
Part of Objective A – Managing risk

Principle A2: Risk management



The organisation takes appropriate steps to identify, assess and understand risks to the security and governance of information, systems and networks supporting the operation of essential functions. This includes an overall organisational approach to risk management.


A2.a Risk management process

Description

Your organisation has effective internal processes for managing risks to the security and governance of information, systems and networks related to the operation of your essential function(s) and communicating associated activities. This includes a process for data protection impact assessments (DPIAs).

The expectation for this contributing outcome is Partially achieved.

Indicators of good practice (IGP) achievement levels


Not achieved

At least one of the following is true:

NA#1. Risk assessments are not based on a clearly defined set of threat assumptions.

NA#2. Risk assessment outputs are too complex or unwieldy to be consumed by decision-makers and are not effectively communicated in a clear and timely manner.

NA#3. Risk assessments (including DPIAs) for network and information systems supporting your essential function(s) or high-risk processing activities are a 'one-off' activity (or not done at all).

NA#4. The security and IG elements of projects or programmes are solely dependent on the completion of a risk management assessment without any regard to the outcomes.

NA#5. There is no systematic process in place to identify risks, and then ensure that identified risks are managed effectively, which includes incorporating data protection by design and default.

NA#6. Systems and risks are assessed in isolation, without consideration of dependencies and interactions with other systems or risks in other areas of the business. For example, interactions between IT and operational technology environments, or finance risks and their impact on information governance.

NA#7. Security and IG requirements and mitigations are arbitrary or are applied from a control catalogue without consideration of how they contribute to the security of the essential function(s).

NA#8. Risks remain unresolved on a register for prolonged periods of time awaiting senior decision-making or resource allocation to resolve. These risks may be out of date or incomplete.

Partially achieved

All the following statements are true:

PA#1. Your organisational process ensures that security and wider Information Governance (IG) risks to information, systems and networks relevant to essential function(s) are identified, analysed, prioritised, and managed. This includes incorporating data protection by design and default into your process.

PA#2. Your risk assessments are informed by an understanding of the information and vulnerabilities in the systems and networks supporting your essential function(s), as well as your other data processing activities.

PA#3. The output from your risk management process is a clear set of security and IG requirements and mitigations that will address the risks in line with your organisational approach to security and IG more widely.

PA#4. Significant conclusions reached in the course of your risk management process are communicated to key decision-makers and accountable individuals.

PA#5. You conduct risk assessments (including DPIAs) when significant events potentially affect the essential function(s), such as replacing a system, commencing new or changing high-risk data processing, or a change in the cyber security threat.

PA#6. You perform threat analysis and understand how generic threats apply to your organisation.

PA#7. Your risk process clearly demonstrates how your organisation’s processing complies with data protection principles and relevant legislation, including the right to a private life.

Achieved

All the following statements are true:

A#1. Your organisational process ensures that security and wider Information Governance (IG) risks to information, systems and networks relevant to essential function(s) are identified, analysed, prioritised, and managed. This includes incorporating data protection by design and default into your process.

A#2. Your approach to risk is focused on the possibility of adverse impact to your essential function(s), leading to a detailed understanding of how such impact might arise as a consequence of possible attacker actions and the security properties of your information, systems and networks.

A#3. Your risk assessments are based on a clearly understood set of threat assumptions, informed by an up-to-date understanding of security threats to your essential function(s) and your sector.

A#4. Your risk assessments are informed by an understanding of the information and vulnerabilities in the systems and networks supporting your essential function(s), as well as a good understanding of your data processing activities in all areas of your organisation. This includes evaluation of repeated or significant near misses.

A#5. The output from your risk management process is a clear set of requirements that will address the risks in line with your organisational approach to security and IG more widely.

A#6. Significant conclusions reached in the course of your risk management process are communicated to key decision-makers and accountable individuals.

A#7. Your risk assessments (including DPIAs) are dynamic and updated in the light of relevant changes which may include technical changes to networks and information systems, change of use or processing, and new threat information.

A#8. The effectiveness of your information and security risk management process is reviewed regularly, and improvements made as required.

A#9. You perform detailed threat analysis and understand how this applies to your organisation in the context of the threat to your sector and the wider Critical National Infrastructure.

A#10. Your risk process clearly demonstrates how your organisation’s processing complies with data protection principles and relevant legislation, including the right to a private life.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework (CAF).

The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.

Suggested approach to testing – Partially achieved

1. Risk management process - verify that:

  1. The organisation has comprehensive processes for identifying, analysing, prioritising and managing information governance and cyber security risk. (PA#1, A#1)
  2. There is a specific process which the organisation adheres to for conducting risk assessments when significant events occur that could affect the organisation’s essential functions. (PA#5, A#7)
  3. There is a specific process which the organisation adheres to for conducting DPIAs before beginning any type of processing which is likely to result in a high risk to the rights and freedoms of individuals. (PA#5, A#7)
  4. The organisation’s adherence to agreed processes is reflected in the organisation’s risk management documentation, such as risk registers and risk assessments. (PA#1, A#1)

2. Risk management documentation - verify whether the documents show:

  1. Data protection by design and by default, incorporated in the process. (PA#1, A#1)
  2. Consideration of data protection principles and relevant legislation, including the right to private life where applicable. (PA#7, A#10)

3. Understanding information and vulnerabilities – obtain and inspect the organisation’s risk registers and a sample of the organisation’s risk assessments. Verify that:

  1. For projects involving personal information, the nature of personal and sensitive information is appropriately considered as part of risk management processes. (PA#2)
  2. For projects involving changes to systems and networks, vulnerabilities are appropriately considered as part of risk management processes. (PA#2)

4. Risk management actions - obtain the outputs of the risk management process discussed in step 1 and step 3, and assess whether the outputs include clear requirements and mitigation to address risks in line with the organisation’s approach to cyber security and information governance (IG) more widely. (PA#3, A#5)

5. Communicating to accountable individuals - verify that the organisation has established thresholds for situations where outputs of risk management processes should be communicated to key decision-makers and accountable individuals. Obtain evidence that this communication occurs where it is needed. (PA#4, A#6)

6. Threat analysis - assess how the organisation has incorporated threat intelligence into its cyber risk management processes. (PA#6, A#9)

Additional approach to testing – Achieved

1. Risk impact – discuss the process for evaluating the business impact of various scenarios, and assess whether the adverse impacts on the organisation’s essential functions have been understood and documented. Obtain a sample of scenario business impact evaluations and verify that the results are fed into the risk management process. (A#2)

2. Threat assumptions - obtain evidence that the organisation maintains a set of threat assumptions based on threat intelligence it receives and its own threat analysis, and that it has an effective review process to ensure these assumptions remain up-to-date. Verify that the threat assumptions are tailored to the organisation’s individual circumstances and cover a wide range of possible attacks. Assess whether these threat assumptions are appropriately integrated into the organisation’s risk management processes. (A#3)

3. Near misses - obtain a sample of the organisation’s repeated or significant near misses and assess whether the organisation effectively integrates lessons learned from these into its risk management processes. (A#4)

4. Dynamic risk assessments - determine whether there are processes and controls in place to ensure that the risk assessments are updated based on changes in threats, data use or processing and technical changes. Obtain evidence of risk assessments updated following this process. (A#7)

5. Risk management process review - verify what specific criteria the organisation uses to evaluate the effectiveness of its risk management processes. Obtain evidence that evaluations occur on a scheduled basis, or promptly in reaction to relevant events, and that improvements are made to strengthen risk management processes where appropriate. (A#8)

6. Threat analysis - obtain evidence that the organisation performs ongoing detailed threat analysis to understand the wide range of attacks and threat actors it is subject to at any given time. Verify that threat assumptions are reviewed in response to changes in the threat landscape such as significant geo-political events, knowledge of new cyber-attack campaigns and threat intelligence received from authoritative sources. Obtain evidence that this detailed threat analysis is incorporated into risk management processes. (A#9)

Suggested documentation – Partially achieved

Suggested documentation includes:

  • procedures for identifying, analysing, prioritising and managing information governance and cyber security risk
  • risk assessments
  • data protection impact assessments (DPIAs)
  • risk registers
  • evidence of data protection by design and by default being incorporated into risk management processes
  • evidence of data protection principles and relevant legislation being incorporated into risk management processes
  • evidence of the nature of information being considered as part of risk management processes
  • evidence of vulnerabilities in systems and networks being considered as part of risk management processes
  • procedures for communicating significant conclusions from risk management processes to accountable individuals
  • evidence of threat intelligence being used for cyber risk management processes

Additional documentation - Achieved

Additional documentation includes:

  • evidence of business impact evaluations for multiple scenarios
  • threat assumptions and review process
  • evidence of lessons learned from near misses being integrated into risk management processes
  • evidence of dynamic risk assessments
  • procedures for evaluation and improvement of risk management processes
  • evidence of ongoing detailed threat analysis

A2.b Assurance

Description

You have gained confidence in the effectiveness of the security and governance of your technology, people, and processes relevant to your essential function(s).

The expectation for this contributing outcome is Achieved.

Indicators of good practice (IGP) achievement levels


Not achieved

At least one of the following is true:

NA#1. A particular product or service is seen as a 'silver bullet' and vendor claims are taken at face value.

NA#2. Assurance methods are applied without appreciation of their strengths and limitations, such as the risks of penetration testing in operational environments.

NA#3. Assurance is assumed because there have been no known problems to date.

Partially achieved

Partial achievement is not possible for this contributing outcome.

Achieved

All the following statements are true:

A#1. You validate that the security and governance measures in place to protect information, systems and networks are effective and remain effective for the lifetime over which they are needed.

A#2. You understand the assurance methods available to you and choose appropriate methods to gain confidence in the security of essential function(s).

A#3. Your confidence in the security and governance as it relates to your technology, people, and processes can be justified to, and verified by, a third party.

A#4. Security and governance deficiencies uncovered by assurance activities are assessed, prioritised and remedied when necessary in a timely and effective way.

A#5. The methods used for assurance are reviewed to ensure they are working as intended and remain the most appropriate method to use.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework (CAF).

The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.

Suggested approach to testing – Mandatory policy requirement

Assurance policy – the NHS Standard Contract and the Data Security and Protection Toolkit (DSPT) mandate that organisations complete a DSPT audit/independent assessment annually. Organisations must have due regard to the findings, provide them to their board, and include them in their DSPT submission. An independent assessment that follows the guidance in this document meets this mandatory policy requirement.

Suggested approach to testing

1. Security and governance measures - assess how the organisation validates that its cyber security and IG controls are working effectively. Obtain evidence that the organisation’s validation processes can effectively identify weak points, and that plans are put in place to remedy those weak points. (A#1)

2. Selection of assurance methods – discuss the various assurance methods in use at the organisation, and understand how they were assessed against other methods and validated as the appropriate methods to be used. (A#2)

3. Independent assurance - obtain evidence of how the organisation uses third parties to assure its technology, people and processes, for example by inspecting documentation of previous DSPT audits. (A#3)

4. Deficiency remediation - assess whether deficiencies identified by assurance activities are assessed by responsible decision-makers, and clear remediation actions are delegated to named owners. Obtain evidence that this process leads to remediation of deficiencies identified without undue delay. (A#4)

5. Review of assurance methods - verify that the organisation has a process for reviewing its assurance methods, run on a scheduled basis or promptly in reaction to relevant events, which ensures that they remain appropriate. (A#5)

Suggested documentation

Suggested documentation includes:

  • procedures for assurance of cyber security and information governance controls
  • evidence of validation and selection of assurance methods
  • evidence of previous DSPT audits or equivalent independent assurance
  • action plans for remediating deficiencies
  • procedures for reviewing assurance methods

Last edited: 15 May 2025 8:29 am