6 December 2023
Information security checklist report
Your overall rating was green.
- 0: Not yet implemented or planned
- 5: Partially implemented or planned
- 17: Successfully implemented
- 0: Not applicable
AMBER: partially implemented or planned
Your business has defined and allocated information security responsibilities and has established a framework to coordinate and review the implementation of information security.
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
Suggested actions
You should:
- identify a person or department in your business and assign day-to-day responsibility for information security;
- ensure they have the necessary authority and resources to fulfil this responsibility effectively; and
- for larger organisations, appoint 'owners' with day-to-day responsibility for the security and use of business systems.
Guidance
- The National Cyber Security Centre (NCSC) guidance for small businesses: https://www.ncsc.gov.uk/smallbusiness
Your business has a process to securely dispose of records and equipment when no longer required.
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
Suggested actions
You should:
- use locked waste bins for any paper records that contain personal data and require confidential and secure disposal;
- store equipment or hardware that contains personal data in a secure location whilst awaiting destruction/disposal;
- securely dispose of paper records by shredding, ideally using a cross-cut shredder;
- if you use a third party provider to shred paper records, erase data or dispose of/recycle your equipment or hardware, make sure they do it adequately and you have appropriate assurances in place to confirm compliance; and
- keep a log of all equipment and confidential waste that you send for disposal or destruction and, where possible, retain certificates of destruction.
Guidance
- Safe computer disposal, Get safe online website
Your business has established controls to manage the use of removable media in order to prevent unauthorised disclosure, modification, removal or destruction of personal data stored on it.
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
Suggested actions
You should:
- minimise and encrypt personal data stored on mobile devices; and
- implement access controls or software solutions on mobile devices, such as PIN-controlled access, data/disk encryption and limited system access.
Guidance
- Removable media controls, in 10 steps to cyber security, National Cyber Security Centre
- The National Cyber Security Centre (NCSC) guidance for small businesses: https://www.ncsc.gov.uk/smallbusiness
- Cyber Essentials
Your business keeps software up-to-date and applies the latest security patches in order to prevent the exploitation of technical vulnerabilities.
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
Suggested actions
You should:
- use the latest versions of operating systems, web browsers and applications; and
- update these regularly to help prevent the exploitation of unpatched vulnerabilities.
Guidance
- Patch management, in Cyber security essentials, GOV.UK website
- Cyber Essentials
Your business has a procedure in place to report a breach to the ICO and to affected individuals, where necessary.
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
Suggested actions
You should:
- put mechanisms in place to assess the likely risk to individuals and then, if necessary, notify the breach to the ICO and inform affected individuals;
- monitor the type, volume and cost of incidents to identify trends and help prevent recurrences; and
- document all breaches, even if you don’t need to report them.
Guidance
- Incident management, in 10 steps to cyber security, National Cyber Security Centre
- Guide to the UK GDPR – Personal Data Breaches, ICO website
GREEN: successfully implemented
Your business identifies, assesses and manages information security risks.
Your business has an approved and published information security policy which provides direction and support for information security (in accordance with business needs and relevant laws and regulations) and is regularly reviewed.
Your business has established written agreements with all third party service providers and processors that ensure the personal data that they access and process on your behalf is protected and secure.
Your business has regular information security awareness training for all staff, including temporary, locum or contracted employees, to ensure they are all aware of and fulfil their responsibilities.
Your business has entry controls to restrict access to premises and equipment in order to prevent unauthorised physical access, damage and interference to personal data.
Your business has secure storage arrangements to protect records and equipment in order to prevent loss, damage, theft or compromise of personal data.
Your business has identified, documented and classified its hardware and software assets and assigned ownership of protection responsibilities.
Your business ensures the security of mobile working and the use of mobile computing devices.
Your business configures new and existing hardware to reduce vulnerabilities and provide only the functionality and services required.
Your business assigns user accounts to authorised individuals, and manages user accounts effectively to provide the minimum access to information.
Your business has appropriate password security procedures and 'rules' for information systems and has a process in place to detect any unauthorised access or anomalous use.
Your business has established effective anti-malware defences to protect computers from malware infection.
Your business routinely backs up electronic information to help restore information in the event of disaster.
Your business logs and monitors user and system activity to identify and help prevent data breaches.
Your business has boundary firewalls to protect computers from external attack and exploitation and help prevent data breaches.
Your business has effective processes to identify, report, manage and resolve any personal data breaches. You have appropriate training in place to ensure staff know how to recognise and what to do if they detect a personal data breach.
Your business has procedures in place to effectively investigate the cause(s) of a breach and implement measures to mitigate future risks.