Part of Overview of the CAF-aligned DSPT

Scoping essential functions



Before you begin your Cyber Assessment Framework (CAF)-aligned Data Security and Protection Toolkit (DSPT) submission, you need to conduct a scoping exercise to understand which information, systems and networks support your essential functions, and should therefore be included in the scope of your DSPT return. 

This guidance explains what essential functions are in the context of health and care, how you should conduct your scoping exercise, and what other important factors you should consider. 


Defining essential functions

Your essential functions are all the parts of your organisation that are necessary to deliver your organisation’s services. Where relevant, this will include consideration of: 

  • any essential services for operators of essential services designated under the Network and Information System (NIS) Regulations 
  • any statutory purposes for statutory organisations
  • the purposes for which your organisation is constituted 

In practice, your essential functions may equate to all your critical business processes.


Scope of the CAF-aligned DSPT

Your CAF-aligned DSPT return should cover all your essential functions and critical systems. Some indicative examples of what this means for trusts, integrated care boards (ICBs), commissioning support units (CSUs) and arm's-length bodies (ALBs) are provided at the end of this guidance.

Some elements of the DSPT return will also require consideration of non-essential functions, for example data protection considerations which apply to any service, and underlying information, systems or networks, where personal data is handled.

If the data is subject to the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018, as will be the case with all confidential patient information, the underlying information, system or network should be included in your DSPT assessment.

An example of how the essential functions and systems of healthcare services may be broken down

Essential service (example for NHS trusts and foundation trusts):

  • healthcare services

Essential functions:

  • booking appointments
  • nursing
  • catering

Systems that support the operation of essential functions:

  • patient administration system
  • electronic patient record
  • network infrastructure
  • payroll
  • food inventory system

Scoping essential functions and critical information, systems and networks

You must own and manage the process of scoping essential functions and critical systems. To do this, you need to undertake a scoping exercise which identifies:

  • what your essential functions are – whether you label something an essential function, a service or a critical business process does not matter; what matters is that the compromise or failure of that function, service or process would lead to unacceptable consequences
  • all information, systems and networks which support your essential functions – and whose compromise by an incident could result in a significant impact on the continuity of an essential service

The output of your scoping exercise should be a document which captures your essential functions and the information, systems and networks supporting them. You should maintain a clear, demonstrable and risk-based justification of the scope, which should be considered an evolving document that will change over time in response to increased knowledge, changes in operating systems or following incidents.

The information required for your scoping assessment is likely to already exist in business continuity impact assessments, information assets and flows registers, asset registers, network architecture diagrams, and similar internal documentation which has been required under previous iterations of the DSPT.

We've provided some templates to give a practical example of how organisations can categorise and scope their essential functions. The templates are to be used as an example only. Organisations are encouraged to choose an approach that best suits their environment.


Additional considerations

Scoping activities should include multi-disciplinary stakeholders, representative of your whole organisation, who have a deep understanding of your services and systems and any wider touch points.

Third-party dependencies which support your essential functions should be identified within your scope. Further information on expectations regarding understanding and managing security risks to information, systems and networks supporting the operation of essential functions that arise because of dependencies on external suppliers is set out in contributing outcome A4.a of the CAF-aligned DSPT.

This should be a process of inclusion and exclusion. For example, a trust might undertake a review of its commercial activity, some of which is undertaken for the purposes of NHS healthcare services and some of which is for income generation purposes. If the network and information systems used for letting retail space are:

  • properly segmented, such that an attack or failure would not spread or have a cascade effect: the trust could formally de-scope the retail letting space from their essential functions scope
  • not properly segmented, such that an attack or failure would spread to other networks and information systems: the trust could not formally de-scope the retail letting space from their essential functions scope

Consideration should be given to varying periods of: 

  • service failure – systems or networks being unable to support the operation of the essential function
  • degradation – systems or networks suffering a decrease in function or performance
  • compromise – unauthorised access to systems or networks
  • aggregation of all the above with other services – where the systems or networks are impacted at the same time as the failure, degradation or compromise of other services

Through business tolerance or continuity measures, some systems may only come into scope if disrupted for days, weeks or months, rather than hours. This is normally determined by conducting a business impact assessment for each business function and determining its criticality.

If you consider that it would take a considerably long time for a particular system or network to impact your essential function(s), and you have mitigations in place to prevent a disruption of such significant length, you may consider de-scoping that system or network from your DSPT assessment. However, before taking the decision to de-scope the system or network you should consider scenarios where other services are also experiencing outages, which may have a more severe impact. 
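As an added illustration (not part of the NHS England guidance), the following Python encodes the inclusion and exclusion tests described above as one scoping decision with a written justification: the UK GDPR rule, the segmentation test, the time-to-impact tolerance from a business impact assessment, and the aggregation check where the fallback service is also down. The register, tolerance and scenario values are constructed and hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class System:
    name: str
    supports: list              # essential functions this system underpins
    handles_personal_data: bool # UK GDPR / DPA 2018 data present
    segmented: bool             # a failure or attack would not cascade elsewhere
    hours_to_impact: float      # from the BIA: hours until the function is hit, no fallback
    fallback: Optional[str] = None  # other service that keeps the function running meanwhile
    fallback_hours: float = 0.0     # how long that fallback sustains the function

def hours_until_impact(system, services_down):
    """Effective time to impact; the fallback only counts if it is not itself down."""
    if system.fallback and system.fallback not in services_down:
        return system.hours_to_impact + system.fallback_hours
    return system.hours_to_impact

def scope_decision(system, tolerance_hours, aggregation_scenarios=()):
    """Apply the inclusion/exclusion tests; returns (in_scope, justification)."""
    if system.handles_personal_data:
        return True, "handles personal data subject to UK GDPR / DPA 2018"
    if not system.segmented:
        return True, "not segmented: an attack or failure could cascade to other systems"
    if not system.supports:
        return False, "segmented and supports no essential function"
    base = hours_until_impact(system, set())
    if base <= tolerance_hours:
        return True, f"impact after {base:g}h, within the {tolerance_hours:g}h tolerance"
    for scenario in aggregation_scenarios:   # other services failing at the same time
        t = hours_until_impact(system, set(scenario))
        if t <= tolerance_hours:
            return True, f"impact after {t:g}h if {', '.join(scenario)} also fails"
    return False, f"segmented, impact only after {base:g}h in every scenario considered"

# Constructed register for a hypothetical trust (values invented, not from the guidance).
REGISTER = [
    System("patient administration system", ["booking appointments"], True, True, 2),
    System("retail letting system", [], False, True, 720),        # income generation only
    System("food inventory system", ["catering"], False, True, 72,
           fallback="manual stock sheets", fallback_hours=240),
    System("payroll", ["nursing"], False, False, 336),            # shares the flat network
]
SCENARIOS = [("manual stock sheets",)]   # aggregation: the paper fallback is unavailable too

def build_scope(register, tolerance_hours=168, scenarios=SCENARIOS):
    """Scope document: system name -> (in scope?, risk-based justification)."""
    return {s.name: scope_decision(s, tolerance_hours, scenarios) for s in register}

if __name__ == "__main__":
    for name, (in_scope, why) in build_scope(REGISTER).items():
        print(f"{'IN ' if in_scope else 'OUT'} {name}: {why}")
```

The food inventory system is de-scoped on its own 312-hour effective tolerance but pulled back in once the manual fallback is assumed to fail at the same time, which is the aggregation scenario the guidance asks you to test before de-scoping.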

Although the focus of the DSPT is your corporate entity, you should consider your essential functions that underpin your organisation’s role in providing services at scale that support other organisations’ essential functions. All organisations that handle NHS patient data and systems must complete and publish a DSPT return setting out how the organisation practices good cyber security and information governance.

Your DSPT auditors, NHS England and the Department of Health and Social Care (DHSC) may ask to review, provide input and where necessary, challenge scoping assessments.

Essential functions and underlying information, systems and networks may have different impacts per organisation given their intended objective, configuration, degree of reliance and available alternatives, hence the importance of local reviews.


Indicative examples of essential functions by organisation type

NHS trusts and foundation trusts

Essential services include, but are not limited to, elective care, urgent and emergency care, mental health care and community care. These may be further broken down, for example into diagnostics, surgery and rehabilitative care. Critical systems may include those supporting, for example, access to medical records and imagery, sterilisation, patient transportation, laboratory, administration, finance, HR and payroll services.

Integrated care boards (ICBs)

The Network and Information Systems (NIS) Regulations establish that all services provided by ICBs are considered essential services for the purposes of the NIS Regulations. For example, this includes managing budgets and allocating resources, commissioning services, planning, arranging and tracking services, and providing services such as the system co-ordination centre. Critical systems may include those supporting, for example, accounting and invoicing services and third-party management.

Further information is available in DHSC’s NIS Guide; see the section ‘How the NIS Regulations apply to ICBs’.

Commissioning support units (CSUs)

CSUs are a delivery partner for a variety of essential functions such as business intelligence, business support, digital, communications and engagement, and procurement services. Critical systems may include those supporting, for example, analytical and transformation support, deployment and ongoing support of information technology for customers in national teams and across the health and care system.

Arm’s length bodies (ALBs)

ALBs deliver a variety of essential functions, such as directly supporting people’s care across the health and care sector, as well as undertaking regulatory compliance activity, delivering HR and financing services and protecting sensitive information. Critical systems may include those supporting, for example, national health and care IT infrastructure, data management and customer relationship management tools.


Last edited: 13 November 2024 3:45 pm