The Ambulance Radio Programme (ARP) is a £390m Department of Health initiative to replace outdated and poorly networked analogue communications systems within the UK's Ambulance service.

Central to this aim was the delivery of two Data Centres plus a new suite of applications for the Control Room and responder communication applications and devices to the Ambulance Trusts. The ARP will introduce new ways of working, connectivity, communication devices and bearers to replace the Airwave System, aiming to utilise the Emergency Services Network (ESN) when it comes online.

Capabilities Employed

The Challenge

The Data Centres need to be accredited for airwave use and future proofed in their security architecture, becoming capable to be accredited for use on the Emergency Services Network. SA Group were asked to deliver:

  • Risk Assessment Plan. Review, define scope of and create the Risk Assessment with Third Party Suppliers
  • Security Plan. Review and Update
  • Accreditation scope for IT Health Check, to be agreed with the Home Office
  • Security Design Assurance review
  • 3rd Party Access Controls review
  • Handover and knowledge transfer to our client

The Solution

Requirements scoping
We worked to establish the accreditation requirements that are to be placed upon ARP by the Airwave and ESN accreditors. This required an end to end understanding of the entire IER plus a sound current knowledge of the system architecture, the vendor products and ongoing support functions.

Third party security risk assessments
The vendor Security Risk Assessments were scrutinised, revised and managed to fulfil the requirements of the ARP. Stakeholders were managed to ensure timely implementation of the SRA within the delivery phase of the programme.

Accreditation scope
SA Group quickly recognised the role of the ARP, the BAU aspects post-delivery and a route to accreditation – and worked to develop a plan to succeed. We worked with the ARP to evolve their Security Plan into a Policy and subordinate plans as the programme moves forwards. Access profiles and controls have all be aligned to NCSC, CPNI and Home Office best practice. We also advised the ARP on the issues surrounding the external governance that would be applied to the secure communication programme.

The Result

The ARP is now fully prepared to achieve ISO27001 and Cyber Essentials Plus to ensure their reputation within Emergency Services Communication projects and the Ambulance Trusts.

The ARP's profile has been significantly raised within the wider Airwave, ESN, Home Office and NHS Digital stakeholder communities.

Security issues surrounding the programme are scoped and understood by the ARP team; information assurance and due diligence are embedded as an integral part of the programme. This will ensure a smooth transition from the current systems to the ARP service.

Download this case study