Your organisation has appropriate policies, procedures and measures to identify, record and manage information risks.
Ways to meet our expectations:
- An information risk policy (either a separate document or part of a wider corporate risk policy) sets out how your organisation and its data processors manage information risk, and how you monitor compliance with the information risk policy.
- You have a process to help staff report and escalate information governance or data protection concerns and risks to a central point, for example, staff forums.
- You identify and manage information risks in an appropriate risk register, which includes clear links between corporate and departmental risk registers and the risk assessment of information assets.
- You have formal procedures to identify, record and manage risks associated with information assets in an information asset register.
- If you identify information risks, you have appropriate action plans, progress reports and a consideration of the lessons learnt to avoid future risk.
- You put in place measures to mitigate the risks identified within risk categories and you test these regularly to maintain effectiveness.
Can you answer yes to the following questions?
- Do staff know how to report and escalate concerns and risks?
- Could staff explain the links between the information risk register, the risk assessment of information assets, departmental risk registers and the corporate risk register?