
Freedom of information request NIC-563233-P5Y0W

Freedom of information request - Do you adhere to ISO 27001 Standard for Risk Assessment processes?

Thank you for your email dated 30 July 2021 requesting the following information in relation to the ‘ISO 27001 STANDARD’

We have considered your request in accordance with S.1(1) of the Freedom of Information Act 2000 (FOIA) and can confirm that we do hold some of the information that you have requested.

“Do you adhere to ISO 27001 standard for risk assessment process? Yes/no

  • If yes, please state the criteria you use
  • If no, please state which ISO standard is used”

Internally, our risk management policy aligns with the UK government Orange Book (Management of Risk – Principles and Concepts), its associated guidance material, and ISO 31000 (Risk Management Standard).

“What standard do you go by for risk assessment?

  • ISO 27001
  • Governance, Risk, Compliance (GRC)
  • OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)
  • NIST RMF (National Institute of Standards and Technology’s Risk Management Framework)
  • National Cyber Security Centre guidance”

Organisations (data controllers and data processors) requesting NHS Digital data must provide evidence of their security certification. All organisations that have access to NHS patient data and systems must use the Data Security and Protection Toolkit (DSPT) to provide assurance that they are practising good data security. The DSPT allows organisations to measure their performance against the National Data Guardian’s ten data security standards and supports organisations in meeting the requirements of the General Data Protection Regulation (GDPR). The organisation must have completed the latest available version of the DSPT assessment, or must have produced the previous version of the DSPT within the last 12 months, and the assessment must not have exceeded its expiry date.

If an organisation does not have a DSPT, it must instead provide evidence of either a valid, in-date ISO 27001 certification or a System Level Security Policy; both are reviewed and agreed by the NHS Digital Security Team as relevant and appropriate to the application for NHS Digital data.

“Do you carry out a full risk assessment on the organisations you release the data to?

Can I please see your risk acceptance criteria for information security risks arising from non-compliance with the acceptable use policy?

How do you reduce or limit the risk to the data subjects?

Do you have an acceptable usage criteria policy for data released by NHS Digital?

How do you measure compliance? What are the potential penalties for non-compliance?”

All requests for data must meet the NHS Digital Data Access Request Service (DARS) standards and provide evidence of how they meet the standards’ criteria. They must comply with data protection legislation, including GDPR and the DPA, be for the benefit of health and social care, and comply with the Health and Social Care Act.

The guidance on the criteria required to meet the standards can be accessed here: Data Access Request Service (DARS) guidance - NHS Digital

And details on what is required before making an application for data can be found here: Data Access Request Service (DARS) - NHS Digital

All organisations requesting data must have a Data Sharing Framework Contract in place with NHS Digital, and individual requests for data will be covered by a Data Sharing Agreement. NHS Digital carry out data sharing audits to check that organisations are meeting the obligations of the Data Sharing Framework Contract and the Data Sharing Agreement, and each audit and post-audit review carried out results in the publication of a formal audit report. Audit reports are published here: Data Sharing Audits - NHS Digital

Our rights for remediation are set out within our Data Sharing Framework Contract, details of which can be found here: Data Access Request Service (DARS): pre-application checklist - NHS Digital

Last edited: 12 May 2022 5:21 pm