NHS DSPT Managing Risk - A1 Governance
(Updated 2025)
A1.a Board Direction
Key Point:
Effective information security management must be led at board level and embedded in organisational strategy and policy.
Overview:
To ensure strong governance, the board must actively oversee cyber security and information governance (IG). Board-level leadership is crucial in setting the tone for risk management, resource allocation, and organisational priorities.
How to Meet the Requirement:
- The board or senior management must be actively engaged in cyber security and IG.
- The board is responsible for:
  - Setting strategic direction.
  - Defining the organisation’s risk appetite.
  - Ensuring security and governance are embedded into culture, policies, and projects.
- In health and social care, these responsibilities are led by the Senior Information Risk Owner (SIRO), who ensures risks are escalated and addressed at board level.
- Board members must also receive regular cyber security and IG training to ensure they remain informed about current threats and regulatory changes.
Evidence to Provide:
- Minutes from board meetings showing discussion of cyber and IG risks.
- Policies or frameworks demonstrating board oversight.
- Risk registers and board-level risk appetite statements.
- Training records for board members in cyber security and IG.
Indicators of Good Practice:
- The board takes ownership of information security policies and ensures they are communicated effectively.
- Cyber security and IG risks are standing items on board agendas.
- Board members are accountable for security and governance, with clear reporting lines to the SIRO and DPO.
- The organisation conducts annual board-level reviews of its cyber security posture.
A1.b Roles and Responsibilities
Key Point:
Clearly defined roles and responsibilities are essential for effective information security and governance.
Overview:
Strong governance requires assigning roles and responsibilities to a knowledgeable team. Roles must be clearly documented, regularly reviewed, and communicated to ensure that risk ownership is clear across the organisation.
How to Meet the Requirement:
- Document roles and responsibilities through policies, job descriptions, and governance frameworks.
- Ensure that staff in key roles receive appropriate training and support.
- Review resources regularly to ensure there are no gaps in coverage.
- Embed role accountability into performance objectives and contracts.
Key Roles to Include:
- Data Protection Officer (DPO)
- Senior Information Risk Owner (SIRO)
- Caldicott Guardian
- Information Governance Lead
- Cyber Security Lead / CISO
Evidence to Provide:
- Organisational charts showing roles and responsibilities.
- Job descriptions and contracts covering IG and cyber roles.
- Records of training and ongoing professional development.
- Policy documents assigning accountability for cyber and IG.
Indicators of Good Practice:
- Regular reviews ensure roles remain aligned with organisational needs.
- Clear processes exist for risk escalation.
- Resource gaps are addressed promptly with board oversight.
- Staff understand who is accountable for security and IG within the organisation.
A1.c Decision-Making
Key Point:
Senior management must ensure that cyber security and IG risk decisions are made consistently, transparently, and aligned with organisational priorities.
Overview:
Decision-making around cyber and IG risks should be guided by board-approved risk appetite statements and involve the appropriate stakeholders. Risks should be regularly reviewed in light of changes in the threat landscape, compliance requirements, and NHS guidance.
How to Meet the Requirement:
- Define and publish the organisation’s risk appetite, approved at board level.
- Involve relevant departments (e.g., IT, IG, clinical, HR) in risk decisions.
- Review and update risk assessments at least annually or when major changes occur.
- Ensure change management processes include security and IG impact assessments.
Evidence to Provide:
- Records of risk management decisions tied to risk appetite.
- Documented change management and approval processes.
- Risk assessments and an audit trail of decisions taken.
Indicators of Good Practice:
- Staff understand their role in making risk-informed decisions.
- Risk decisions are formally documented, reviewed, and aligned with the organisation’s appetite.
- The board and SIRO review risks regularly, ensuring decisions remain current with emerging threats and NHS DSPT updates.
Embedding governance at board level ensures that cyber security and IG are not treated as operational issues but as strategic risks. By clearly defining roles, setting risk appetite, and establishing transparent decision-making processes, organisations can demonstrate compliance with NHS DSPT v7 and wider regulatory frameworks such as NIS2.
Need support? Periculo can help boards establish governance frameworks, train SIROs and DPOs, and ensure DSPT compliance across your organisation.