The ICO exists to empower you through information.

16 April 2024

Overall rating

Your overall rating was green.

  • 0: Not yet implemented or planned
  • 0: Partially implemented or planned
  • 21: Successfully implemented
  • 1: Not applicable

GREEN: successfully implemented

Your business identifies, assesses and manages information security risks.


Your business has an approved and published information security policy which provides direction and support for information security (in accordance with business needs and relevant laws and regulations) and is regularly reviewed.


Your business has defined and allocated information security responsibilities and has established a framework to coordinate and review the implementation of information security.

Your business has established written agreements with all third party service providers and processors that ensure the personal data that they access and process on your behalf is protected and secure.

Your business has regular information security awareness training for all staff, including temporary, locum or contracted employees, to ensure they are all aware of and fulfil their responsibilities.

Your business has entry controls to restrict access to premises and equipment in order to prevent unauthorised physical access, damage and interference to personal data.

Your business has secure storage arrangements to protect records and equipment in order to prevent loss, damage, theft or compromise of personal data.

Your business has a process to securely dispose of records and equipment when no longer required.

Your business has identified, documented and classified its hardware and software assets and assigned ownership of protection responsibilities

Your business ensures the security of mobile working and the use of mobile computing devices.

Your business configures new and existing hardware to reduce vulnerabilities and provide only the functionality and services required.

Your business assigns user accounts to authorised individuals, and manages user accounts effectively to provide the minimum access to information.

Your business has appropriate password security procedures and 'rules' for information systems and has a process in place to detect any unauthorised access or anomalous use.

Your business has established effective anti-malware defences to protect computers from malware infection.

Your business routinely backs-up electronic information to help restore information in the event of disaster.

Your business logs and monitors user and system activity to identify and help prevent data breaches.

Your business keeps software up-to-date and applies the latest security patches in order to prevent the exploitation of technical vulnerabilities.

Your business has boundary firewalls to protect computers from external attack and exploitation and help prevent data breaches.

Your business has effective processes to identify, report, manage and resolve any personal data breaches. You have appropriate training in place to ensure staff know how to recognise and what to do if they detect a personal data breach.

Your business has a procedure in place to report a breach to the ICO and to affected individuals, where necessary.

Your business has procedures in place to effectively investigate the cause(s) of a breach and implement measures to mitigate future risks.

Not applicable

Your business has established controls to manage the use of removable media in order to prevent unauthorised disclosure, modification, removal or destruction of personal data stored on it.

You can download this report as a Word document using the button on the top right corner of the page. If you have a problem downloading the report into a Word document please let us know.

Thank you for completing this checklist. Please complete our short feedback survey to help improve our toolkit.

The survey should take around three minutes to complete.