The ICO exists to empower you through information.

15 October 2024

Overall rating

Your overall rating was amber.

  • 1: Not yet implemented or planned
  • 18: Partially implemented or planned
  • 3: Successfully implemented
  • 0: Not applicable

RED: not implemented or planned

Your business has a process to securely dispose of records and equipment when no longer required.

 

Suggested actions

You should:

  • use locked waste bins for any paper records that contain personal data and require confidential and secure disposal;
  • store equipment or hardware that contains personal data in a secure location whilst awaiting destruction/disposal;
  • securely dispose of paper records by shredding - ideally using a cross cut shredder;
  • if you use a third party provider to shred paper records, erase data or dispose of/recycle your equipment or hardware, make sure they do it adequately and you have appropriate assurances in place to confirm compliance; and
  • keep a log of all equipment and confidential waste that you sent for disposal or destruction and, where possible, retain certificates of destruction.

Guidance

 

AMBER: partially implemented or planned

Your business identifies, assesses and manages information security risks.

 

Where measures have only been partially implemented, please select the appropriate actions from the detail below:

Suggested actions

You should:

  • consider all processes involved as you collect, store, use, share and dispose of personal data; and
  • consider how sensitive or confidential the data is and what damage or distress could be caused to individuals, as well as the reputational damage to your business, if there was a security breach.

With this clearer view of the risks you can then implement the following:

  • document your information risk management process in an information risk policy;
  • ensure that you create either a stand-alone information risk register or incorporate information risks in a central risk register; and
  • regularly assess and update, treat, tolerate, or mitigate risks, as appropriate.

Guidance

Your business has an approved and published information security policy which provides direction and support for information security (in accordance with business needs and relevant laws and regulations) and is regularly reviewed.

 

Where measures have only been partially implemented, please select the appropriate actions from the detail below:

Suggested actions

You should:

  • implement an information security policy that covers all aspects of information security within your organisation;
  • ensure the policy clearly sets out your approach to security together with responsibilities for implementing the policy and monitoring compliance; and
  • set review dates and ensure policies and procedures are reviewed and updated in line with agreed timescales or when required.

Guidance

Your business has defined and allocated information security responsibilities and has established a framework to coordinate and review the implementation of information security.

 

Where measures have only been partially implemented, please select the appropriate actions from the detail below:

Suggested actions

You should:

  • identify a person or department in your business and assign day-to-day responsibility for information security;
  • ensure they have the necessary authority and resources to fulfil this responsibility effectively; and
  • for larger organisations, appoint 'owners' with day-to-day responsibility for the security and use of business systems.

Guidance

 

Your business has established written agreements with all third party service providers and processors that ensure the personal data that they access and process on your behalf is protected and secure.

 

Where measures have only been partially implemented, please select the appropriate actions from the detail below:

Suggested actions

You should:

  • ensure processors treat your information securely - establish written data processing contracts and ensure they contain compulsory data protection-related clauses;
  • establish protocols to allow periodic security reviews of the security arrangements in place to provide assurances of compliance to contract/agreement; and
  • if you use a provider to erase data and dispose of or recycle your ICT equipment, make sure they do it adequately. You may be held responsible if personal data collected by you is extracted from your old equipment when it is resold.

Guidance

Your business has regular information security awareness training for all staff, including temporary, locum or contracted employees, to ensure they are all aware of and fulfil their responsibilities.

 

Where measures have only been partially implemented, please select the appropriate actions from the detail below:

Suggested actions

You should:

  • brief all staff on their security responsibilities, including the appropriate use of business systems and ICT equipment;
  • train your staff to recognise common threats such as phishing emails and malware infection, and how to recognise and report personal data breaches;
  • ensure staff are trained on or shortly after appointment with updates at regular intervals thereafter or when required; and
  • reinforce training using other methods including intranet articles, circulars, team briefings and posters.

Guidance

 

Your business has identified, documented and classified its hardware and software assets and assigned ownership of protection responsibilities.

 

Where measures have only been partially implemented, please select the appropriate actions from the detail below:

Suggested actions

You should:

  • identify and document all the hardware assets you use within a central hardware inventory or register;
  • identify and document all the software assets you use within a central software inventory or register;
  • assign ownership and security classifications to all identified hardware and software assets;
  • define rules for the acceptable use of your hardware and software by staff and communicate these rules; and
  • undertake periodic risk assessments of hardware and software asset inventories / registers and physical checks to ensure the accuracy of the hardware asset inventory.

 

Your business ensures the security of mobile working and the use of mobile computing devices.

 

Where measures have only been partially implemented, please select the appropriate actions from the detail below:

Suggested actions

You should:

  • assess the risks of mobile working (including remote working where mobile devices can connect to the corporate network);
  • establish a mobile working policy (based on the outcomes of the risk assessment) to assist in ensuring the security of mobile working and the use of mobile computing devices;
  • implement a process that sets out procedures to follow for authorising and managing mobile working; and
  • keep a log of all mobile devices used in your business and who they are allocated to.

Guidance

 

Your business configures new and existing hardware to reduce vulnerabilities and provide only the functionality and services required.

 

Where measures have only been partially implemented, please select the appropriate actions from the detail below:

Suggested actions

You should:

  • establish a process to configure new and existing hardware to reduce vulnerabilities and provide only the functionality and services required; and
  • maintain an up-to-date inventory of ICT equipment.

Guidance

 

Your business has established controls to manage the use of removable media in order to prevent unauthorised disclosure, modification, removal or destruction of personal data stored on it.

 

Where measures have only been partially implemented, please select the appropriate actions from the detail below:

Suggested actions

You should:

  • minimise and encrypt personal data stored on mobile devices; and
  • implement access controls or software solutions to mobile devices such as pin controlled access, data/disc encryption and limited systems access.

Guidance

 

Your business assigns user accounts to authorised individuals, and manages user accounts effectively to provide the minimum access to information.

 

Where measures have only been partially implemented, please select the appropriate actions from the detail below:

Suggested actions

You should:

  • implement a process to ensure that access to systems holding personal data is authorised by management;
  • restrict user permissions to the absolute minimum (or 'least privilege');
  • assign each user with their own username and password to ensure accountability;
  • implement role based user profiles and access levels to ensure that access to systems is only given to those roles that require it in order to complete their work;
  • review all network and application user access lists at least annually; and
  • ensure you have robust starter, mover and leaver processes in place to avoid the risk of unauthorised access or the accrual of unnecessary access levels.

Guidance

Your business has appropriate password security procedures and 'rules' for information systems and has a process in place to detect any unauthorised access or anomalous use.

 

Where measures have only been partially implemented, please select the appropriate actions from the detail below:

Suggested actions

You should:

  • limit the number of failed login attempts;
  • enable and actively encourage your staff to choose a strong password;
  • monitor user activity to detect any anomalous use (see Monitoring);
  • reinforce that passwords are not written down or recorded in accessible locations/systems logs; and
  • promptly disable passwords when staff change duties or leave the business.

Guidance

 

Your business routinely backs-up electronic information to help restore information in the event of disaster.

 

Where measures have only been partially implemented, please select the appropriate actions from the detail below:

Suggested actions

You should:

  • routinely back-up electronic information to help restore information in the event of disaster;
  • keep back-ups in a secure location away from your business premises; and
  • test the restoration of personal data regularly to check its effectiveness

Guidance

Your business logs and monitors user and system activity to identify and help prevent data breaches.

 

Where measures have only been partially implemented, please select the appropriate actions from the detail below:

Suggested actions

You should:

  • log and monitor user and system activity to identify and help prevent data breaches;
  • continuously monitor inbound and outbound network traffic to identify unusual activity or trends that could indicate an attack;
  • implement a mechanism to log user access to systems holding personal data in support of an access control policy;
  • ensure all monitoring and logging complies with any legal or regulatory constraints; and
  • make staff aware of any monitoring you undertake.

Guidance

  • Monitoring, 10 steps to cyber security, National Cyber Security Centre

Your business keeps software up-to-date and applies the latest security patches in order to prevent the exploitation of technical vulnerabilities.

 

Where measures have only been partially implemented, please select the appropriate actions from the detail below:

Suggested actions

You should:

  • use the latest versions of operating systems, web browsers and applications; and
  • update these regularly to help prevent the exploitation of unpatched vulnerabilities.

Guidance

Your business has boundary firewalls to protect computers from external attack and exploitation and help prevent data breaches.

 

Where measures have only been partially implemented, please select the appropriate actions from the detail below:

Suggested actions

You should:

  • install a firewall to monitor and restrict network traffic based on an agreed set of rules; and
  • minimise the impact of data breaches by segmenting and limiting access to network components that contain personal data. For example, you should separate your web server from your main file server. If your website is compromised then the attacker will not have direct access to your central data store.

Guidance

Your business has effective processes to identify, report, manage and resolve any personal data breaches. You have appropriate training in place to ensure staff know how to recognise and what to do if they detect a personal data breach.

 

Where measures have only been partially implemented, please select the appropriate actions from the detail below:

Suggested actions

You should:

  • have a process to enable staff to report breaches to management as soon as they become aware of them, and to investigate and implement recovery plans;
  • ensure your data protection and security training includes what constitutes a personal data breach and what to do should one occur; and
  • deliver this training to staff on a regular basis and use awareness materials to raise staff awareness eg posters, emails, newsletters etc.

Guidance

Your business has a procedure in place to report a breach to the ICO and to affected individuals, where necessary.

 

Where measures have only been partially implemented, please select the appropriate actions from the detail below:

Suggested actions

You should:

  • put mechanisms in place to assess the likely risk to individuals and then, if necessary, notify the breach to the ICO and inform affected individuals;
  • monitor the type, volume and cost of incidents to identify trends and help prevent recurrences; and
  • document all breaches, even if you don’t need to report them.

Guidance

Your business has procedures in place to effectively investigate the cause(s) of a breach and implement measures to mitigate future risks.

 

Where measures have only been partially implemented, please select the appropriate actions from the detail below: 

Suggested actions

You should:

  • ensure management are made aware of all personal data breaches;
  • establish processes to ensure all personal data breaches are fully investigated to determine the root cause and decide on any remedial actions that you may need to take; and
  • log, monitor and analyse all incidents to identify trends and help prevent recurrences.

Guidance

 

GREEN: successfully implemented

Your business has entry controls to restrict access to premises and equipment in order to prevent unauthorised physical access, damage and interference to personal data.

Your business has secure storage arrangements to protect records and equipment in order to prevent loss, damage, theft or compromise of personal data.

Your business has established effective anti-malware defences to protect computers from malware infection.


You can download this report as a Word document using the button on the top right corner of the page. If you have a problem downloading the report into a Word document please let us know.

Thank you for completing this checklist. Please complete our short feedback survey to help improve our toolkit.

The survey should take around three minutes to complete.