
Part of Objective A – Managing risk

Principle A1: Governance

The organisation has appropriate management policies, processes and procedures in place to govern its approach to the security and governance of information, systems and networks.


A1.a Board direction

Description

You have effective organisational information assurance management led at board level and articulated clearly in corresponding policies.

The expectation for this contributing outcome is Achieved.

Indicators of good practice (IGP) achievement levels


Not achieved

At least one of the following is true:

NA#1. The security and governance of information, systems and networks related to the operation of essential functions is not discussed or reported on regularly at board level.

NA#2. Board level discussions on the security and governance of information, systems and networks are based on partial or out-of-date information, without the benefit of expert guidance.

NA#3. The security and governance of information, systems and networks supporting your essential functions are not driven effectively by the direction set at board level.

NA#4. Senior management or other pockets of the organisation consider themselves exempt from some policies or expect special accommodations to be made.

Partially achieved

Partial achievement is not possible for this contributing outcome.

Achieved

All the following statements are true:

A#1. Your organisation's approach and policy relating to the security and governance of information, systems and networks supporting the operation of your essential function(s) are owned and managed at board level. These are communicated, in a meaningful way, to risk management decision-makers across the organisation.

A#2. Regular board discussions on the security and governance of information, systems and networks supporting the operation of your essential function(s) take place, based on timely and accurate information and informed by expert guidance.

A#3. There are board-level individuals who have overall accountability for the security and governance of information, systems and networks (these may be the same person), who drive regular discussion at board level.

A#4. Direction set at board level is translated into effective organisational practices that direct and control the security and governance of information, systems and networks supporting your essential function(s).

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework (CAF).

The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.

Suggested approach to testing

1. Information governance and security policies - assess whether the organisation’s information governance and security policies have been clearly documented. The policies should cover:

  1. the approach to the security and governance of information, systems and networks supporting the operation of essential function(s). (A#1)
  2. a communication process to ensure that all relevant staff are aware of the contents of the policies. (A#1)
  3. reporting lines up to the accountable board level member(s). (A#3)

2. Information governance and security groups - obtain evidence that key findings and decisions made by expert groups responsible for information, systems and networks feed into discussions at board level. (A#2)

3. Board meetings - obtain the terms of reference and minutes of the organisation’s board and assess whether security and governance of information, systems and networks is regularly discussed. (A#3)

4. Board strategy and action plans - assess whether action plans relating to the security and governance of information, systems and networks are put in place to implement the direction set by the Board. These action plans should have named owners and clear timelines. Verify that progress is monitored, and timelines are being adhered to. (A#4)

Suggested documentation list

Suggested documentation includes:

  • policies relating to the security and governance of information, systems and networks
  • evidence of information governance and security group findings and decisions being discussed at board level
  • terms of reference and minutes from board meetings
  • board level strategy and action plans relating to the security and governance of information, systems and networks

A1.b Roles and responsibilities

Description

Your organisation has established roles and responsibilities for the security and governance of information, systems and networks at all levels, with clear and well-understood channels for communicating and escalating risks.

The expectation for this contributing outcome is Achieved.

Indicators of good practice (IGP) achievement levels


Not achieved

At least one of the following is true:

NA#1. Key roles are missing, left vacant, or fulfilled on an ad-hoc or informal basis.

NA#2. Staff are assigned security or information governance responsibilities but without adequate authority or resources to fulfil them.

NA#3. Staff are unsure what their responsibilities are for the security and governance of the essential function(s).

NA#4. Not all staff contracts clearly set out their responsibilities for the security and governance of information, systems and networks.

Partially achieved

Partial achievement is not possible for this contributing outcome.

Achieved

All the following statements are true:

A#1. Key roles and responsibilities for the security and governance of information, systems and networks supporting your essential function(s) have been identified. These are reviewed regularly to ensure they remain fit for purpose. 

A#2. Appropriately capable and knowledgeable staff fill those roles and are given the time, authority, and resources to carry out their duties.

A#3. There is clarity on who in your organisation has overall accountability for the security and governance of information, systems and networks supporting your essential function(s).

A#4. All staff contracts contain clear clauses confirming their responsibilities for the security and governance of information, systems and networks.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework (CAF).

The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.

Suggested approach to testing

1. Key roles and responsibilities – assess how the organisation has assigned responsibilities to each key role in a way that ensures there are no gaps in its critical information governance and cyber security activities. (A#1)

2. Regular review - verify that the organisation has a process for reviewing key roles and responsibilities to ensure they remain suitable for maintaining the security and governance of its information, systems and networks. Obtain evidence that the reviews occur on a schedule, or promptly in response to change, so that potential gaps in the organisation's cyber security and IG activities are identified and addressed without undue delay. (A#1)

3. Job descriptions - obtain the job descriptions of key staff, such as Data Protection Officer (DPO), Senior Information Risk Owner (SIRO), Caldicott Guardian, Information security/cyber security lead. Assess whether appropriate qualifications and/or experience requirements are required for these roles. (A#2)

4. Reporting resourcing issues - assess whether the organisation has procedures in place for reporting risks relating to inadequate time, authority and resources for carrying out information governance and cyber security duties so these can be considered by responsible decision-makers. (A#2)

5. Overall accountability – obtain the name of the individual with overall accountability for the security and governance of information, systems and networks. Verify that their responsibilities have been appropriately documented. (A#3)

6. Staff contracts - obtain a sample staff contract and assess whether it contains clear clauses confirming the employee's responsibilities for the security and governance of information, systems and networks. (A#4)

Suggested documentation list

Suggested documentation includes:

  • documentation of key roles and responsibilities
  • evidence of review process for roles and responsibilities
  • job descriptions
  • procedures for reporting resourcing issues
  • name of individual with overall accountability
  • staff contract sample

A1.c Decision-making and approval

Description

You have senior-level accountability for the security and governance of information, systems and networks, and delegate decision-making authority appropriately and effectively. Risks to information, systems and networks related to the operation of your essential function(s) are considered in the context of other organisational risks.

The expectation for this contributing outcome is Achieved.

Indicators of good practice (IGP) achievement levels


Not achieved

At least one of the following is true:

NA#1. What should be relatively straightforward risk decisions are constantly referred up the chain, or not made.

NA#2. Risks are resolved informally (or ignored) at a local level when the use of a more formal risk reporting mechanism would be more appropriate.

NA#3. Decision-makers are unsure of what senior management's risk appetite is, or only understand it in vague terms such as 'averse' or 'cautious'.

NA#4. Organisational structure causes risk decisions to be made in isolation, for example engineering and IT don't talk to each other about risk.

NA#5. Risk priorities are too vague to make meaningful distinctions between them (for example, almost all risks are rated 'medium' or 'amber').

Partially achieved

Partial achievement is not possible for this contributing outcome.

Achieved

All the following statements are true:

A#1. Senior management have visibility of key risk decisions made throughout the organisation.

A#2. Risk management decision-makers understand their responsibilities for making effective and timely decisions in the context of the risk appetite regarding the essential function(s), as set by senior management.

A#3. Risk management decision-making is delegated and escalated where necessary, across the organisation, to people who have the skills, knowledge, tools, and authority they need.

A#4. Risk management decisions are regularly reviewed to ensure their continued relevance and validity.

A#5. Risk decisions are joined up between different departments.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework (CAF).

The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.

Suggested approach to testing

1. Decision-making process - obtain evidence that:

  1. a board-approved risk appetite has been established (A#2)
  2. decision-makers are able to explain how they make effective decisions in the context of the risk appetite (A#2)
  3. it is clear which staff members are responsible for making decisions about which areas of risk (A#2, A#3)

2. Escalation to board - assess whether there are criteria and procedures for escalating key risk decisions to the board, and obtain evidence that this escalation takes place when required. (A#1)

3. Skills, knowledge, tools and authority – verify how the organisation has ensured that staff members responsible for making decisions in different risk areas are most appropriately positioned and equipped to fulfil their decision-making responsibilities. (A#3)

4. Risk registers - obtain the organisation’s risk registers and assess whether their contents align with the organisation’s procedures for decision-making. (A#3)

5. Risk register review - verify that the organisation has a process for reviewing risk management decisions to ensure they remain relevant and valid. Obtain evidence that the reviews occur on a schedule, or promptly in response to change, so that potential issues with risk decisions are identified and addressed. (A#4)

6. Siloed risk decisions - verify that decision-makers have criteria for deciding when other departments need to be consulted on risk decisions. Obtain evidence that decision-makers have involved other departments where appropriate. (A#5)

Suggested documentation list

Suggested documentation includes:

  • risk appetite statement
  • responsibilities for decision-making in different risk areas
  • procedures for reporting key risk decisions to the board
  • procedures for delegating risk decisions
  • risk registers
  • procedures for risk register review
  • procedures for involving other departments in risk decisions

Last edited: 22 January 2025 10:26 am