Part of Cyber security guide for non-executive directors

Questions for the board

To understand how good your executive and board’s cyber security governance is, you may wish to ask the following questions:


Governance

Who manages the organisation’s cyber security risk on a day-to-day basis?

Who is the Senior Information Risk Owner (SIRO)?

(All NHS organisations must have a SIRO to take responsibility for Information Assurance (IA) issues.)

Is there an executive and non-executive lead for cyber security on the board?

Does the appropriate governance structure exist between the executive team and the cyber security function?

If cyber security is considered in a board sub-committee, such as the audit and risk committee, how much time and cyber security expertise does that committee have to examine cyber security, and how effective is its governance?


Briefings

When did the board last receive a briefing on the cyber security threat to healthcare?

When did the board last participate in cyber security awareness activities?


Risk management

Has the executive team identified the most critical assets and data?

How is cyber security risk integrated into wider business risks?

How frequently does the board review cyber security risk and is this appropriate to the increased cyber risk?

How are risks presented in performance dashboards?

Has the board reviewed the data from the Data Security and Protection Toolkit (DSPT) to inform board risk discussion?

How prepared is the board to respond to an incident where cyber is the cause?

In the event of a cyber security incident, how can the board ensure critical services can be maintained over a potentially extended period?


Last edited: 15 July 2025 4:56 pm