes and ensure that the lessons learned from previous experience are reflected and embedded in future practice.

The Digital Assurance Office (DAO) are working with organisations who have had assurance through the TAF to share insights which might help others deliver digital projects. If you want to get involved – or have thoughts on what insights would be helpful to share – contact us at

For more information about this case study contact

Listen to Police Scotland’s Cybercrime Harm Prevention podcast about securing Scotland’s Census 2022 with Heather Lowrie, former Head of Cyber Security, Risk and Resilience for the NRS.

Visit the CyberScotland website for up to the minute cyber services information across Scotland and the National Cyber Security Centre website for advice, guidance and capability support.

Access information on creating secure services and resources to help you embed cyber resilience into the supply chain process from the Scottish Government.

For further information and signposting to advice and support on programme and project management contact the Programme and Project Management Centre for Expertise. The Scottish Government programme and project management principles are available and apply to any project of any size.

For advice on designing and delivering high quality digital services visit Scottish Government Digital Support Hub (DSH).

Tags: , , , ,


Leave a comment

By submitting a comment, you understand it may be published on this public website. Please read our privacy policy to see how the Scottish Government handles your information.

Your email address will not be published. Required fields are marked *