Principle B6: Staff awareness



Staff have appropriate awareness, knowledge and skills to carry out their organisational roles effectively in relation to information, systems and networks supporting the operation of essential functions.


B6.a Culture

Description

You develop and maintain a positive culture around information assurance.

The expectation for this contributing outcome is Partially achieved.

Indicators of good practice (IGP) achievement levels


Not achieved

At least one of the following is true:

NA#1. People in your organisation don’t understand what they contribute to the security and governance of the essential function(s).

NA#2. People in your organisation don’t know how to raise a concern about the security and governance of information, systems and networks.

NA#3. People believe that reporting issues may get them into trouble.

NA#4. Your organisation’s approach to the security and governance of information, systems and networks is perceived by staff as hindering the business of the organisation.

Partially achieved

All the following statements are true:

PA#1. Your executive management understand and widely communicate the importance of a positive culture around information assurance. Positive attitudes, behaviours and expectations are described for your organisation.

PA#2. All people in your organisation understand the contribution they make to the security and governance of information, systems and networks supporting your essential function(s).

PA#3. All individuals in your organisation know who to contact and where to access more information about information assurance. They know how to raise a security issue.

Achieved

All the following statements are true:

A#1. Your executive management clearly and effectively communicates the organisation's priorities and objectives around information assurance to all staff. Your organisation displays positive security and governance attitudes, behaviours and expectations.

A#2. People in your organisation raising potential security incidents and issues are treated positively.

A#3. Individuals at all levels in your organisation routinely report concerns or issues about information assurance and are recognised for their contribution to keeping the organisation and its information secure.

A#4. Your management is seen to be committed to and actively involved in information assurance.

A#5. Your organisation communicates openly about information assurance with any concern being taken seriously.

A#6. People across your organisation participate in activities to improve information assurance, building joint ownership and bringing knowledge of their area of expertise.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.

The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.

Suggested approach to testing – Partially achieved

1. Culture - obtain evidence of how the organisation’s executive management communicates the importance of a positive culture around information assurance, for example, through campaigns they have sponsored, initiatives they have supported and communications they have issued. Assess whether the organisation’s methods of promotion ensure that all levels of staff are made aware of these information assurance endorsements. (PA#1)

2. Staff contribution - discuss with a sample of staff members what things they need to do and be aware of in their role in order to keep information safe, and whether they understand the contribution they make to securing and protecting patient information, including appropriate use of IT systems. This understanding could come from training for information governance and security, communication from management, clauses in their contracts or policies detailing their responsibilities. (PA#2)

3. Raising a security issue - discuss with the organisation their process for raising a security issue, including potential incidents, near misses or general concerns.

  1. Verify that this process is documented. (PA#3)
  2. Establish whether this process is widely shared with staff, for example through official communication, training or as part of a new joiner pack of policies. (PA#3)

4. Accessing important information - assess what methods the organisation uses to make clear to staff members:

  1. Where they can locate important information relating to cyber security and IG procedures. For example, a procedural document telling them how to securely send information to external organisations and patients. (PA#3)
  2. Who they can speak to when they are unsure about cyber security and IG procedures. For example, details of the organisation’s IT team or Data Protection Officer. (PA#3)

Additional approach to testing – Achieved

1. Priorities and objectives for information assurance - in addition to step 1 of Partially achieved, obtain evidence that:

  1. Priorities and objectives for information assurance have been defined and documented. (A#1)
  2. Positive security and governance attitudes, behaviours and expectations are displayed by executive management and the organisation, for example by championing information governance and cyber security achievements and encouraging a culture of improvement. (A#1, A#4)

2. Positive treatment of staff raising incidents and issues - discuss with the organisation how they encourage positive treatment of people who raise concerns about potential security or data protection incidents. Ask a sample of staff members whether they feel they would be treated positively if they raised a concern about a potential security or data protection incident. (A#2)

3. Process for reporting concerns or issues - discuss with management the process for staff to report concerns or issues about information assurance, and obtain evidence that it is followed appropriately. Assess whether the process is sufficient to ensure that:

  1. Concerns or issues are investigated and acted on quickly, and communication takes place with the person that raised the alert initially. (A#3, A#5)
  2. The person raising the alert is recognised for their contribution to keeping the organisation and its information secure. (A#3)
  3. Staff are protected from retaliation or negative treatment for raising an issue or concern. (A#2, A#3)

4. Activities to improve information assurance - discuss with the organisation the opportunities available for staff to participate in activities to improve information assurance, for example lunch-and-learns, official training and blogs. Obtain evidence that those activities are not just an occasional one-off, and are attended by all levels of staff. (A#6)

Suggested documentation – Partially achieved

Suggested documentation includes:

  • evidence of executive management endorsements and communications promoting the importance of a positive culture around information assurance
  • list of all staff members and the relevant training, communications and procedures they have access to
  • procedures for raising security issues
  • procedures for informing staff where to find important cyber security and IG-related information and contacts

Additional documentation – Achieved

Additional documentation includes:

  • documentation showing information governance priorities and objectives
  • evidence of campaigns and initiatives showing positive security governance attitudes, behaviours and expectations from executive management
  • evidence of encouragement of positive staff treatment following reports of security issues
  • evidence that concerns are taken seriously, that positive behaviours are recognised, and that protection from retaliation is incorporated into the procedures for raising concerns
  • evidence of activities to promote information assurance awareness

B6.b Training

Description

The people who support the operation of your essential function(s) are appropriately trained in information assurance. A range of approaches to information assurance training, awareness and communications are employed.

The expectation for this contributing outcome is Achieved.

Indicators of good practice (IGP) achievement levels


Not achieved

At least one of the following is true:

NA#1. There are teams who operate and support your essential function(s) that lack any information assurance training.

NA#2. Information assurance training is restricted to specific roles in your organisation.

NA#3. Information assurance training records for your organisation are lacking or incomplete.

Partially achieved

All the following statements are true:

PA#1. You have defined appropriate information assurance training and awareness activities for all roles in your organisation, from executives to the most junior roles.

PA#2. You use a range of teaching and communication techniques for information assurance training and awareness to reach the widest audience effectively.

PA#3. Information assurance information is easily available.

Achieved

All the following statements are true:

A#1. All people in your organisation, from the most senior to the most junior, follow appropriate information assurance training paths.

A#2. Each individual’s information assurance training is tracked and refreshed at suitable intervals.

A#3. You routinely evaluate your information assurance training and awareness activities to ensure they reach the widest audience and are effective.

A#4. You make information assurance information and good practice guidance easily accessible, widely available and you know it is referenced and used within your organisation.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.

The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.

Suggested approach to testing – Partially achieved

1. Information assurance training and awareness - assess whether appropriate training and awareness activities have been defined for each role, or groups of roles, based on their activities and responsibilities within the organisation. (PA#1)

2. Range of teaching and communication - obtain evidence that the organisation, as part of developing its training needs analysis, has ensured that its methods of training and raising awareness are appropriate for the staff groups it needs to reach. Where specific methods have been chosen, for example digital modules, activity-based training or certified courses, verify that the organisation can explain why it expects them to be effective, taking into account the roles and responsibilities of the target audience. (PA#2)

3. Obtaining information assurance information - verify whether the organisation has made it easy for staff to find relevant cyber security and IG information, such as by having a centrally accessible repository or an easily navigable intranet hub with signposting to relevant topics. (PA#3)

Additional approach to testing – Achieved

1. Staff training paths - in addition to step 1 in Partially achieved, verify that skills and knowledge are identified for staff to achieve over time as part of undertaking the training activities designated by the organisation. (A#1)

2. Tracking of training completion - obtain evidence that the organisation has a way of tracking which training has been undertaken by which staff members, and alerting those staff members to refresh their training at suitable intervals. (A#2)

3. Evaluating effectiveness of training - discuss with the organisation its process for evaluating the effectiveness of training and awareness activities, which may run on a schedule or be triggered reactively. For example, evaluations could be prompted by staff feedback, new national requirements or changes in the technology used by the organisation. Obtain the results of the latest evaluation and verify that the actions arising from it were assigned to an owner and are being progressed. (A#3)

4. Availability and use of information and good practice guidance - in addition to step 3 of Partially achieved, through discussion with the organisation, assess whether it has made good practice guidance available on the topics it has identified as important for staff to understand for good data security and protection. Verify that the organisation can give examples it is aware of where these resources have been referenced or used by colleagues. (A#4)

Suggested documentation – Partially achieved

Suggested documentation includes:

  • documented training and awareness activities for all staff roles
  • procedures for considering and approving training methods
  • evidence of easily available information assurance information

Additional documentation – Achieved

Additional documentation includes:

  • evidence that specific training goals, skills and knowledge have been identified
  • procedures for tracking and refreshing individuals’ training cycles
  • procedures for evaluating effectiveness of training and awareness activities
  • evidence of good practice guidance being made available on key topics and used by staff members

Last edited: 2 January 2025 12:33 pm