Questions

# | Question | Created | Last Modified

Your business documents procedures to determine, collect and analyse appropriate data to demonstrate the suitability, adequacy and effectiveness of the Quality Management System. These procedures include the determination of appropriate methods, statistical techniques and the extent of their use.

The analysis of data includes data generated as a result of monitoring and measurement, and from other relevant sources, including, at a minimum, input from:

  • feedback;
  • conformity to product requirements;
  • characteristics and trends of processes and product, including opportunities for improvement;  
  • suppliers;
  • audits; and,
  • service reports, as appropriate.

Your business ensures that if analysis of data shows that the Quality Management System is not suitable, adequate or effective, this analysis is used as input to improve production processes as required.

Your business maintains records of the results of any analysis.

Created: 20/01/2021 14:40:35 | Last Modified: 29/01/2021 15:57:07

Your business performs rework in accordance with documented procedures that take into account the potential adverse effect of the rework on the product. These procedures undergo the same review and approval as the original procedure.

Your business ensures that after the completion of any rework, the product is verified to ensure that it meets all applicable acceptance criteria and regulatory requirements. 

Your business ensures that all records of rework are maintained.

Created: 20/01/2021 14:40:34 | Last Modified: 29/01/2021 15:12:27

Your business ensures that product which does not conform to product requirements is identified and controlled to prevent its unintended use or delivery. Your organisation documents a procedure to define the controls and related responsibilities and authorities for the identification, documentation, segregation, evaluation and disposition of the nonconforming product.

Your business, as part of the evaluation of nonconformity, determines the need for an investigation and notification of any external party responsible for the nonconformity.

Your business maintains records of the nature of all nonconformities and any subsequent action taken, including the evaluation, any investigation and the rationale for any decisions taken.

Created: 20/01/2021 14:40:34 | Last Modified: 29/01/2021 14:59:27

Your business maintains evidence to demonstrate the product conforms to the acceptance criteria. The identity of the person authorising release of product is recorded. As appropriate, records identify the test equipment used to perform measurement activities.

Product release and service delivery does not proceed until the planned and documented arrangements have been satisfactorily completed.

For implanted medical devices, your business records the identity of personnel performing any inspection or testing.

Created: 20/01/2021 14:40:33 | Last Modified: 29/01/2021 14:49:37

The management responsible for the area being audited ensures that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities include the verification of the actions taken and the reporting of verification results.

Created: 29/01/2021 14:15:45 | Last Modified: 29/01/2021 14:21:02

Your business conducts internal audits at planned intervals to determine whether the Quality Management System:

  • conforms to planned and documented arrangements, the requirements of this International Standard, the Quality Management System requirements established by your organisation, and applicable regulatory requirements; and,
  • is effectively implemented and maintained.

Your business documents the procedure to describe the responsibilities and requirements for planning and conducting internal audits and recording and reporting audit results.

Created: 20/01/2021 14:40:33 | Last Modified: 29/01/2021 14:06:54

If your business is governed by regulatory requirements that require notification of complaints that meet specified reporting criteria of adverse events or the issue of advisory notices, your business has documented procedures for providing notification to the appropriate Regulatory authorities.

Records of the reporting to the regulatory authorities are maintained.

Created: 20/01/2021 14:40:33 | Last Modified: 29/01/2021 14:03:20

The procedures for complaint handling include, at a minimum, requirements and responsibilities for:

  • receiving and recording information;
  • evaluating information to determine if the feedback constitutes a complaint;
  • investigating complaints;
  • determining the need to report the information to the appropriate regulatory authorities;
  • handling of complaint-related product; and,
  • determining the need to initiate corrections or corrective actions.

If any complaint is not investigated, the justification for the decision is documented. Any correction or corrective action resulting from the complaint handling process is also documented.

If an investigation determines that activities outside your organisation contributed to the complaint, relevant information is exchanged between your organisation and the external party involved, and records of the investigation and the exchange are maintained.

All complaint handling records are maintained.

Created: 20/01/2021 14:40:33 | Last Modified: 29/01/2021 13:43:57

Your business, as one of the measurements of the effectiveness of the quality management system, gathers and monitors information relating to whether your organisation has met its customer requirements. The methods for obtaining and using this information are documented.

Your business documents procedures for the feedback process. This feedback process includes provisions to gather data from production as well as post-production activities.

The information gathered in the feedback process serves as potential input into risk management for monitoring and maintaining the product requirements as well as the product realisation or improvement processes.

If applicable regulatory requirements require your organisation to gain specific experience from post-production activities, the review of this experience forms part of the feedback process.

Created: 20/01/2021 14:40:32 | Last Modified: 29/01/2021 13:27:51

Your business plans and implements the monitoring, measurement, analysis and improvement processes needed to:

  • demonstrate conformity of product;
  • ensure conformity of the Quality Management System; and,
  • maintain the effectiveness of the Quality Management System.

This includes the determination of appropriate methods, including statistical techniques, and the extent of their use.

Created: 20/01/2021 14:40:32 | Last Modified: 29/01/2021 13:18:21

Your business plans and documents arrangements for the control of contaminated or potentially contaminated product in order to prevent contamination of the work environment, personnel, or product.

Where sterile medical devices are used, your business documents requirements for control of contamination with microorganisms or particulate matter, and maintains the required cleanliness during assembly or packaging processes.

Created: 08/01/2021 16:02:05 | Last Modified: 28/01/2021 19:16:58

Your business documents the requirements for health, cleanliness and clothing of personnel if contact between such personnel and the product, or work environment, could affect medical device safety or performance.

Created: 08/01/2021 16:02:04 | Last Modified: 28/01/2021 19:10:12

Your business ensures that all personnel who are required to work temporarily under special environmental conditions within the work environment are competent or are supervised by a competent person.

Created: 08/01/2021 16:02:05 | Last Modified: 28/01/2021 19:09:51

Your business documents the requirements for the work environment needed to achieve conformity to product requirements.

Where the conditions in the work environment can have an adverse effect on product quality, your business also documents the requirements for the work environment, and the procedures to monitor and control the work environment.

Created: 08/01/2021 16:02:04 | Last Modified: 28/01/2021 19:08:35

Your business provides training or takes other actions to achieve or maintain the necessary competences. The provision of training or other actions taken is evaluated to ensure it is effective.

Created: 08/01/2021 16:02:04 | Last Modified: 28/01/2021 18:56:41

Your business documents the requirements for the infrastructure needed to:

  • achieve conformity to product requirements;
  • prevent product mix-up; and,
  • ensure orderly handling of product.

Infrastructure includes:

  • buildings, workspace and associated utilities;
  • process equipment (both hardware and software);
  • supporting services (such as transport, communication, or information systems).

Created: 08/01/2021 16:02:04 | Last Modified: 28/01/2021 18:56:32

Your business documents the requirements for infrastructure maintenance activities, including the interval at which they are performed, where such maintenance activities, or the lack of them, can affect product quality. These requirements apply to equipment used in production, in the control of the work environment, and in monitoring and measurement.

Records of infrastructure maintenance are maintained.

Created: 08/01/2021 16:02:04 | Last Modified: 28/01/2021 18:56:22

Sufficient resources are determined and provided to implement the Quality Management System and to maintain its effectiveness. 

Created: 08/01/2021 16:02:03 | Last Modified: 28/01/2021 18:28:37

Records of the results and conclusions of all validation arising from the control of monitoring and measuring equipment, and of the necessary actions from the validation, including the validation of computer software used for the monitoring and measurement of requirements, are maintained.

Created: 15/01/2021 14:02:49 | Last Modified: 28/01/2021 17:48:22

To ensure valid results, your business ensures measuring equipment:

  • is calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards. When no such standards exist, the basis used for calibration or verification is recorded;
  • is adjusted or re-adjusted as necessary. Such adjustments or re-adjustments are recorded;
  • has identification in order to determine its calibration status;
  • is safeguarded from adjustments that would invalidate the measurement result; and
  • is protected from damage and deterioration during handling, maintenance and storage.

Your business performs calibration or verification in accordance with the documented procedures.

Additionally, your business assesses and records the validity of the previous measuring results when the equipment is found not to conform to requirements and takes appropriate action in regard to the equipment and any product affected.

Records of the results of calibration and verification are maintained.

Created: 15/01/2021 14:02:48 | Last Modified: 28/01/2021 17:43:40

Your business determines the monitoring and measurements to be undertaken, and the monitoring and measuring equipment needed to provide evidence of conformity of product to determined requirements.

Your business documents procedures to ensure that monitoring and measurements can be carried out, and are carried out in a manner that is consistent with the monitoring and measurement requirements.

Created: 15/01/2021 14:02:48 | Last Modified: 28/01/2021 17:27:27

Your business requires suppliers of distribution services or distributors to maintain records of the distribution of medical devices to allow traceability, and requires that these records are available for inspection.

Your business requires these organisations to record the names and addresses of the shipping package consignees, and these records are maintained.

Created: 15/01/2021 14:02:47 | Last Modified: 28/01/2021 17:16:22

Your business identifies, verifies, protects, and safeguards customer property provided for use, or incorporation into the product, while it is under your organisation’s control or being used by your organisation. If any customer property is lost, damaged or otherwise found to be unsuitable for use, your business reports this to the customer and maintains records.

Created: 15/01/2021 14:02:47 | Last Modified: 28/01/2021 17:16:12

Your business documents procedures for preserving the conformity of product to specific requirements during processing, storage, handling, and distribution. Preservation applies to all the constituent parts of a medical device.

Your business protects products from alteration, contamination or damage when exposed to expected conditions and hazards during processing, storage, handling, and distribution by:

  • designing and constructing suitable packaging and shipping containers; and,
  • documenting requirements for special conditions needed if packaging alone cannot provide preservation.

If special conditions are required, they are controlled and recorded with the appropriate records being maintained.

Created: 15/01/2021 14:02:48 | Last Modified: 28/01/2021 17:16:01

Your business documents procedures for traceability. These procedures define the extent of traceability in accordance with applicable regulatory requirements and the records maintained. The records required for traceability include records of components, materials, and conditions for the work environment used, where these could cause the medical device not to satisfy its specified safety and performance requirements.

Your business records the names and addresses of the shipping package consignees, and these records are maintained.

Created: 15/01/2021 14:02:47 | Last Modified: 28/01/2021 16:59:07

Your business documents procedures for product identification, and identifies products by suitable means throughout product realisation.

Your business identifies product status with respect to monitoring and measurement requirements throughout product realisation. Identification of product status is maintained throughout production, storage, installation and servicing of product to ensure that only product that has passed the required inspections and tests, or has been released under an authorised concession, is dispatched, used or installed.

If required by applicable regulatory requirements, your business documents a system to assign unique device identification to the medical device.

Created: 15/01/2021 14:02:47 | Last Modified: 28/01/2021 16:43:38

Your business documents procedures for the validation of processes for sterilisation and sterile barrier systems.

Processes for sterilisation and sterile barrier systems are validated prior to implementation and following product or process changes, as appropriate.

Records of the results and conclusions of validation, and of the necessary actions from the validation, are maintained.

Created: 15/01/2021 14:02:46 | Last Modified: 28/01/2021 16:33:57

Your business undertakes validation for any processes for production and service provision where the resulting output cannot be or is not verified by subsequent monitoring or measurement and, as a consequence, deficiencies become apparent only after the product is in use or the service has been delivered. Validation demonstrates the ability of these processes to achieve planned results consistently. 

Documented procedures for the validation of processes include:

  • defined criteria for review and approval of the processes;
  • equipment qualification and qualification of personnel;
  • use of specific methods, procedures and acceptance criteria;
  • where appropriate, statistical techniques documenting the rationale for sample sizes;
  • requirements for records;
  • revalidation, including criteria for revalidation; and,
  • approval of changes to the processes.

Records of the results and conclusions of validation and the necessary actions from the validation are maintained.

Created: 15/01/2021 14:02:46 | Last Modified: 28/01/2021 16:29:50

Your business documents procedures for the validation of the application of computer software used in production and service provision. Such software applications are validated prior to initial use and, as appropriate, after changes to such software or its application. The specific approach and activities associated with software validation and revalidation are proportionate to the risk associated with the use of the software, including the effect on the ability of the product to conform to specifications.

Records of the results and conclusions of the validation of processes for production and service provision, and of the necessary actions resulting from the validation, are maintained.

Created: 15/01/2021 14:02:46 | Last Modified: 28/01/2021 16:26:54

Your business documents the requirements for medical device installation, as well as the acceptance criteria for verification of installation.

If your agreed customer requirements allow installation of the medical device to be performed by an external party (other than your business or its supplier), you provide documented requirements for medical device installation and verification of installation.

Your business maintains records of medical device installation and verification of installation performed by your business or its supplier.

Created: 15/01/2021 14:02:45 | Last Modified: 28/01/2021 14:39:28

If servicing of the medical device is a specified requirement, then servicing procedures, reference materials, and reference measurements, as necessary, for performing servicing activities, and procedures for verifying that the product requirements are met, are all documented.

Your business analyses records of servicing activities carried out by your business or its supplier:

  • to determine if the information is to be handled as a complaint; and,
  • as appropriate, for input to the improvement process.

Records of servicing activities carried out by your business or its supplier are maintained.

Created: 15/01/2021 14:02:45 | Last Modified: 28/01/2021 14:39:18

Your business documents procedures to control design and development changes. Your business determines the significance of the change to function, performance, usability, safety and applicable regulatory requirements for the medical device and its intended use.

Your business identifies design and development changes. Before they are implemented, the changes are:

  • reviewed;
  • verified;
  • validated (as appropriate); and,
  • approved.

The review of design and development changes includes evaluation of the effect of the changes on constituent parts, on product in process or already delivered, and on the inputs and outputs of risk management and product realisation processes.

Records of changes, their review and any necessary actions are maintained.

Created: 15/01/2021 14:02:43 | Last Modified: 28/01/2021 14:10:32

Your business establishes and implements the inspection or other activities necessary for ensuring that purchased product meets specified purchasing requirements. The extent of verification activities is based on the supplier evaluation results and is proportionate to the risks associated with the purchased product.

Your business maintains purchasing information that allows traceability of product, in the form of the relevant documents and records.

Created: 15/01/2021 14:02:44 | Last Modified: 28/01/2021 14:10:18

Your business plans production and service provision, which is carried out, monitored and controlled to ensure that product conforms to specification. Production controls include (where appropriate), but are not limited to:

  • documentation of procedures and methods for the control of production;
  • qualification of infrastructure;
  • implementation of monitoring and measurement of process parameters and product characteristics;
  • availability and use of monitoring and measuring equipment;
  • implementation of defined operations for labelling and packaging; and,
  • implementation of product release, delivery and post-delivery activities.

Created: 15/01/2021 14:02:45 | Last Modified: 28/01/2021 14:09:47

Your business has established and maintains a record for each medical device, or batch of medical devices, that provides traceability and identifies the amount manufactured and the amount approved for distribution. These records are verified and approved.

Created: 15/01/2021 14:02:45 | Last Modified: 28/01/2021 14:09:15

Your business has a system in place to identify any changes to the purchased product and, when such changes are identified, to determine whether they will affect the product realisation process or the medical device. This determination is documented.

Created: 15/01/2021 14:02:44 | Last Modified: 28/01/2021 12:25:41

Your business undertakes planned monitoring and re-evaluation of suppliers. Supplier performance in meeting requirements for the purchased product is also monitored.

The results of the monitoring provide an input into the supplier re-evaluation process. 

Your business monitors and addresses the non-fulfilment of purchasing requirements with the supplier proportionately to the risk associated with the purchased product and compliance with applicable regulatory requirements.

As part of the purchase process, your business maintains records of the results of any evaluation, selection, monitoring and re-evaluation of supplier capability or performance and any necessary actions arising from these activities.

Created: 15/01/2021 14:02:44 | Last Modified: 27/01/2021 14:55:43

Your business documents procedures for transfer of design and development outputs to manufacturing. These procedures must ensure that design and development outputs are verified as suitable for manufacturing before becoming final production specifications and that production capability can meet product requirements.

The results and conclusions of the transfer are recorded and these records are maintained.

Created: 15/01/2021 14:02:43 | Last Modified: 27/01/2021 14:55:35

Your business documents the procedures to ensure that purchased product conforms to the specified purchasing information.

Your business has established criteria for the evaluation and selection of suppliers. The evaluation and selection of suppliers is based on the:

  • supplier's ability to provide product that meets your business's requirements;
  • performance of the supplier; and,
  • effect of the purchased product on the quality of the medical device.

The evaluation is proportionate to the risk associated with the medical device.

Created: 15/01/2021 14:02:43 | Last Modified: 27/01/2021 14:43:42

In planning product realisation, your business determines the following (where appropriate):

  • quality objectives and requirements for the product;
  • the need to establish processes and documents, and to provide resources specific to the product, including infrastructure and work environment;
  • the required verification, validation, monitoring, measurement, inspection and test, handling, storage, distribution and traceability activities specific to the product, together with the criteria for product acceptance; and,
  • the records needed to provide evidence that the realisation processes and resulting product meet requirements.

Your business documents the output of this planning in a form suitable for the business's method of operations.

Created: 15/01/2021 14:02:40 | Last Modified: 27/01/2021 14:11:01

Your business determines the requirements related to the product (customer related processes), including:

  • the requirements specified by the customer, including the requirements for delivery and post-delivery activities;
  • requirements not stated by the customer but necessary for the specification or intended use, as known;
  • any applicable regulatory requirements related to the product;
  • any user training necessary to ensure specified performance and safe use of the medical device; and,
  • any additional requirements determined by the business.

Created: 15/01/2021 14:02:40 | Last Modified: 27/01/2021 14:10:51

Your business undertakes design and development validation which is performed in accordance with planned and documented arrangements to ensure that the resulting product is capable of meeting the requirements for the specified application or intended use.

Your business documents validation plans that include methods, acceptance criteria and, as appropriate, statistical techniques with the rationale for sample size.

Created: 15/01/2021 14:02:42 | Last Modified: 27/01/2021 14:10:43

Your business reviews the requirements related to the product (customer related requirements). These reviews are conducted prior to your business's commitment to supply the product to the customer (e.g. submission of tenders, acceptance of contracts or orders, acceptance of changes to contracts or orders).

These reviews ensure that:

  • product requirements are defined and documented;
  • contract or order requirements differing from those previously expressed are resolved;
  • any applicable regulatory requirements are met;
  • any user training that has been identified is available or planned for; and,
  • your business has the ability to meet the defined requirements.

Records of the results of the review, and of any actions arising from it, are maintained.

When the customer provides no documented statement of requirement, the customer requirements are confirmed by the business before acceptance. 

Created: 15/01/2021 14:02:40 | Last Modified: 27/01/2021 14:04:37

Your business maintains records to identify the inputs needed to meet the product requirements, and how these are determined.

These design and development inputs include:

  • functional, performance, usability and safety requirements, according to the intended use;
  • applicable regulatory requirements and standards;
  • applicable output(s) of risk management;
  • information derived from previous similar designs (where appropriate); and,
  • other requirements essential for design and development of the product and processes.

These inputs are reviewed for adequacy and approved.

Created: 15/01/2021 14:02:41 | Last Modified: 27/01/2021 14:04:05

Your business ensures that the design and development inputs are complete, unambiguous, able to be verified or validated, and not in conflict with each other.

Created: 15/01/2021 14:02:41 | Last Modified: 27/01/2021 14:03:57

Your business has a suitable system in place to monitor design and development outputs, to ensure they:

  • meet the input requirements for design and development;
  • provide the appropriate information for purchasing, production and service provision;
  • contain or reference product acceptance criteria; and,
  • specify the characteristics of the product that are essential for its safe and proper use.

Created: 15/01/2021 14:02:41 | Last Modified: 27/01/2021 14:03:48

Your business ensures that the outputs of design and development are in a form suitable for verification against the design and development inputs, and are approved prior to release.

Your business documents and maintains records of the design and development outputs.

Created: 15/01/2021 14:02:41 | Last Modified: 27/01/2021 14:03:39

Your business, at suitable stages, systematically reviews design and development, in accordance with planned and documented arrangements, to evaluate the ability of the results of design and development to meet requirements, and to identify and propose any necessary actions.

Participants involved in such reviews include representatives of functions concerned with the design and development stage being reviewed, as well as other specialist personnel.

Your business maintains records of the results of Design and Development Reviews and any necessary actions; these records include the identification of the design under review, the participants involved and the date of the review.

Created: 15/01/2021 14:02:42 | Last Modified: 27/01/2021 14:03:30

Your business undertakes design and development verification in accordance with planned and documented arrangements to ensure that the design and development outputs have met the design and development input requirements.

Your business documents verification plans that include methods, acceptance criteria and, as appropriate, statistical techniques with rationale for sample size.

Where the intended use requires that the medical device be connected to, or have an interface with, other medical device(s), verification includes confirmation that the design outputs meet design inputs when connected or interfaced.

Your business records and maintains the results and conclusions of any verification undertaken, together with any necessary actions taken.

Created: 15/01/2021 14:02:42 | Last Modified: 27/01/2021 14:03:18

As part of design and development validation, your business performs clinical evaluations or performance evaluations of the medical device in accordance with applicable regulatory requirements. A medical device used for clinical evaluation or performance evaluation is not considered to be released for use to the customer.

If the intended use requires that the medical device be connected to, or have an interface with, other medical device(s), validation includes confirmation that the requirements for the specified application or intended use have been met when so connected or interfaced.

Validation is completed prior to release of the product for use by the customer.

Records of the results and conclusions of validation and necessary actions are maintained.

Created: 15/01/2021 14:02:42 | Last Modified: 27/01/2021 14:02:58

Your business documents validation plans that include methods, acceptance criteria and, as appropriate, statistical techniques with the rationale for sample size.

Created: 15/01/2021 14:02:42 | Last Modified: 27/01/2021 13:53:12

When product requirements are changed (customer related process), your business has processes in place to ensure that the relevant documents are amended, and that relevant personnel are made aware of the changed requirements.

Created: 15/01/2021 14:02:40 | Last Modified: 27/01/2021 12:14:25

Your business reviews the requirements related to the product. These reviews are conducted prior to your business's commitment to supply the product to the customer (e.g. submission of tenders, acceptance of contracts or orders, acceptance of changes to contracts or orders).

Created: 15/01/2021 14:02:40 | Last Modified: 27/01/2021 11:51:11

Your business plans and develops the processes needed for product realisation. Planning of product realisation is consistent with the requirements of the other processes of the Quality Management System.

Created: 15/01/2021 14:02:40 | Last Modified: 27/01/2021 11:06:45

The outputs from Management Reviews are recorded; these include the inputs reviewed and any decisions and actions relating to:

  • improvements needed to maintain the suitability, adequacy, and effectiveness of the Quality Management System and its processes;
  • improvement of product related to customer requirements;
  • any changes needed to respond to applicable new or revised regulatory requirements; and,
  • any resource needs.

Created: 07/01/2021 12:16:51 | Last Modified: 26/01/2021 17:53:53

The Management Review includes, as a minimum, reviewing information arising from: feedback, complaint handling, reporting to regulatory authorities, audits, monitoring and measurement of processes, monitoring and measurement of product, corrective action, preventive action, follow-up actions from previous management reviews, changes that could affect the Quality Management System, recommendations for improvement, and applicable new or revised regulatory requirements.

Created: 07/01/2021 12:16:51 | Last Modified: 26/01/2021 17:50:47

The procedures for Management Reviews are documented. Top management reviews the business's Quality Management System at documented, planned intervals to ensure its continuing suitability, adequacy and effectiveness. The review includes an assessment of the opportunities for improvement and the need for changes to the Quality Management System, including the quality policy and quality objectives.

Records from management reviews are maintained. 

Created: 07/01/2021 12:16:51 | Last Modified: 26/01/2021 17:46:58

Top management ensures that appropriate communication processes are established within the business, and that communication takes place regarding the effectiveness of the Quality Management System.

Created: 07/01/2021 12:16:51 | Last Modified: 26/01/2021 17:42:16

Top management has appointed a member of management who, irrespective of other responsibilities, has the responsibility and authority for ensuring that the processes needed for the Quality Management System are documented. They report to top management on the effectiveness of the Quality Management System and any need for improvement. They also ensure the promotion of awareness of the applicable regulatory requirements and Quality Management System requirements throughout the organisation.

Created: 07/01/2021 12:16:51 | Last Modified: 26/01/2021 17:40:04

Top management ensures that responsibilities and authorities of personnel are defined, documented and communicated within the organisation.

Additionally, top management documents the interrelation of all personnel who manage, perform and verify work affecting quality. They also safeguard the independence and authority necessary to perform these tasks.

Created: 07/01/2021 12:16:51 | Last modified: 26/01/2021 17:36:11

Your top management ensures that the planning of the Quality Management System is carried out in order to meet the general requirements of the Quality Management System as well as the quality objectives.

The integrity of the Quality Management System is maintained when changes to the Quality Management System are planned and implemented.

Created: 07/01/2021 12:16:50 | Last modified: 26/01/2021 17:31:10

Your top management ensures that quality objectives, including those needed to meet applicable regulatory requirements and requirements for product, are established at the relevant functions and levels within the organisation.

The quality objectives are measurable and consistent with the quality policy.

Created: 07/01/2021 12:16:50 | Last modified: 26/01/2021 17:27:17

Your top management ensures that the Quality Policy:

  • is appropriate to the purpose of the organisation;
  • includes a commitment to comply with requirements and to maintain the effectiveness of the Quality Management System;
  • provides a framework for establishing and reviewing quality objectives;
  • is communicated and understood within your business; and,
  • is reviewed for continuing suitability.
Created: 07/01/2021 12:16:50 | Last modified: 26/01/2021 17:23:59

Your top management provides evidence of its commitment to the development and implementation of the Quality Management System, and to the maintenance of its effectiveness, by:

  • communicating to the business the importance of meeting customer requirements as well as applicable regulatory requirements;
  • establishing the quality policy;
  • ensuring that quality objectives are established;
  • conducting management reviews; and,
  • ensuring the availability of resources.
Created: 07/01/2021 12:16:50 | Last modified: 26/01/2021 17:19:20

Records are maintained to provide evidence of conformity to the requirements, and the effective operation, of the Quality Management System.

Your business documents the procedures that define the controls needed for the identification, storage, security and integrity, retrieval, retention time and disposition of records.

Procedures are defined and implemented for protecting confidential health information contained in the records in accordance with the applicable regulatory requirements.

Your business ensures that records are retained for at least the lifetime of the medical device as defined by the organisation, or as specified by the applicable regulatory requirements, but for not less than two years from the date the medical device is released by your business.

Records must remain legible, readily identifiable and retrievable. Changes to a record must remain identifiable.

Created: 06/01/2021 11:45:29 | Last modified: 26/01/2021 15:15:19

The documents required by your Quality Management System are controlled. Records are a special type of document and are controlled according to the requirements for records. A documented procedure defines the controls needed to:

  • review and approve documents for adequacy prior to issue;
  • review, update as necessary and re-approve documents;
  • ensure that the current revision status of and changes to documents are identified;
  • ensure that relevant versions of applicable documents are available at points of use;
  • ensure that documents remain legible and readily identifiable;
  • ensure that documents of external origin, determined by your business to be necessary for the planning and operation of the Quality Management System, are identified and their distribution controlled;
  • prevent deterioration or loss of documents;
  • prevent the unintended use of obsolete documents and apply suitable identification to them.
Created: 06/01/2021 19:18:24 | Last modified: 26/01/2021 14:55:21

Your business has, for each medical device type or medical device family, one or more Medical Device Files. Each Medical Device File contains or references the documents that demonstrate conformity to this International Standard and compliance with applicable regulatory requirements. These files are accurately maintained and kept up to date.

Your Medical Device files include the following:

  • a general description of the medical device, its intended use or purpose, the labelling, and any instructions for use;
  • product specifications;
  • specifications or procedures for manufacturing, packaging, storage, handling, and distribution;
  • procedures for measuring and monitoring;
  • any requirements for installation as appropriate; and,
  • procedures for servicing, if appropriate.
Created: 06/01/2021 12:27:01 | Last modified: 26/01/2021 14:38:30

Your Quality Manual includes:

  • the scope of the Quality Management System, including details of and the justification for any exclusions or non-applications;
  • the documented procedures for the Quality Management System, or references to them; and,
  • a description of the interaction between the various processes in the Quality Management System.

Your Quality Manual outlines the structure of the documentation used in the Quality Management System.

Created: 06/01/2021 12:27:00 | Last modified: 26/01/2021 14:23:42

Your Quality Management System documentation includes:

  • documented statements of your quality policy and quality objectives;
  • a quality manual;
  • the documented procedures and records required by this International Standard;
  • any other documents, including records, that your business has determined to be necessary to ensure the effective planning, operation and control of its processes; and,
  • any other documentation specified by the applicable regulatory requirements.
Created: 06/01/2021 12:27:00 | Last modified: 26/01/2021 14:12:09

Your business documents the procedures required for the validation of the application of computer software used in the Quality Management System. Such software applications are validated prior to initial use and, as appropriate, after changes to the software or to its application.

The specific approach and activities associated with software validation and revalidation are proportionate to the risk associated with the use of the software.

Records of such activities are maintained.

Created: 06/01/2021 12:27:00 | Last modified: 26/01/2021 14:04:32

When your business chooses to outsource any process that affects product conformity to requirements, your business monitors and ensures control over such processes. Your business retains responsibility for conformity to this International Standard, and to customer and applicable regulatory requirements, for outsourced processes. The controls are proportionate to the risk involved and to the ability of the external party to meet requirements, and include written quality agreements.

Created: 06/01/2021 12:27:00 | Last modified: 26/01/2021 14:04:24

Your business manages the Quality Management System processes in accordance with the requirements of this International Standard and the applicable regulatory requirements. Changes to be made to the processes in your business's Quality Management System are:

  • evaluated for their impact on the Quality Management System;
  • evaluated for their impact on the medical devices produced under the Quality Management System; and,
  • controlled in accordance with the requirements of this International Standard and any applicable regulatory requirements.
Created: 06/01/2021 12:27:00 | Last modified: 26/01/2021 13:42:00

For each Quality Management System process, your business:

  • determines the criteria and methods needed to ensure that both the operation and control of these processes are effective;
  • ensures there is availability of resources and information necessary to support the operation and monitoring of these processes;
  • implements the necessary actions to achieve planned results and maintain the effectiveness of these processes;
  • monitors, measures (as appropriate), and analyses these processes; and,
  • establishes and maintains the records needed to demonstrate conformance and compliance with ISO 13485 and applicable regulatory requirements.
Created: 06/01/2021 12:27:00 | Last modified: 22/01/2021 12:28:29

Your business determines the processes needed for the Quality Management System and the application of these processes throughout the organisation, taking into account the roles undertaken by the organisation.

Created: 03/01/2021 12:30:54 | Last modified: 22/01/2021 12:14:31

Your business documents the role(s) undertaken by the business under the applicable regulatory requirements.

Roles undertaken by the business can include manufacturer, authorised representative, importer or distributor.

Created: 03/01/2021 12:30:54 | Last modified: 22/01/2021 11:51:29

Your business establishes, implements and maintains any requirement, procedure, activity or arrangement required to be documented by this International Standard or applicable regulatory requirements.

Created: 03/01/2021 12:30:54 | Last modified: 22/01/2021 11:43:24

Your business documents preventive action procedures to describe requirements for:

  • determining potential nonconformities and their causes;
  • evaluating the need for action to prevent the occurrence of nonconformities;
  • planning and documenting the action needed and implementing such action, including, as appropriate, updating documentation;
  • verifying that the action does not adversely affect the ability to meet applicable regulatory requirements or the safety and performance of the medical device; and,
  • reviewing the effectiveness of the preventive action taken, as appropriate.

Your business maintains records of the results of any investigations and of any action taken.

Created: 20/01/2021 14:40:35 | Last modified: 20/01/2021 15:10:15

Your business takes corrective action to eliminate the cause of nonconformities in order to prevent recurrence. Any necessary corrective actions are taken without undue delay. Corrective actions are proportionate to the effects of the nonconformities encountered.

Your business documents procedures to define requirements for:

  • reviewing nonconformities (including complaints);
  • determining the causes of nonconformities;
  • evaluating the need for action to ensure that nonconformities do not recur;
  • planning and documenting action needed and implementing such action, including, as appropriate, updating documentation;
  • verifying that the corrective action does not adversely affect the ability to meet applicable regulatory requirements or the safety and performance of the medical device; and,
  • reviewing the effectiveness of the corrective action taken.

Your organisation maintains records of the results of any investigation, and of any actions taken.

Created: 20/01/2021 14:40:35 | Last modified: 20/01/2021 15:07:51

Your business ensures that nonconforming product is accepted by concession only if justification is provided, approval is obtained and applicable regulatory requirements are met. Records of the acceptance by concession and of the identity of the person authorising the concession are maintained.

Created: 20/01/2021 14:40:34 | Last modified: 20/01/2021 15:03:36

Your business deals with nonconforming product before delivery by one or more of the following ways:

  • taking action to eliminate the detected nonconformity;
  • taking action to preclude its original intended use or application;
  • authorising its use, release or acceptance under concession.
Created: 20/01/2021 14:40:34 | Last modified: 20/01/2021 15:02:41

Your business maintains records of the nature of all nonconformities and any subsequent action taken, including the evaluation, any investigation and the rationale for any decisions taken.

Created: 20/01/2021 14:40:34 | Last modified: 20/01/2021 15:00:32

Your business, as part of the evaluation of nonconformity, determines the need for an investigation and notification of any external party responsible for the nonconformity.

Created: 20/01/2021 14:40:34 | Last modified: 20/01/2021 14:59:05

Your business has a planned internal audit programme that takes into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, interval and methods are defined and recorded. The selection of auditors and the conduct of audits ensure the objectivity and impartiality of the audit process. Auditors do not audit their own work.

Created: 20/01/2021 14:40:33 | Last modified: 20/01/2021 14:54:53

Your business documents procedures for the timely handling of complaints in accordance with any applicable regulatory requirements.

Created: 20/01/2021 14:40:32 | Last modified: 20/01/2021 14:50:46

Your business, as one of the measurements of the effectiveness of the Quality Management System, gathers and monitors information relating to whether your organisation has met its customer requirements. The methods for obtaining and using this feedback information are documented.

Created: 20/01/2021 14:40:32 | Last modified: 20/01/2021 14:47:07

Your business has established preventive actions to eliminate the causes of potential nonconformities in order to prevent their occurrence. Preventive actions are proportionate to the effects of the potential problems.

Created: 20/01/2021 14:40:35 | Last modified: 20/01/2021 14:40:35

Your business identifies and implements any changes necessary to ensure and maintain the continued suitability, adequacy and effectiveness of the Quality Management System, as well as medical device safety and performance, through the use of the quality policy, quality objectives, audit results, post-market surveillance, analysis of data, corrective actions, preventive actions and management reviews.

Created: 20/01/2021 14:40:35 | Last modified: 20/01/2021 14:40:35

Your business maintains records of the results of any analysis.

Created: 20/01/2021 14:40:35 | Last modified: 20/01/2021 14:40:35

Your business ensures that if analysis of data shows that the Quality Management System is not suitable, adequate or effective, this analysis is used to improve production processes as required.

Created: 20/01/2021 14:40:35 | Last modified: 20/01/2021 14:40:35

The analysis of data includes data generated as a result of monitoring and measurement and from other relevant sources, including, at a minimum, input from: feedback; conformity to product requirements; characteristics and trends of processes and product, including opportunities for improvement; suppliers; audits; and service reports, as appropriate.

Created: 20/01/2021 14:40:35 | Last modified: 20/01/2021 14:40:35

Your business ensures that after the completion of any rework, the product is verified to ensure that it meets all applicable acceptance criteria and regulatory requirements.

Created: 20/01/2021 14:40:35 | Last modified: 20/01/2021 14:40:35

Your business documents procedures for issuing advisory notices in accordance with any applicable regulatory requirements. These procedures should be capable of being put into effect at any time. Records of actions relating to the issuance of advisory notices are maintained.

Created: 20/01/2021 14:40:34 | Last modified: 20/01/2021 14:40:34

Your business takes appropriate action when nonconforming product is detected after delivery or after use has started. The action taken is appropriate to the effects, or potential effects, of the nonconformity. Records of all actions taken are maintained.

Created: 20/01/2021 14:40:34 | Last modified: 20/01/2021 14:40:34

Your business ensures that product release and service delivery do not proceed until the planned and documented arrangements have been satisfactorily completed.

Created: 20/01/2021 14:40:33 | Last modified: 20/01/2021 14:40:33

Your business monitors and measures the characteristics of the product to verify that product requirements have been met. This is carried out at applicable stages of the product realisation process in accordance with the planned and documented arrangements and documented procedures.

Created: 20/01/2021 14:40:33 | Last modified: 20/01/2021 14:40:33

Your business applies suitable methods for monitoring and, as appropriate, measurement of the Quality Management System processes. These methods demonstrate the ability of the processes to achieve planned results. When planned results are not achieved, correction and corrective action are taken, as appropriate, and the decisions recorded.

Created: 20/01/2021 14:40:33 | Last modified: 20/01/2021 14:40:33

The management responsible for the area being audited ensures that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities include the verification of the actions taken and the reporting of verification results.

Created: 20/01/2021 14:40:33 | Last modified: 20/01/2021 14:40:33

Your business maintains records of the internal audits and their results, including identification of the processes and areas audited and the conclusions.

Created: 20/01/2021 14:40:33 | Last modified: 20/01/2021 14:40:33

Your organisation documents the procedure to describe the responsibilities and requirements for planning and conducting internal audits and for recording and reporting audit results.

Created: 20/01/2021 14:40:33 | Last modified: 20/01/2021 14:40:33

Your business performs calibration or verification in accordance with documented procedures.

Additionally, your business assesses and records the validity of the previous measuring results when the equipment is found not to conform to requirements and takes appropriate action in regard to the equipment and any product affected.

Created: 15/01/2021 14:02:48 | Last modified: 15/01/2021 18:26:28

Your business documents procedures for preserving the conformity of product (preservation of product) to specific requirements during processing, storage, handling, and distribution. Preservation applies to all the constituent parts of a medical device.

Created: 15/01/2021 14:02:48 | Last modified: 15/01/2021 17:47:16

Your business validates any processes used for production and service provision where the resulting output cannot be or is not verified by subsequent monitoring or measurement, and therefore as a consequence, deficiencies may only become apparent after the product is in use or the service has been delivered.

Your business demonstrates the ability of these processes to achieve planned results consistently.

Created: 15/01/2021 14:02:46 | Last modified: 15/01/2021 17:40:11

Your business documents the requirements for cleanliness of product and/or contamination control of product if the:

  • product is cleaned by your business prior to sterilisation or its use;
  • product is supplied non-sterile and is to be subjected to a cleaning process prior to sterilisation or its use;
  • product cannot be cleaned prior to sterilisation or its use, and its cleanliness is of significance in use;
  • product is supplied to be used non-sterile, and its cleanliness is of significance in use;
  • process agents are to be removed from product during manufacture.

Note: if product is cleaned by your business prior to sterilisation or its use, or if product is supplied non-sterile and is to be subjected to a cleaning process prior to sterilisation or its use, then the requirement to document the health, cleanliness and clothing of personnel (where contact between such personnel and the product or work environment could affect medical device safety or performance) does not apply prior to the cleaning process.

Created: 15/01/2021 14:02:45 | Last modified: 15/01/2021 17:35:37

When your business or its customer intends to perform verification at the supplier’s premises, your business can state in advance, in the purchasing information, the intended verification activities and the method of product release.

Records of the verification of purchased product, including the activities and methods used, are maintained.

Created: 15/01/2021 14:02:44 | Last modified: 15/01/2021 17:30:32

Your business ensures that purchasing information is available that describes or references the product to be purchased. Purchasing information includes:

  • product specifications;
  • requirements for product acceptance, procedures, processes and equipment;
  • requirements for the qualification of supplier personnel; and,
  • Quality Management System requirements.
Created: 15/01/2021 14:02:44 | Last modified: 15/01/2021 17:27:11

Your business identifies changes to design and development and, before they are implemented, ensures that the changes are:

  • reviewed;
  • verified;
  • validated (as appropriate); and,
  • approved.
Created: 15/01/2021 14:02:43 | Last modified: 15/01/2021 17:16:26

Your business plans and documents arrangements for communicating with customers in relation to: product information; enquiries, contracts or order handling, and any amendments; customer feedback, including complaints; and advisory notices.

Created: 15/01/2021 14:02:41 | Last modified: 15/01/2021 17:03:34

During design and development planning, your business documents the following:

  • the design and development stages;
  • the review(s) needed at each design and development stage;
  • the verification, validation, and design transfer activities that are appropriate at each design and development stage;
  • the responsibilities and authorities for design and development;
  • the methods to ensure traceability of design and development outputs to design and development inputs; and,
  • the resources needed, including necessary competence of personnel.
Created: 15/01/2021 14:02:41 | Last modified: 15/01/2021 17:02:37

Your business documents the output of this planning of product realisation in a form suitable for the business’s method of operation.

Created: 15/01/2021 14:02:40 | Last modified: 15/01/2021 16:44:08

Your business documents one or more processes for risk management in product realisation.

Records of risk management activities are maintained.

Created: 15/01/2021 14:02:40 | Last modified: 15/01/2021 16:38:53

Your business documents procedures for the validation of the application of computer software used for the monitoring and measurement of requirements. Such software applications are validated prior to initial use and, as appropriate, after changes to such software or its application. The specific approach and activities associated with software validation and revalidation are proportionate to the risk associated with the use of the software, including the effect on the ability of the product to conform to specifications.

Created: 15/01/2021 14:02:49 | Last modified: 15/01/2021 14:02:49

Records of the results of calibration and verification are maintained.

Created: 15/01/2021 14:02:48 | Last modified: 15/01/2021 14:02:48

Your business documents procedures to ensure that monitoring and measurement can be carried out, and are carried out, in a manner consistent with the monitoring and measurement requirements.

Created: 15/01/2021 14:02:48 | Last modified: 15/01/2021 14:02:48

Your business records the names and addresses of shipping package consignees, and these records are maintained.

Created: 15/01/2021 14:02:47 | Last modified: 15/01/2021 14:02:47

Your business documents procedures to ensure that any medical devices returned to your organisation are identified and distinguished from conforming product.

Created: 15/01/2021 14:02:47 | Last modified: 15/01/2021 14:02:47

Your business documents procedures for product identification and identifies product by suitable means throughout product realisation.

Created: 15/01/2021 14:02:47 | Last modified: 15/01/2021 14:02:47

Your business maintains records of the results and conclusions of the validation of processes for production and service provision, and of any necessary actions resulting from the validation.

Created: 15/01/2021 14:02:46 | Last modified: 15/01/2021 14:02:46

Your business maintains records of the sterilisation process parameters used for each sterilisation batch. Sterilisation records are traceable to each production batch of medical devices.

Created: 15/01/2021 14:02:46 | Last modified: 15/01/2021 14:02:46

Your business and your suppliers maintain records of the servicing activities they carry out.

Created: 15/01/2021 14:02:46 | Last modified: 15/01/2021 14:02:46

If servicing of a medical device is a specified requirement, your business documents servicing procedures, reference materials and reference measurements, as necessary, for performing servicing activities and verifying that product requirements are met.

Created: 15/01/2021 14:02:45 | Last modified: 15/01/2021 14:02:45

Your business maintains records of medical device installation and of the verification of installation performed by your business or its supplier.

Created: 15/01/2021 14:02:45 | Last modified: 15/01/2021 14:02:45

If the agreed customer requirements allow installation of the medical device to be performed by an external party (other than your business or its supplier), your business provides documented requirements for medical device installation and for the verification of installation.

Created: 15/01/2021 14:02:45 | Last modified: 15/01/2021 14:02:45

Your business holds purchasing information which includes, as applicable, a written agreement that the supplier will notify your organisation of changes in the purchased product prior to the implementation of any changes that affect the ability of the purchased product to meet specified purchase requirements.

Created: 15/01/2021 14:02:44 | Last modified: 15/01/2021 14:02:44

Your business ensures the adequacy of specified purchasing requirements prior to their communication to the supplier.

Created: 15/01/2021 14:02:44 | Last modified: 15/01/2021 14:02:44

As part of the purchasing process, your business maintains records of the results of any evaluation, selection, monitoring and re-evaluation of supplier capability or performance, and of any necessary actions arising from these activities.

Created: 15/01/2021 14:02:44 | Last modified: 15/01/2021 14:02:44

Your business monitors and addresses the non-fulfilment of purchasing requirements with the supplier, proportionately to the risk associated with the purchased product and to compliance with applicable regulatory requirements.

Created: 15/01/2021 14:02:44 | Last modified: 15/01/2021 14:02:44

Your business documents the procedures to ensure that purchased product conforms to the specified purchasing information.

Created: 15/01/2021 14:02:43 | Last modified: 15/01/2021 14:02:43

Your business maintains a design and development file for each medical device type or medical device family. This file includes or references the records generated to demonstrate conformity to the requirements for design and development, and the records of design and development changes.

Created: 15/01/2021 14:02:43 | Last modified: 15/01/2021 14:02:43

Your business maintains records of the results and conclusions of any control of design and development changes, together with any necessary actions undertaken.

Created: 15/01/2021 14:02:43 | Last modified: 15/01/2021 14:02:43

Your business reviews design and development changes and evaluates the effect of the changes on constituent parts, on product in process or already delivered, and on the inputs or outputs of risk management and product realisation processes. These reviews are recorded and the records maintained.

Created: 15/01/2021 14:02:43 | Last modified: 15/01/2021 14:02:43

Your business maintains records of the results and conclusions of any design and development transfer, together with any necessary actions undertaken.

Created: 15/01/2021 14:02:43 | Last modified: 15/01/2021 14:02:43

Your business undertakes product validation prior to release of the product to the customer. The results and conclusions of this validation, and any necessary actions, are recorded and the records maintained.

Created: 15/01/2021 14:02:42 | Last modified: 15/01/2021 14:02:42

Your business ensures that design validation is conducted on representative product. Representative product includes initial production units, batches or their equivalents. The rationale for the choice of product used for validation is recorded.

Created: 15/01/2021 14:02:42 | Last modified: 15/01/2021 14:02:42

Your business maintains design and development verification records of the results and conclusions of any verification undertaken, together with any necessary actions undertaken.

Created: 15/01/2021 14:02:42 | Last modified: 15/01/2021 14:02:42

Your business performs design and development verification in accordance with planned and documented arrangements, to ensure that the design and development outputs have met the design and development input requirements.

Created: 15/01/2021 14:02:42 | Last modified: 15/01/2021 14:02:42

Your business maintains records of the results of design and development reviews and of any necessary actions; these records include the identification of the design under review, the participants involved and the date of the review.

Created: 15/01/2021 14:02:42 | Last modified: 15/01/2021 14:02:42

Your business documents and maintains records of the design and development outputs.

Created: 15/01/2021 14:02:41 | Last modified: 15/01/2021 14:02:41

Your business reviews design and development inputs for adequacy and approves them.

Created: 15/01/2021 14:02:41 | Last modified: 15/01/2021 14:02:41

Your business plans, controls and documents the design and development of the product and, where appropriate, the design and development planning documents are maintained and updated as the design and development progresses.

Created: 15/01/2021 14:02:41 | Last modified: 15/01/2021 14:02:41

Your business documents procedures for design and development.

Created: 15/01/2021 14:02:41 | Last modified: 15/01/2021 14:02:41

Your business communicates with regulatory authorities in accordance with applicable regulatory requirements.

Created: 15/01/2021 14:02:41 | Last modified: 15/01/2021 14:02:41

Where the customer provides no documented statement of requirements, your business confirms the customer requirements before acceptance.

Created: 15/01/2021 14:02:40 | Last modified: 15/01/2021 14:02:40

Your business maintains records of the results of the review and of any actions arising from the review.

Created: 15/01/2021 14:02:40 | Last modified: 15/01/2021 14:02:40

Your business maintains records of education, training, skills and experience, as identified in the Quality Management System, for those personnel performing work affecting product quality.

Created: 08/01/2021 16:02:04 | Last modified: 08/01/2021 16:19:41

Where sterile medical devices are used, your business documents requirements for the control of contamination with microorganisms or particulate matter and maintains the required cleanliness during assembly or packaging processes.

Created: 08/01/2021 16:02:05 | Last modified: 08/01/2021 16:02:05

Where the conditions in the work environment can have an adverse effect on product quality, your business also documents the requirements for the work environment and the procedures to monitor and control the work environment.

Created: 08/01/2021 16:02:04 | Last modified: 08/01/2021 16:02:04

Your business ensures that personnel are aware of the relevance and importance of their activities and of how they contribute to the achievement of the quality objectives.

Created: 08/01/2021 16:02:04 | Last modified: 08/01/2021 16:02:04

Your business has determined the necessary competences for personnel performing work affecting product quality.

Created: 08/01/2021 16:02:04 | Last modified: 08/01/2021 16:02:04

Your business documents the process or processes for establishing competence, providing needed training and ensuring awareness of personnel.

Created: 08/01/2021 16:02:04 | Last modified: 08/01/2021 16:02:04

Your business ensures that all personnel performing work affecting product quality are competent on the basis of appropriate education, training, skills and experience.

Created: 08/01/2021 16:02:04 | Last modified: 08/01/2021 16:02:04

Sufficient resources are provided to meet applicable regulatory and customer requirements.

Created: 08/01/2021 16:02:03 | Last modified: 08/01/2021 16:02:03

Your business documents the procedures that define the controls needed for the identification, storage, security and integrity, retrieval, retention time and disposition of records.

Created: 06/01/2021 11:45:29 | Last modified: 07/01/2021 17:01:17

The Management Reviews are documented to provide evidence of conformity to requirements and of the operation of the Quality Management System.

Created: 07/01/2021 12:16:51 | Last modified: 07/01/2021 12:16:51

Top management documents the interrelation of all personnel who manage, perform and verify work affecting quality. They also safeguard the independence and authority necessary to perform these tasks.

Created: 07/01/2021 12:16:51 | Last modified: 07/01/2021 12:16:51

Top management ensures that the integrity of the Quality Management System is maintained when changes to the Quality Management System are planned and implemented.

Created: 07/01/2021 12:16:50 | Last modified: 07/01/2021 12:16:50

Top management ensures that customer requirements and applicable regulatory requirements are determined and met.

Created: 07/01/2021 12:16:50 | Last modified: 07/01/2021 12:16:50

Your Medical Device Files include the following:

  • a general description of the medical device, its intended use or purpose, the labelling and any instructions for use;
  • product specifications;
  • specifications or procedures for manufacturing, storage, handling, packaging and distribution;
  • the procedures for measuring and monitoring; and,
  • any requirements for installation or servicing, if appropriate.
Created: 06/01/2021 18:36:14 | Last modified: 06/01/2021 18:53:18

Your business uses a risk based approach to control the appropriate processes required for the Quality Management System, and your business determines the sequence and interactions of these processes.

Created: 03/01/2021 12:30:54 | Last modified: 06/01/2021 18:45:43

Your business defines the period for which at least one copy of obsolete documents is retained. This period ensures that the documents to which medical devices have been manufactured and tested are available for at least the lifetime of the medical device, as defined by your organisation, but for not less than the retention period of any resulting record, or as specified by any applicable regulatory requirements.

Created: 06/01/2021 11:45:29 | Last modified: 06/01/2021 12:21:48

Procedures are defined and implemented for protecting confidential health information contained in the records, in accordance with the applicable regulatory requirements.

06/01/2021 11:45:2906/01/2021 12:13:19

Your business ensures that records are retained for at least the lifetime of the medical device as defined by your organisation, or as specified by the applicable regulatory requirements.

06/01/2021 11:45:3006/01/2021 12:11:35
Your business ensures that changes to documents are reviewed and approved either by the original approving function, or another designated function that has access to pertinent background information upon which to base its decisions.

06/01/2021 11:45:2906/01/2021 11:45:29

Your business has a documented Quality Management System in place, and maintains its effectiveness in accordance with the requirements of the International Standard and applicable regulatory requirements.

03/01/2021 12:27:4703/01/2021 12:27:47

A3.2 If you have answered "yes" to the last question then your company is eligible for the included cyber insurance if you gain certification. If you do not want this insurance element please opt out here.

03/12/2020 12:17:5303/12/2020 15:17:23

A3.3 What is your total gross revenue? Please provide the figure to the nearest £100K. You only need to answer this question if you are taking the insurance.

03/12/2020 12:17:5303/12/2020 15:17:11

A3.4 Is the company or its subsidiaries any of the following: medical, call centre, telemarketing, data processing (outsourcers), internet service provider, telecommunications or an organisation regulated by the FCA? You only need to answer this question if you are taking the insurance.

03/12/2020 12:17:5303/12/2020 15:16:58

A3.5 Does the company have any domiciled operation or derived revenue from the territory or jurisdiction of Canada and / or USA?

03/12/2020 12:17:5303/12/2020 15:16:47

A3.6 What is the organisation email contact for the insurance documents? You only need to answer this question if you are taking the insurance.

03/12/2020 12:17:5303/12/2020 15:16:39

A2.7 Please list the quantities of tablets and mobile devices within the scope of this assessment. You must include model and operating system version for all devices.

03/12/2020 12:17:5303/12/2020 15:15:57

A2.8 Please provide a list of the networks that will be in the scope for this assessment.

03/12/2020 12:17:5303/12/2020 15:15:45

A2.9 Please provide a list of network equipment that will be in scope for this assessment (including firewalls and routers).

03/12/2020 12:17:5303/12/2020 15:15:38

A2.10 Please provide the name and role of the person who is responsible for managing the information systems in the scope of this assessment.

03/12/2020 12:17:5303/12/2020 15:15:28

A3.1 Is your head office domiciled in the UK and is your gross annual turnover less than £20m?

03/12/2020 12:17:5303/12/2020 15:15:18

A2.2 If it is not the whole organisation, then what scope description would you like to appear on your certificate and website?

03/12/2020 12:17:5203/12/2020 15:14:27

A2.3 Does your organisation hold or process personal data (as defined by your country's data protection legislation)?

03/12/2020 12:17:5203/12/2020 15:14:14

A2.4 Is your usage of personal data subject to the EU GDPR?

03/12/2020 12:17:5203/12/2020 15:14:05

A2.5 Please describe the geographical locations of your business which are in the scope of this assessment.

03/12/2020 12:17:5203/12/2020 15:13:56

A2.6 Please list the quantities of laptops, computers and servers within the scope of this assessment. You must include model and operating system versions for all devices.

03/12/2020 12:17:5203/12/2020 15:13:47

A1.6 What is the size of your organisation?

03/12/2020 12:17:5103/12/2020 15:13:11

A1.7 How many staff are home workers?

03/12/2020 12:17:5203/12/2020 15:13:02

A1.8 Is this application a renewal of an existing certification or is it the first time you have applied for certification?

03/12/2020 12:17:5203/12/2020 15:12:55

A1.9 What is your main reason for applying for certification?

03/12/2020 12:17:5203/12/2020 15:12:48

A2.1 Does the scope of this assessment cover your whole organisation? Please note: your organisation is only eligible for free Cyber Insurance if your assessment covers your whole company; if you answer "No" to this question you will not be invited to apply for insurance.

03/12/2020 12:17:5203/12/2020 15:12:38

A1.1 What is your organisation's name (for companies: as registered with Companies House)?

03/12/2020 12:17:4903/12/2020 15:11:46

A1.2 What is your organisation's registration number (if you have one)?

03/12/2020 12:17:5103/12/2020 15:11:36

A1.3 What is your organisation's address (for companies: as registered with Companies House)?

03/12/2020 12:17:5103/12/2020 15:11:25

A1.4 What is your main business?

03/12/2020 12:17:5103/12/2020 15:11:17

A1.5 What is your website address?

03/12/2020 12:17:5103/12/2020 15:11:10

10.8.1 You have a dashboard giving a high-level summary of all key data protection and information governance KPIs.

20/11/2020 15:31:4602/12/2020 20:47:07

10.8.2 The group(s) providing oversight of data protection and information governance regularly discuss KPIs and the outcomes of monitoring and reviews.

20/11/2020 15:31:4602/12/2020 20:47:02

10.8.3 Data protection and information governance KPIs and the outcomes of monitoring and reviews are discussed regularly by groups at operational level, for example in team meetings.

20/11/2020 15:31:4602/12/2020 20:46:57

10.7.1 You have Key Performance Indicators (KPIs) regarding SAR performance (the volume of requests and the percentage completed within statutory timescales).

20/11/2020 15:31:4602/12/2020 20:46:31

10.7.2 You have KPIs regarding the completion of data protection and information governance training, including a report showing the percentage of staff who have completed the training.

20/11/2020 15:31:4602/12/2020 20:46:23

10.7.3 You have KPIs regarding information security, including the number of security breaches, incidents and near misses.

20/11/2020 15:31:4602/12/2020 20:46:18

10.7.4 You have KPIs regarding records management, including the use of metrics such as file retrieval statistics, adherence to disposal schedules, and the performance of the system in place to index and track paper files containing personal data.

20/11/2020 15:31:4602/12/2020 20:46:12

10.6.1 You monitor your own data protection compliance and you regularly test the effectiveness of the measures you have in place.

20/11/2020 15:31:4502/12/2020 20:45:39

10.6.2 Your organisation regularly tests staff adherence to data protection and information governance policies and procedures.

20/11/2020 15:31:4502/12/2020 20:45:35

10.6.3 You routinely conduct informal, ad-hoc monitoring and spot checks.

20/11/2020 15:31:4502/12/2020 20:45:29

10.6.4 You make sure that your monitoring of policy compliance is unbiased by keeping it separate from those who implement the policies.

20/11/2020 15:31:4502/12/2020 20:45:22

10.6.5 There is a central audit plan/schedule in place evidencing the planning of data protection and information governance internal audits.

20/11/2020 15:31:4502/12/2020 20:45:15

10.6.6 Audit reports are produced to document the findings.

20/11/2020 15:31:4502/12/2020 20:45:10

10.6.7 You have a central action plan in place to take forward the outputs from data protection and information governance audits.

20/11/2020 15:31:4502/12/2020 20:45:04

10.5.1 Your organisation completes externally-provided self-assessment tools to provide assurances on data protection and information security compliance.

20/11/2020 15:31:4402/12/2020 20:44:04

10.5.2 Your organisation is subject to or employs the services of an external auditor to provide independent assurances (or certification) on data protection and information security compliance.

20/11/2020 15:31:4402/12/2020 20:44:00

10.5.3 Your organisation adheres to an appropriate code of conduct or practice for your sector (if one exists).

20/11/2020 15:31:4402/12/2020 20:43:52

10.5.4 You produce audit reports to document the findings.

20/11/2020 15:31:4402/12/2020 20:43:45

10.5.5 You have a central action plan in place to take forward the outputs from data protection and information governance audits.

20/11/2020 15:31:4402/12/2020 20:43:39

10.4.1 You analyse all personal data breach reports to prevent a recurrence.

20/11/2020 15:31:4302/12/2020 20:43:01

10.4.2 Your organisation monitors the type, volume and cost of incidents.

20/11/2020 15:31:4402/12/2020 20:42:56

10.4.3 You undertake trend analysis on breach reports over time to understand themes or issues, and outputs are reviewed by groups with oversight for data protection and information governance.

20/11/2020 15:31:4402/12/2020 20:42:51

10.4.4 Groups with oversight for data protection and information governance review the outputs.

20/11/2020 15:31:4402/12/2020 20:42:44

10.3.1 You have a procedure setting out how you will tell affected individuals about a breach when it is likely to result in a high risk to their rights and freedoms.

20/11/2020 15:31:4302/12/2020 20:41:55

10.3.2 You tell individuals about personal data breaches in clear, plain language without undue delay.

20/11/2020 15:31:4302/12/2020 20:41:49

10.3.3 The information you provide to individuals includes the DPO's details, a description of the likely consequences of the breach and the measures taken (including mitigating actions and any possible adverse effects).

20/11/2020 15:31:4302/12/2020 20:41:45

10.3.4 You provide individuals with advice to protect themselves from any effects of the breach.

20/11/2020 15:31:4302/12/2020 20:41:40

10.2.1 You have a procedure to assess the likelihood and severity of the risk to individuals as a result of a personal data breach.

20/11/2020 15:31:4202/12/2020 20:41:03

10.2.2 You have a procedure to notify the ICO of a breach within 72 hours of becoming aware of it (even when all the information is not yet available) and you notify the ICO on time.

20/11/2020 15:31:4202/12/2020 20:40:58

10.2.3 The procedure includes details of what information must be given to the ICO about the breach.

20/11/2020 15:31:4302/12/2020 20:40:52

10.2.4 If you consider it unnecessary to report a breach, you document the reasons why your organisation considers the breach is unlikely to result in a risk to the rights and freedoms of individuals.

20/11/2020 15:31:4302/12/2020 20:40:47

10.1.1 You have appropriate training in place so that staff are able to recognise a security incident and a personal data breach.

20/11/2020 15:31:4102/12/2020 20:40:00

10.1.2 A dedicated person or team manages security incidents and personal data breaches.

20/11/2020 15:31:4202/12/2020 20:39:52

10.1.3 Staff know how to escalate a security incident promptly to the appropriate person or team to determine whether a breach has occurred.

20/11/2020 15:31:4202/12/2020 20:39:47

10.1.4 Procedures and systems facilitate the reporting of security incidents and breaches.

20/11/2020 15:31:4202/12/2020 20:39:42

10.1.5 Your organisation has a response plan for promptly addressing any security incidents and personal data breaches that occur.

20/11/2020 15:31:4202/12/2020 20:39:35

10.1.6 You centrally log/record/document both actual breaches and near misses (even if they do not need to be reported to the ICO or individuals).

20/11/2020 15:31:4202/12/2020 20:39:30

10.1.7 The log documents the facts relating to the near miss or breach including: its causes; what happened; the personal data affected; the effects of the breach; and any remedial action taken and rationale.

20/11/2020 15:31:4202/12/2020 20:39:22

9.12.1 You have a risk-based business continuity plan to manage disruption and a disaster recovery plan to manage disasters, which identify records that are critical to the continued functioning of the organisation.

20/11/2020 15:31:4102/12/2020 20:37:22

9.12.2 You take back-up copies of electronic information, software and systems (and ideally store them off-site).

20/11/2020 15:31:4102/12/2020 20:37:17

9.13.3 The frequency of backups reflects the sensitivity and importance of the data.

20/11/2020 15:31:4102/12/2020 20:37:12

9.13.4 You regularly test back-ups and recovery processes to make sure that they remain fit for purpose.

20/11/2020 15:31:4102/12/2020 20:37:06

9.11.1 You protect secure areas (areas that contain either sensitive or critical information) by appropriate entry controls such as doors and locks, alarms, security lighting or CCTV.

20/11/2020 15:31:4002/12/2020 20:36:29

9.11.2 You have visitor protocols in place such as signing-in procedures, name badges and escorted access.

20/11/2020 15:31:4002/12/2020 20:36:22

9.11.3 You implement additional protection against external and environmental threats in secure areas such as server rooms.

20/11/2020 15:31:4002/12/2020 20:36:17

9.11.4 Office equipment is appropriately placed and protected to reduce the risks from environmental threats and opportunities for unauthorised access.

20/11/2020 15:31:4002/12/2020 20:36:12

9.11.5 You store paper records securely and control access to them.

20/11/2020 15:31:4002/12/2020 20:36:07

9.11.6 You operate a clear desk policy across the organisation where personal data is processed.

20/11/2020 15:31:4102/12/2020 20:36:01

9.11.7 You have regular clear desk 'sweeps' or checks, and issues are fed back appropriately.

20/11/2020 15:31:4102/12/2020 20:35:56

9.11.8 You operate a 'clear screen' policy across your organisation where personal data is processed.

20/11/2020 15:31:4102/12/2020 20:35:48

9.10.1 You have a mobile device and a home/remote working policy that demonstrates how your organisation will manage the associated security risks.

20/11/2020 15:31:3902/12/2020 20:34:37

9.10.2 You have protections in place to avoid the unauthorised access to, or disclosure of, the information processed by mobile devices, for example encryption and remote wiping capabilities.

20/11/2020 15:31:3902/12/2020 20:34:32

9.10.3 You implement security measures to protect information processed when home or remote working, for example VPN and two factor authentication.

20/11/2020 15:31:4002/12/2020 20:34:27

9.10.4 Your organisation uses the most up-to-date version of its remote access solution. You are able to support and update devices remotely.

20/11/2020 15:31:4002/12/2020 20:34:21

9.10.5 Where you have a business need to store personal data on removable media, you minimise personal data and your organisation implements a software solution that can set permissions or restrictions for individual devices, as well as an entire class of devices.

20/11/2020 15:31:4002/12/2020 20:34:16

9.10.6 You do not allow equipment, information or software to be taken off-site without prior authorisation, and you have a log of all mobile devices and removable media used and who they are allocated to.

20/11/2020 15:31:4002/12/2020 20:34:11

9.9.1 You restrict access to systems or applications processing personal data to the absolute minimum in accordance with the principle of least privilege (for example read/write/delete/execute access rules are applied).

20/11/2020 15:31:3802/12/2020 20:33:09

9.9.2 You apply minimum password complexity rules and limited log on attempts to systems or applications processing personal data.

20/11/2020 15:31:3802/12/2020 20:33:04

9.9.3 You have password management controls in place, including default password changing, controlled use of any shared passwords and secure password storage (not in plain text).

20/11/2020 15:31:3802/12/2020 20:32:57

9.9.4 Email content and attachment security solutions (encryption) appropriately protect emails containing sensitive personal data.

20/11/2020 15:31:3802/12/2020 20:32:51

9.9.5 You log and monitor user and system activity to detect anything unusual.

20/11/2020 15:31:3802/12/2020 20:32:46

9.9.6 You implement anti-malware and anti-virus (AV) protection across the network and on critical or sensitive information systems if appropriate.

20/11/2020 15:31:3802/12/2020 20:32:41

9.9.7 Anti-malware and anti-virus protection is kept up-to-date and you configure it to perform regular scans.

20/11/2020 15:31:3802/12/2020 20:32:36

9.9.8 Your organisation has access to and acts upon any updates on technical vulnerabilities to systems or software, for example vendor’s alerts or patches.

20/11/2020 15:31:3802/12/2020 20:32:31

9.9.9 You regularly run vulnerability scans.

20/11/2020 15:31:3902/12/2020 20:32:26

9.9.10 You deploy URL or web content filtering to block specific websites or entire categories.

20/11/2020 15:31:3902/12/2020 20:32:21

9.9.11 You strictly control or prohibit the use of social media, or messaging apps such as WhatsApp to share personal data.

20/11/2020 15:31:3902/12/2020 20:32:16

9.9.12 You have external and internal firewalls and intrusion detection systems in place as appropriate, to make sure that the information in networks and systems is protected from unauthorised access or attack, for example denial of service attacks.

20/11/2020 15:31:3902/12/2020 20:32:11

9.9.13 You do not have unsupported operating systems in use, for example Windows XP, Windows Server 2003.

20/11/2020 15:31:3902/12/2020 20:32:06

9.8.1 You have an Access Control policy which specifies that users must follow your organisation's practices in the use of secret authentication information, for example passwords or tokens.

20/11/2020 15:31:3702/12/2020 20:29:07

9.8.2 You implement a formal user access provisioning procedure to assign access rights for staff (including temporary staff) and third party contractors to all relevant systems and services required to fulfil their role, for example 'new starter process'.

20/11/2020 15:31:3702/12/2020 20:28:48

9.8.3 You restrict and control the allocation and use of privileged access rights.

20/11/2020 15:31:3702/12/2020 20:25:57

9.8.4 You keep a log of user access to systems holding personal data.

20/11/2020 15:31:3802/12/2020 20:25:52

9.8.5 You regularly review users' access rights and adjust or remove rights where appropriate, for example when an employee changes role or leaves the organisation.

20/11/2020 15:31:3802/12/2020 20:25:41

9.7.1 You have Acceptable Use or terms and conditions of use procedures in place.

20/11/2020 15:31:3702/12/2020 20:25:01

9.7.2 You have system operating procedures which document the security arrangements and measures in place to protect the data held within systems or applications.

20/11/2020 15:31:3702/12/2020 20:24:57

9.7.3 Your organisation monitors compliance with Acceptable Use rules and makes sure that staff are aware of any monitoring.

20/11/2020 15:31:3702/12/2020 20:24:51

9.6.1 Your organisation has an asset register that holds details of all information assets (software and hardware) including: asset owners; asset location; retention periods; and security measures deployed.

20/11/2020 15:31:3702/12/2020 20:24:25

9.6.2 You review the register periodically to make sure it remains up-to-date and accurate.

20/11/2020 15:31:3702/12/2020 20:24:21

9.6.3 You periodically risk-assess assets within the register and you carry out physical checks to make sure that the hardware asset inventory remains accurate.

20/11/2020 15:31:3702/12/2020 20:24:15

9.5.1 For paper documents, you use locked waste bins for records containing personal data, and either in-house or third party cross shredding or incineration is in place.

20/11/2020 15:31:3602/12/2020 20:23:39

9.5.2 For information held on electronic devices, wiping, degaussing or secure destruction of hardware (shredding) is in place.

20/11/2020 15:31:3602/12/2020 20:23:35

9.5.3 You securely hold, collect or send away confidential waste awaiting destruction.

20/11/2020 15:31:3602/12/2020 20:23:30

9.5.4 You have appropriate contracts in place with third parties to dispose of personal data, and they provide you with appropriate assurance that they have disposed of the data securely, for example through audit checks and destruction certificates.

20/11/2020 15:31:3602/12/2020 20:23:26

9.5.5 You have a log of all equipment and confidential waste sent for disposal or destruction.

20/11/2020 15:31:3602/12/2020 20:23:22

9.4.1 You have a retention schedule based on business need with reference to statutory requirements and other principles (for example the National Archives).

20/11/2020 15:31:3502/12/2020 20:22:08

9.4.2 The schedule provides sufficient information to identify all records and to implement disposal decisions in line with the schedule.

20/11/2020 15:31:3602/12/2020 20:22:01

9.4.3 You assign responsibilities to make sure that staff adhere to the schedule and you review it regularly.

20/11/2020 15:31:3602/12/2020 20:21:57

9.4.4 You regularly review retained data to identify opportunities for minimisation, pseudonymisation, or anonymisation, and you document this in the schedule.

20/11/2020 15:31:3602/12/2020 20:21:52

9.3.1 You conduct regular data quality reviews of records containing personal data to make sure they are accurate, adequate and not excessive.

20/11/2020 15:31:3502/12/2020 20:19:58

9.3.2 You make staff aware of data quality issues following data quality checks or audits to prevent recurrence.

20/11/2020 15:31:3502/12/2020 20:19:53

9.3.3 Records containing personal data (whether 'active' or archived) are 'weeded' periodically to reduce the risks of inaccuracies and excessive retention.

20/11/2020 15:31:3502/12/2020 20:19:43

9.2.1 You document rules to protect the internal and external transfer of records by post, fax and electronically, for example in a transfer policy or guidance.

20/11/2020 15:31:3502/12/2020 20:18:01

9.2.2 You minimise data transferred off-site and keep it secure in transit.

20/11/2020 15:31:3502/12/2020 20:17:56

9.2.3 When you transfer data off site, you use an appropriate form of transport (for example, secure courier, encryption, secure file transfer protocol (SFTP) or Virtual Private Network (VPN)), and you check to make sure that the information has been received.

20/11/2020 15:31:3502/12/2020 20:17:50

9.2.4 You have agreements in place with any third parties used to transfer business information between your organisation and third parties.

20/11/2020 15:31:3502/12/2020 20:17:40

9.1.1 You have policies and procedures to make sure that you appropriately classify, title and index new records in a way that facilitates management, retrieval and disposal.

20/11/2020 15:31:3402/12/2020 20:17:05

9.1.2 You identify where you use manual and electronic record-keeping systems and maintain a central log or information asset register.

20/11/2020 15:31:3402/12/2020 20:17:00

9.1.3 You know the whereabouts of records at all times, you track their movements, and you attempt to trace records that are missing or not returned.

20/11/2020 15:31:3502/12/2020 20:16:53

9.1.4 You index records stored off-site with unique references to enable accurate retrieval and subsequent tracking.

20/11/2020 15:31:3502/12/2020 20:16:49

8.5.1 You have a procedure to consult the ICO if you cannot mitigate residual high risks.

20/11/2020 15:31:3302/12/2020 17:54:35

8.5.2 You integrate outcomes from DPIAs into relevant work plans, project action plans and risk registers.

20/11/2020 15:31:3402/12/2020 17:54:30

8.5.3 You do not start high risk processing until mitigating measures are in place following the DPIA.

20/11/2020 15:31:3402/12/2020 17:54:26

8.5.4 You have a procedure to communicate the outcomes of DPIAs to appropriate stakeholders, eg through a formal summarised report.

20/11/2020 15:31:3402/12/2020 17:54:21

8.5.5 You consider actively publishing DPIAs where possible, removing sensitive details if necessary.

20/11/2020 15:31:3402/12/2020 17:54:17

8.5.6 You agree and document a schedule for reviewing the DPIA regularly or when the nature, scope, context or purposes of the processing changes.

20/11/2020 15:31:3402/12/2020 17:54:14

8.4.1 Your organisation has a standard, well-structured DPIA template which is written in plain English.

20/11/2020 15:31:3302/12/2020 17:53:38

8.4.2 DPIAs include: the nature, scope, context and purposes of the processing; assess necessity, proportionality and compliance measures; identify and assess risks to individuals; and identify any additional measures to mitigate those risks.

20/11/2020 15:31:3302/12/2020 17:53:34

8.4.3 DPIAs clearly set out the relationships and data flows between controllers, processors, data subjects and systems.

20/11/2020 15:31:3302/12/2020 17:53:30

8.4.4 DPIAs identify measures that can be put in place to eliminate, mitigate or reduce high risks.

20/11/2020 15:31:3302/12/2020 17:53:26

8.4.5 You have a documented process, with appropriate document controls, that you review periodically to make sure that it remains up-to-date.

20/11/2020 15:31:3302/12/2020 17:53:22

8.4.6 You record your DPO's advice and recommendations, and the details of any other consultations.

20/11/2020 15:31:3302/12/2020 17:53:18

8.4.7 Appropriate people sign off DPIAs, such as a project lead or senior manager.

20/11/2020 15:31:3302/12/2020 17:53:13

8.3.1 You have a DPIA policy which includes: clear procedures to decide whether you conduct a DPIA; what the DPIA should cover; who will authorise it; and how you will incorporate it into the overall planning.

20/11/2020 15:31:3202/12/2020 17:52:36

8.3.2 You have a screening checklist to consider if you need a DPIA, including all the relevant considerations on the scope, type and manner of the proposed processing.

20/11/2020 15:31:3202/12/2020 17:52:31

8.3.3 If the screening checklist indicates that you do not need a DPIA, you document this.

20/11/2020 15:31:3202/12/2020 17:52:27

8.3.4 Your procedure includes the requirement to seek advice from the DPO and other internal staff as appropriate.

20/11/2020 15:31:3202/12/2020 17:52:23

8.3.5 Your procedure includes consultation with controllers, data processors, individuals, their representatives and any other relevant stakeholders as appropriate.

20/11/2020 15:31:3202/12/2020 17:52:19

8.3.6 Staff training includes the need to consider a DPIA at the early stages of any plan involving personal data, and where relevant, you train staff in how to carry out a DPIA.

20/11/2020 15:31:3202/12/2020 17:52:15

8.3.7 You assign responsibility for completing DPIAs to a member of staff who has enough authority over a project to effect change, eg a project lead or manager.

20/11/2020 15:31:3202/12/2020 17:52:11

8.2.1 You reference DPIA requirements in all risk, project and change management policies and procedures, with links to DPIA policies and procedures.

20/11/2020 15:31:3202/12/2020 17:51:32

8.2.2 Your procedures state that, if required, a DPIA should begin at the project's outset, before processing starts, and that the DPIA must run alongside the planning and development process.

20/11/2020 15:31:3202/12/2020 17:51:27

8.2.3 You anticipate risks and privacy-invasive events before they occur, making sure that at the initial design phase of any system, product or process and throughout, you consider the: intended processing activities; risks that these may pose to the rights and freedoms of individuals; and possible measures available to mitigate the risks.

20/11/2020 15:31:3202/12/2020 17:51:23

8.1.1 An information risk policy (either a separate document or part of a wider corporate risk policy) sets out how your organisation and its data processors manage information risk, and how you monitor compliance with the information risk policy.

20/11/2020 15:31:3102/12/2020 17:50:56

8.1.2 You have a process to help staff report and escalate data protection and information governance concerns and risks to a central point, for example staff forums.

20/11/2020 15:31:3102/12/2020 17:50:52

8.1.3 You identify and manage information risks in an appropriate risk register, which includes clear links between corporate and departmental risk registers and the risk assessment of information assets.

20/11/2020 15:31:3102/12/2020 17:50:48

8.1.4 You have formal procedures to identify, record and manage risks associated with information assets in an information asset register.

20/11/2020 15:31:3102/12/2020 17:50:43

8.1.5 If you identify information risks, you have appropriate action plans, progress reports and a consideration of the lessons learnt to avoid future risk.

20/11/2020 15:31:3102/12/2020 17:50:38

8.1.6 You put measures in place to mitigate the risks identified within risk categories and you test these regularly to make sure that they remain effective.

20/11/2020 15:31:3102/12/2020 17:50:34

7.7.1 Contracts include clauses to allow your organisation to conduct audits or checks, to confirm the processor is complying with all contractual terms and conditions.

20/11/2020 15:31:3002/12/2020 14:57:27

7.7.2 You carry out routine compliance checks, proportionate to the processing risks, to test that processors are complying with contractual agreements.

20/11/2020 15:31:3102/12/2020 14:57:24

7.8.1 When third parties supply products or services to process personal data, you choose suppliers that design their products or services with data protection in mind.

20/11/2020 15:31:3102/12/2020 14:57:13

7.9.1 Your organisation only shares the personal data necessary to achieve its specific purpose.

20/11/2020 15:31:3102/12/2020 14:57:04

7.9.2 When information is shared, it is pseudonymised or minimised wherever possible. You also consider anonymisation so that the information is no longer personal data.

20/11/2020 15:31:3102/12/2020 14:56:58

7.5.1 The contract or other legal act includes terms or clauses stating that the processor must:
• only act on the controller's documented instructions, unless required by law to act without such instructions;
• make sure that the people processing the data are subject to a duty of confidence;
• help the controller respond to requests from individuals to exercise their rights; and
• submit to audits and inspections.

20/11/2020 15:31:3002/12/2020 14:56:25

7.5.2 Contracts include the technical and organisational security measures the processor will adopt (including encryption, pseudonymisation, resilience of processing systems and backing up personal data in order to be able to reinstate the system).

20/11/2020 15:31:3002/12/2020 14:56:20

7.5.3 The contract includes clauses to make sure that the processor either deletes or returns all personal data to the controller at the end of the contract. The processor must also delete existing personal data unless the law requires its storage.

20/11/2020 15:31:3002/12/2020 14:56:16

7.5.4 Clauses are included to make sure that the processor assists the controller in meeting its GDPR obligations regarding the security of processing, the notification of personal data breaches and DPIAs.

20/11/2020 15:31:3002/12/2020 14:56:12

7.6.1 The procurement process builds in due diligence checks proportionate to the risk of the processing before you agree a contract with a processor.

20/11/2020 15:31:3002/12/2020 14:56:05

7.6.2 The due diligence process includes data security checks, eg site visits, system testing and audit requests.

20/11/2020 15:31:3002/12/2020 14:56:01

7.6.3 The due diligence process includes checks to confirm a potential processor will protect data subjects' rights.

20/11/2020 15:31:3002/12/2020 14:55:56

7.4.1 You have written contracts with all processors.

20/11/2020 15:31:2902/12/2020 14:55:09

7.4.2 If using a processor, you assess the risk to individuals and make sure that these risks are mitigated effectively.

20/11/2020 15:31:2902/12/2020 14:55:02

7.4.3 An appropriate level of management approves the contracts and both parties sign. The level of management required for approval is proportionate to the value and risk of the contract.

Created: 20/11/2020 15:31:29 | Last modified: 02/12/2020 14:54:57

7.4.4 Each contract (or other legal act) sets out details of the processing including the:
• subject matter of the processing;
• duration of the processing;
• nature and purpose of the processing;
• type of personal data involved;
• categories of data subject; and
• controller’s obligations and rights, in accordance with the list set out in Article 28(3) of the GDPR.

Created: 20/11/2020 15:31:29 | Last modified: 02/12/2020 14:54:50

7.4.5 You keep a record or log of all current processor contracts, which you update when processors change.

Created: 20/11/2020 15:31:29 | Last modified: 02/12/2020 14:54:46

7.4.6 You review contracts periodically to make sure they remain up-to-date.

Created: 20/11/2020 15:31:30 | Last modified: 02/12/2020 14:54:41

7.4.7 If a processor uses a sub-processor to help with the processing it is doing on your behalf, they have written authorisation from your organisation and a written contract with that sub-processor.

Created: 20/11/2020 15:31:30 | Last modified: 02/12/2020 14:54:37

7.3.1 You consider whether the restricted transfer is covered by an adequacy decision or by 'appropriate safeguards' listed in data protection law, such as contracts incorporating standard contractual data protection clauses adopted by the Commission or Binding Corporate Rules (BCRs).

Created: 20/11/2020 15:31:29 | Last modified: 02/12/2020 14:53:55

7.3.2 If a restricted transfer is not covered by an adequacy decision nor an appropriate safeguard, you consider whether it is covered by an exemption set out in Article 49 of the GDPR.

Created: 20/11/2020 15:31:29 | Last modified: 02/12/2020 14:53:50

7.2.1 You agree data sharing agreements with all the relevant parties and senior management signs them off.

Created: 20/11/2020 15:31:28 | Last modified: 02/12/2020 14:53:19

7.2.2 The data sharing agreement includes details about: the parties' roles; the purpose of the data sharing; what is going to happen to the data at each stage; and sets standards (with a high privacy default for children).

Created: 20/11/2020 15:31:28 | Last modified: 02/12/2020 14:53:14

7.2.3 Where necessary, procedures and guidance covering each organisation's day-to-day operations support the agreements.

Created: 20/11/2020 15:31:29 | Last modified: 02/12/2020 14:53:09

7.2.4 If your organisation is acting as a joint controller (within the meaning of Article 26 of the GDPR), you set out responsibilities under an arrangement or a data sharing agreement, and you provide appropriate privacy information to individuals.

Created: 20/11/2020 15:31:29 | Last modified: 02/12/2020 14:53:03

7.2.6 There is a central log of the current data sharing agreements.

Created: 20/11/2020 15:31:29 | Last modified: 02/12/2020 14:52:50

7.1.1 You have a review process, through a DPIA or similar exercise, to assess the legality, benefits and risks of the data sharing.

Created: 20/11/2020 15:31:28 | Last modified: 02/12/2020 14:52:11

7.1.2 You document all sharing decisions for audit, monitoring and investigation purposes and you regularly review them.

Created: 20/11/2020 15:31:28 | Last modified: 02/12/2020 14:52:05

7.1.3 Your organisation has clear policies, procedures and guidance about data sharing, including who has the authority to make decisions about systematic data sharing or one-off disclosures, and when it is appropriate to do so.

Created: 20/11/2020 15:31:28 | Last modified: 02/12/2020 14:52:00

7.1.4 Your organisation adequately trains all staff likely to make decisions about data sharing, and makes them aware of their responsibilities. You refresh this training appropriately.

Created: 20/11/2020 15:31:28 | Last modified: 02/12/2020 14:51:55

6.10.1 The LIA identifies the legitimate interest, the benefits of the processing and whether it is necessary.

Created: 20/11/2020 15:31:28 | Last modified: 02/12/2020 14:50:45

6.10.2 The LIA includes a 'balancing test' to show how your organisation determines that its legitimate interests override the individuals' and considers the following issues:
• not using people's data in intrusive ways or in ways which could cause harm, unless there is a very good reason;
• protecting the interests of vulnerable groups such as people with learning disabilities or children;
• whether you could introduce safeguards to reduce any potentially negative impact;
• whether you could offer an opt-out; and
• whether you require a DPIA.

Created: 20/11/2020 15:31:28 | Last modified: 02/12/2020 14:50:40

6.10.3 You clearly document the decision and the assessment.

Created: 20/11/2020 15:31:28 | Last modified: 02/12/2020 14:50:36

6.10.4 You complete the LIA prior to the start of the processing.

Created: 20/11/2020 15:31:28 | Last modified: 02/12/2020 14:50:30

6.10.5 You keep the LIA under review and refresh it if changes affect the outcome.

Created: 20/11/2020 15:31:28 | Last modified: 02/12/2020 14:50:25

6.9.1 Your organisation makes reasonable efforts to check the age of those giving consent, particularly where the individual is a child.

Created: 20/11/2020 15:31:27 | Last modified: 02/12/2020 14:49:56

6.9.2 You have a reasonable and effective procedure to determine whether the individual in question can provide their own consent, and if not, an effective way to gain and record parental or guardian consent.

Created: 20/11/2020 15:31:27 | Last modified: 02/12/2020 14:49:50

6.9.3 When providing online services to children, your organisation has risk-based age checking systems in place to establish age with a level of certainty that is appropriate based on the risks to children's rights and freedoms.

Created: 20/11/2020 15:31:27 | Last modified: 02/12/2020 14:49:46

6.9.4 When providing online services to children, if the child is under 13, you have records of parental or guardian consent which are reviewed regularly, and you make reasonable efforts to verify that the person giving consent has parental or guardian responsibility. You give particular consideration when a child reaches the age of 13 and is able to provide their own consent.

Created: 20/11/2020 15:31:27 | Last modified: 02/12/2020 14:49:40

6.8.1 You have a procedure to review consents to check that the relationship, the processing and the purposes have not changed and to record any changes.

Created: 20/11/2020 15:31:27 | Last modified: 02/12/2020 14:49:11

6.8.2 Your organisation has a procedure to refresh consent at appropriate intervals.

Created: 20/11/2020 15:31:27 | Last modified: 02/12/2020 14:49:04

6.8.3 Your organisation uses privacy dashboards or other preference-management tools to help people manage their consent.

Created: 20/11/2020 15:31:27 | Last modified: 02/12/2020 14:49:00

6.6.1 You make information about the purposes of the processing, your lawful basis and relevant conditions for processing any special category data or criminal offence data publicly available in your organisation's privacy notice(s).

Created: 20/11/2020 15:31:26 | Last modified: 02/12/2020 14:47:07

6.6.2 You provide information in an easily understandable format.

Created: 20/11/2020 15:31:27 | Last modified: 02/12/2020 14:47:02

6.6.3 If there is a genuine change in circumstances, or if your lawful basis must change due to a new and unanticipated purpose, you inform individuals in a timely manner and record the changes.

Created: 20/11/2020 15:31:27 | Last modified: 02/12/2020 14:46:59

6.7.1 Consent requests: are kept separate from other terms and conditions; require a positive opt-in and do not use pre-ticked boxes; are clear and specific (not a pre-condition of signing up to a service); inform individuals how to withdraw consent in an easy way; and give your organisation's name as well as the names of any third parties relying on consent.

Created: 20/11/2020 15:31:27 | Last modified: 02/12/2020 14:46:46

6.7.2 You have records of what an individual has consented to, including what they were told and when and how they consented. The records are thorough and easy for relevant staff to access, review and withdraw if required.

Created: 20/11/2020 15:31:27 | Last modified: 02/12/2020 14:46:40

6.7.3 You have evidence and examples of how consent is sought from individuals, for example online forms or notices, opt-in tick boxes, and paper-based forms.

Created: 20/11/2020 15:31:27 | Last modified: 02/12/2020 14:46:37

6.5.1 Your organisation selects the most appropriate lawful basis (or bases) for each activity following a review of the processing purposes.

Created: 20/11/2020 15:31:26 | Last modified: 02/12/2020 14:45:49

6.5.2 You document the lawful basis (or bases) relied upon and the reasons why.

Created: 20/11/2020 15:31:26 | Last modified: 02/12/2020 14:45:43

6.5.3 If your organisation processes special category data or criminal offence data, you identify and document a lawful basis for general processing and an additional condition for processing this type of data (or in the case of criminal offence data only, you identify the official authority to process).

Created: 20/11/2020 15:31:26 | Last modified: 02/12/2020 14:45:38

6.5.4 In the case of special category or criminal offence data, you document consideration of the requirements of Article 9 or 10 of the GDPR and Schedule 1 of the DPA 2018 where relevant.

Created: 20/11/2020 15:31:26 | Last modified: 02/12/2020 14:45:35

6.5.5 Where Schedule 1 requires it, there is an appropriate policy document including: which Schedule 1 conditions you are relying on; what procedures you have in place to ensure compliance with the data protection principles; how special category or criminal offence data will be treated for retention and erasure purposes; a review date; and details of an individual assigned responsibility for the processing.

Created: 20/11/2020 15:31:26 | Last modified: 02/12/2020 14:45:30

6.5.6 You identify the lawful basis before starting any new processing.

Created: 20/11/2020 15:31:26 | Last modified: 02/12/2020 14:45:26

6.3.2 You have an internal record of all processing activities carried out by any processors on behalf of your organisation.

Created: 20/11/2020 15:31:26 | Last modified: 02/12/2020 14:44:48

6.3.1 The ROPA includes (as a minimum):
• your organisation's name and contact details, whether it is a controller or a processor (and where applicable, the joint controller, their representative and the DPO);
• the purposes of the processing;
• a description of the categories of individuals and personal data;
• the categories of recipients of personal data;
• details of transfers to third countries, including a record of the transfer mechanism safeguards in place;
• retention schedules; and
• a description of the technical and organisational security measures in place.

Created: 20/11/2020 15:31:26 | Last modified: 02/12/2020 14:44:44

6.4.1 The ROPA also includes, or links to documentation covering:
• information required for privacy notices, such as the lawful basis for the processing and the source of the personal data;
• records of consent;
• controller-processor contracts;
• the location of personal data;
• DPIA reports;
• records of personal data breaches;
• information required for processing special category data or criminal conviction and offence data under the Data Protection Act 2018 (DPA 2018); and
• retention and erasure policy documents.

Created: 20/11/2020 15:31:26 | Last modified: 02/12/2020 14:44:26

6.1.1 Your organisation carries out information audits (or data mapping exercises) to find out what personal data is held and to understand how the information flows through your organisation.

Created: 20/11/2020 15:31:25 | Last modified: 02/12/2020 14:43:53

6.1.2 The data map is kept up-to-date and you clearly assign the responsibilities for maintaining and amending it.

Created: 20/11/2020 15:31:25 | Last modified: 02/12/2020 14:43:49

6.1.3 You consult staff across your organisation to make sure that there is an accurate picture of processing activities, for example by using questionnaires and staff surveys.

Created: 20/11/2020 15:31:25 | Last modified: 02/12/2020 14:43:45

6.2.1 You record processing activities in electronic form so you can add, remove or amend information easily.

Created: 20/11/2020 15:31:25 | Last modified: 02/12/2020 14:43:37

6.2.2 Your organisation regularly reviews the record against processing activities, policies and procedures to make sure that it remains accurate and up-to-date, and you clearly assign responsibilities for doing this.

Created: 20/11/2020 15:31:25 | Last modified: 02/12/2020 14:43:32

6.2.3 You regularly review the processing activities and types of data you process for data minimisation purposes.

Created: 20/11/2020 15:31:25 | Last modified: 02/12/2020 14:43:27

5.7.1 Privacy policies are clear and easy for members of the public to access.

Created: 20/11/2020 15:31:25 | Last modified: 02/12/2020 14:41:51

5.7.2 You provide individuals with tools, such as secure self-service systems, dashboards and just-in-time notices, so they can access, determine and manage how you use their personal data.

Created: 20/11/2020 15:31:25 | Last modified: 02/12/2020 14:41:46

5.7.3 Your organisation offers strong privacy defaults and user-friendly options and controls.

Created: 20/11/2020 15:31:25 | Last modified: 02/12/2020 14:41:41

5.7.4 You help children to exercise their data protection rights, where relevant, in an easily accessible way that they understand.

Created: 20/11/2020 15:31:25 | Last modified: 02/12/2020 14:41:37

5.7.5 You implement appropriate measures to protect children using digital services.

Created: 20/11/2020 15:31:25 | Last modified: 02/12/2020 14:41:32

5.6.1 You review privacy information against the records of processing activities, to make sure it remains up-to-date and that it actually explains what happens with individuals’ personal data.

Created: 20/11/2020 15:31:24 | Last modified: 02/12/2020 14:40:58

5.6.2 You maintain a log of historical privacy notices, including the dates you made any changes, in order to allow a review of what privacy information was provided to individuals and when.

Created: 20/11/2020 15:31:24 | Last modified: 02/12/2020 14:40:53

5.6.3 Your organisation carries out user-testing to evaluate how effective its privacy information is.

Created: 20/11/2020 15:31:24 | Last modified: 02/12/2020 14:40:47

5.6.4 You analyse complaints from the public about how you use personal data, and in particular, any complaints about how you explain that use.

Created: 20/11/2020 15:31:24 | Last modified: 02/12/2020 14:40:35

5.6.5 If you plan to use personal data for a new purpose, you have a procedure to update the privacy information and communicate the changes to individuals before starting any new processing.

Created: 20/11/2020 15:31:24 | Last modified: 02/12/2020 14:40:19

5.5.1 You arrange organisation-wide staff training about privacy information.

Created: 20/11/2020 15:31:24 | Last modified: 02/12/2020 14:39:36

5.5.2 Front-line staff receive more specialised or specific training.

Created: 20/11/2020 15:31:24 | Last modified: 02/12/2020 14:39:29

5.5.3 Staff are aware of the various ways in which the organisation provides privacy information.

Created: 20/11/2020 15:31:24 | Last modified: 02/12/2020 14:39:23

5.4.1 You have procedures for individuals to access the personal data you use to create profiles, so they can review for accuracy and edit if needed.

Created: 20/11/2020 15:31:24 | Last modified: 02/12/2020 14:38:53

5.4.2 If the decision is solely automated and has legal or similarly significant effects, you tell individuals about the processing - including what information you are using, why and what the impact is likely to be.

Created: 20/11/2020 15:31:24 | Last modified: 02/12/2020 14:38:48

5.4.3 If the purpose is initially unclear, you give individuals an indication of what your organisation is going to do with their data, and you proactively update your privacy information as this becomes clearer.

Created: 20/11/2020 15:31:24 | Last modified: 02/12/2020 14:38:43

5.4.4 If the decision is solely automated and has legal or similarly significant effects, your organisation explains the processing in a meaningful way that enables individuals to exercise their rights including obtaining human intervention, expressing their point of view and contesting the decision.

Created: 20/11/2020 15:31:24 | Last modified: 02/12/2020 14:38:38

5.3.4 You take particular care to write privacy information for children in clear, plain language, that is age-appropriate, and explains the risks involved in the processing and what safeguards are in place.

Created: 20/11/2020 15:31:23 | Last modified: 02/12/2020 14:38:03

5.3.3 You write privacy information in clear and plain language that the intended audience can understand, and offer it in accessible formats if required.

Created: 20/11/2020 15:31:23 | Last modified: 02/12/2020 14:37:59

5.3.2 You provide privacy information to individuals in electronic and hard-copy form, using a combination of appropriate techniques, such as a layered approach, icons and mobile and smart device functionalities.

Created: 20/11/2020 15:31:23 | Last modified: 02/12/2020 14:37:54

5.3.1 You proactively make individuals aware of privacy information and have a free, easy way to access it.

Created: 20/11/2020 15:31:23 | Last modified: 02/12/2020 14:37:49

5.2.2 If you obtain personal data from a source other than the individual it relates to, you provide privacy information to individuals within a reasonable period, and no later than one month after obtaining the data.

Created: 20/11/2020 15:31:23 | Last modified: 02/12/2020 14:37:34

5.2.1 Individuals receive privacy information when their personal data is collected (eg when they fill in a form) or by observation (eg when using CCTV or people are tracked online).

Created: 20/11/2020 15:31:23 | Last modified: 02/12/2020 14:37:29

5.1.1 Privacy information includes all relevant contact information, eg the name and contact details of your organisation (and your representative if applicable) and the DPO's contact details.

Created: 20/11/2020 15:31:22 | Last modified: 02/12/2020 14:36:42

5.1.2 Privacy information includes the purposes of the processing and the lawful bases (and, if applicable, the legitimate interests for the processing).

Created: 20/11/2020 15:31:22 | Last modified: 02/12/2020 14:36:36

5.1.3 Privacy information includes the types of personal data you obtain and the data source, if the personal data is not obtained from the individual it relates to.

Created: 20/11/2020 15:31:23 | Last modified: 02/12/2020 14:36:30

5.1.4 Privacy information includes details of all personal data that you share with other organisations and, if applicable, details of transfers to any third countries or international organisations.

Created: 20/11/2020 15:31:23 | Last modified: 02/12/2020 14:36:25

5.1.5 Privacy information includes retention periods for the personal data, or if that is not possible, the criteria used to determine the period.

Created: 20/11/2020 15:31:23 | Last modified: 02/12/2020 14:36:19

5.1.6 Privacy information includes details about individuals' rights including, if applicable, the right to withdraw consent and the right to make a complaint.

Created: 20/11/2020 15:31:23 | Last modified: 02/12/2020 14:36:13

5.1.7 Privacy information includes details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if you collect the personal data from the individual it relates to).

Created: 20/11/2020 15:31:23 | Last modified: 02/12/2020 14:36:08

5.1.8 You provide individuals with privacy information about the source of the processed personal data if you don't obtain it from the individual concerned, eg if the data is from publicly accessible sources such as social media, the open electoral register and Companies House.

Created: 20/11/2020 15:31:23 | Last modified: 02/12/2020 14:36:03

4.11.1 You have procedures to handle data protection complaints raised by individuals and you report their resolution to senior management.

Created: 20/11/2020 15:31:22 | Last modified: 02/12/2020 14:34:51

4.11.2 The DPO's contact details or alternative contact points are publicly available if individuals wish to make a complaint about the use of their personal data.

Created: 20/11/2020 15:31:22 | Last modified: 02/12/2020 14:34:46

4.11.3 You tell individuals about their right to make a complaint to the ICO in your privacy information.

Created: 20/11/2020 15:31:22 | Last modified: 02/12/2020 14:34:42

4.10.1 You complete additional checks for vulnerable groups, such as children, for all automated decision-making and profiling.

Created: 20/11/2020 15:31:22 | Last modified: 02/12/2020 14:34:15

4.10.2 Your organisation only collects the minimum data needed and has a clear retention policy for the profiles created.

Created: 20/11/2020 15:31:22 | Last modified: 02/12/2020 14:34:11

4.10.3 If your organisation uses solely automated decisions that have legal or similarly significant effects on individuals, you have a recorded process to make sure that these decisions only occur in accordance with Article 22 of the GDPR. If this applies, your organisation must carry out a data protection impact assessment (DPIA).

Created: 20/11/2020 15:31:22 | Last modified: 02/12/2020 14:34:06

4.10.4 Where the decision is solely automated and has legal or similarly significant effects on individuals, a recorded process allows simple ways for individuals to request human intervention, express their opinion, and challenge decisions.

Created: 20/11/2020 15:31:22 | Last modified: 02/12/2020 14:34:02

4.10.5 You conduct regular checks for accuracy and bias to make sure that systems are working as intended, and you feed this back into the design process.

Created: 20/11/2020 15:31:22 | Last modified: 02/12/2020 14:33:56

4.8.1 Your organisation restricts personal data in a way that is appropriate for the type of processing and the system, eg temporarily moving the data to another system or removing it from a website.

Created: 20/11/2020 15:31:21 | Last modified: 02/12/2020 14:33:26

4.8.2 If the personal data has been disclosed to others, your organisation contacts each recipient to tell them about the restriction (unless this is impossible or involves disproportionate effort).

Created: 20/11/2020 15:31:21 | Last modified: 02/12/2020 14:33:20

4.8.3 If asked to, your organisation tells the data subject which third parties have received the personal data.

Created: 20/11/2020 15:31:22 | Last modified: 02/12/2020 14:33:16

4.9.1 When requested, you provide personal data in a structured, commonly used and machine-readable format.

Created: 20/11/2020 15:31:22 | Last modified: 02/12/2020 14:33:06

4.9.2 Where possible and if an individual requests it, your organisation can directly transmit the information to another organisation.

Created: 20/11/2020 15:31:22 | Last modified: 02/12/2020 14:33:02

4.7.1 You erase personal data from back-up systems as well as live systems where necessary, and you clearly tell the individual what will happen to their personal data.

Created: 20/11/2020 15:31:21 | Last modified: 02/12/2020 14:32:25

4.7.2 If the personal data is disclosed to others, your organisation contacts each recipient to inform them about the erasure, unless this is impossible or involves disproportionate effort.

Created: 20/11/2020 15:31:21 | Last modified: 02/12/2020 14:32:19

4.7.3 If asked to, your organisation tells the data subject which third parties have received the personal data.

Created: 20/11/2020 15:31:21 | Last modified: 02/12/2020 14:32:15

4.7.4 If personal data has been made public in an online environment, you take reasonable steps to tell other controllers, if they are processing it, to erase links to, copies or replication of that data.

Created: 20/11/2020 15:31:21 | Last modified: 02/12/2020 14:32:10

4.7.5 Your organisation gives particular weight to a request for erasure where the processing is or was based on a child's consent, especially when processing any personal data on the internet.

Created: 20/11/2020 15:31:21 | Last modified: 02/12/2020 14:32:03

4.6.1 Your organisation takes proportionate and reasonable steps to check the accuracy of the personal data held and, if necessary, is able to rectify it.

Created: 20/11/2020 15:31:21 | Last modified: 02/12/2020 14:31:30

4.6.2 If your organisation is satisfied that the data is accurate, you have a procedure to explain this to the individual. You need to inform the individual of their right to complain, and as a matter of good practice, record on the system the fact that the individual disputes the accuracy of the information.

Created: 20/11/2020 15:31:21 | Last modified: 02/12/2020 14:31:26

4.6.3 If personal data has been disclosed to others, your organisation contacts each recipient to inform them about the rectification, unless this is impossible or involves disproportionate effort.

Created: 20/11/2020 15:31:21 | Last modified: 02/12/2020 14:31:21

4.6.4 If asked, your organisation tells the data subject which third parties have received the personal data.

Created: 20/11/2020 15:31:21 | Last modified: 02/12/2020 14:31:16

4.5.1 The staff responsible for managing requests meet regularly to discuss any issues.

Created: 20/11/2020 15:31:20 | Last modified: 02/12/2020 14:30:48

4.5.2 You produce regular reports on performance and case quality assessments to make sure that requests are handled appropriately.

Created: 20/11/2020 15:31:20 | Last modified: 02/12/2020 14:30:46

4.5.3 You share reports with senior management, who review and action them as appropriate at meetings.

Created: 20/11/2020 15:31:20 | Last modified: 02/12/2020 14:30:41

4.5.4 Your organisation analyses any trends in the nature or cause of requests to improve performance or reduce volumes.

Created: 20/11/2020 15:31:21 | Last modified: 02/12/2020 14:30:37

4.4.1 You action all requests within statutory timescales.

Created: 20/11/2020 15:31:20 | Last modified: 02/12/2020 14:30:05

4.4.2 The staff responsible for managing requests meet regularly to discuss any issues and investigate, prioritise or escalate any delayed cases.

Created: 20/11/2020 15:31:20 | Last modified: 02/12/2020 14:30:01

4.4.3 If you need an extension, you update individuals on the progress of their request and keep them informed.

Created: 20/11/2020 15:31:20 | Last modified: 02/12/2020 14:29:57

4.4.4 If a request is refused, you have records about the reasons why and you inform individuals about the reasons for any refusals or exemptions.

Created: 20/11/2020 15:31:20 | Last modified: 02/12/2020 14:29:53

4.3.1 You have processes in place to make sure that the log is accurate and updated as appropriate.

Created: 20/11/2020 15:31:20 | Last modified: 02/12/2020 14:29:22

4.3.2 The log shows the due date for requests, the actual date of the final response and the action taken.

Created: 20/11/2020 15:31:20 | Last modified: 02/12/2020 14:29:18

4.3.3 A checklist records the key stages in the request handling process, eg which systems or departments have been searched. This is either part of the log or a separate document.

Created: 20/11/2020 15:31:20 | Last modified: 02/12/2020 14:29:14

4.3.4 You have records of your organisation's request responses, and any information disclosed to, or withheld from, individuals.

Created: 20/11/2020 15:31:20 | Last modified: 02/12/2020 14:29:09

4.2.1 A specific person (or persons) or team is responsible for managing and responding to requests.

Created: 20/11/2020 15:31:19 | Last modified: 02/12/2020 14:28:35

4.2.2 Staff receive specialised training to handle requests, including regular refresher training.

Created: 20/11/2020 15:31:19 | Last modified: 02/12/2020 14:28:30

4.2.3 You have sufficient resources to deal with requests.

Created: 20/11/2020 15:31:19 | Last modified: 02/12/2020 14:28:26

4.2.4 If a staff member is absent, other staff are trained to carry out key tasks.

Created: 20/11/2020 15:31:20 | Last modified: 02/12/2020 14:28:18

4.1.1 You give individuals clear and relevant information about their rights and how to exercise them.

Created: 20/11/2020 15:31:19 | Last modified: 02/12/2020 14:27:46

4.1.2 Your policies and procedures set out processes for dealing with requests from individuals about their rights.

Created: 20/11/2020 15:31:19 | Last modified: 02/12/2020 14:27:42

4.1.3 All staff receive training and guidance about how to recognise requests and where to send them.

Created: 20/11/2020 15:31:19 | Last modified: 02/12/2020 14:27:38

3.5.1 Your organisation regularly uses a variety of appropriate methods to raise staff awareness and the profile of data protection and information governance, for example by emails, team briefings and meetings, posters, handouts, and blogs.

Created: 20/11/2020 15:31:19 | Last modified: 02/12/2020 14:26:24

3.5.2 You make it easy for staff to access relevant material, and find out who to contact if they have any queries relating to data protection and information governance.

Created: 20/11/2020 15:31:19 | Last modified: 02/12/2020 14:26:19

3.4.1 You conduct an assessment at the end of the training to test staff understanding and make sure that it is effective, which could include a minimum pass mark.

Created: 20/11/2020 15:31:19 | Last modified: 02/12/2020 14:25:56

3.4.2 You keep copies of the training material provided on record as well as details of who receives the training.

Created: 20/11/2020 15:31:19 | Last modified: 02/12/2020 14:25:52

3.4.3 You monitor training completion in line with organisational requirements at all levels of the organisation, and you follow up with staff who do not complete the training.

Created: 20/11/2020 15:31:19 | Last modified: 02/12/2020 14:25:47

3.4.4 Staff are able to provide feedback on the training they receive.

Created: 20/11/2020 15:31:19 | Last modified: 02/12/2020 14:25:42

3.3.1 You complete a training needs analysis for data protection and information governance staff to inform the training plan and to make sure it is specific to the individual's responsibilities.

Created: 20/11/2020 15:31:18 | Last modified: 02/12/2020 14:25:16

3.3.2 You set out training and skills requirements in job descriptions.

Created: 20/11/2020 15:31:18 | Last modified: 02/12/2020 14:25:12

3.3.3 You have evidence to confirm that key roles complete up-to-date and appropriate specialised training and professional development, and they receive proportionate refresher training.

Created: 20/11/2020 15:31:18 | Last modified: 02/12/2020 14:25:08

3.3.4 You keep on record copies of the training material provided as well as details of who receives the training.

Created: 20/11/2020 15:31:19 | Last modified: 02/12/2020 14:25:03

3.2.1 Appropriate staff, such as the DPO or an information governance manager, oversee or approve induction training.

Created: 20/11/2020 15:31:18 | Last modified: 02/12/2020 14:24:30

3.2.2 All staff receive induction and refresher training, regardless of how long they will be working for your organisation, their contractual status, or grade.

Created: 20/11/2020 15:31:18 | Last modified: 02/12/2020 14:24:24

3.2.3 Your staff receive induction training prior to accessing personal data and within one month of their start date.

Created: 20/11/2020 15:31:18 | Last modified: 02/12/2020 14:24:20

3.2.4 Your staff complete refresher training at appropriate intervals.

Created: 20/11/2020 15:31:18 | Last modified: 02/12/2020 14:24:17

3.1.1 The programme incorporates national and sector-specific requirements.

Created: 20/11/2020 15:31:18 | Last modified: 02/12/2020 14:23:44

3.1.2 The programme is comprehensive and includes training for all staff on key areas of data protection such as handling requests, data sharing, information security, personal data breaches and records management.

Created: 20/11/2020 15:31:18 | Last modified: 02/12/2020 14:23:38

3.1.3 You consider the training needs of all staff and use this information to compile the training programme.

Created: 20/11/2020 15:31:18 | Last modified: 02/12/2020 14:23:31

3.1.4 You assign responsibilities for managing data protection and information governance training across your organisation and you have training plans or strategies in place to meet training needs within agreed timescales.

Created: 20/11/2020 15:31:18 | Last modified: 02/12/2020 14:23:25

3.1.5 You have dedicated and trained resources available to deliver training to all staff.

Created: 20/11/2020 15:31:18 | Last modified: 02/12/2020 14:23:21

3.1.6 You regularly review your programme to make sure that it remains accurate and up-to-date.

Created: 20/11/2020 15:31:18 | Last modified: 02/12/2020 14:23:17

3.1.7 Senior management sign off your programme.

Created: 20/11/2020 15:31:18 | Last modified: 02/12/2020 14:23:12

2.4.1 Where relevant, you consider policies and procedures across your organisation with data protection in mind.

Created: 20/11/2020 15:31:17 | Last modified: 02/12/2020 14:21:56

2.4.2 You have policies and procedures to make sure that data protection issues are considered when systems, services, products and business practices involving personal data are designed and implemented, and that personal data is protected by default.

Created: 20/11/2020 15:31:17 | Last modified: 02/12/2020 14:21:51

2.4.3 Your organisation's approach to implementing the data protection principles and safeguarding individuals' rights, such as data minimisation, pseudonymisation and purpose limitation, is set out in policies and procedures.

Created: 20/11/2020 15:31:17 | Last modified: 02/12/2020 14:21:47

2.4.4 The personal data of vulnerable groups, eg children, is given extra protection in policies and procedures.

Created: 20/11/2020 15:31:18 | Last modified: 02/12/2020 14:21:44

2.3.1 Your staff read and understand the policies and procedures, including why they are important to implement and comply with.

Created: 20/11/2020 15:31:17 | Last modified: 02/12/2020 14:21:16

2.3.2 You tell staff about updated policies and procedures.

Created: 20/11/2020 15:31:17 | Last modified: 02/12/2020 14:21:11

2.3.3 You make policies and procedures readily available for all staff on your organisation's intranet site (or equivalent shared area) or provide them in other ways that are easy to access.

Created: 20/11/2020 15:31:17 | Last modified: 02/12/2020 14:21:08

2.3.4 Guidelines, posters or publications help to emphasise key messages and raise staff awareness of policies and procedures.

Created: 20/11/2020 15:31:17 | Last modified: 02/12/2020 14:21:04

2.2.1 All policies and procedures follow an agreed format and style.

Created: 20/11/2020 15:31:17 | Last modified: 02/12/2020 14:20:18

2.2.2 An appropriately senior staff member reviews and approves all new and existing policies and procedures.

Created: 20/11/2020 15:31:17 | Last modified: 02/12/2020 14:20:14

2.2.3 Existing policies and procedures are reviewed in line with documented review dates, are up-to-date and fit for purpose.

Created: 20/11/2020 15:31:17 | Last modified: 02/12/2020 14:20:08

2.2.4 You update policies and procedures without undue delay when they require changes, eg because of operational change, court or regulatory decisions, or changes in regulatory guidance.

Created: 20/11/2020 15:31:17 | Last modified: 02/12/2020 14:20:05

2.2.5 All policies, procedures and guidelines show document control information, including version number, owner, review date and change history.

Created: 20/11/2020 15:31:17 | Last modified: 02/12/2020 14:20:00

2.1.1 The policy framework stems from strategic business planning for data protection and information governance, which the highest management level endorses.

Created: 20/11/2020 15:31:16 | Last modified: 02/12/2020 14:19:28

2.1.2 Policies cover data protection, records management and information security.

Created: 20/11/2020 15:31:17 | Last modified: 02/12/2020 14:19:24

2.1.3 You make operational procedures, guidance and manuals readily available to support data protection policies and provide direction to operational staff.

Created: 20/11/2020 15:31:17 | Last modified: 02/12/2020 14:19:19

2.1.4 Policies and procedures clearly outline roles and responsibilities.

Created: 20/11/2020 15:31:17 | Last modified: 02/12/2020 14:19:15

1.6.1 The groups meet and are attended by relevant staff regularly.

Created: 20/11/2020 15:31:16 | Last modified: 02/12/2020 14:16:13

1.6.2 The groups produce minutes of the meetings and action plans.

Created: 20/11/2020 15:31:16 | Last modified: 02/12/2020 14:16:09

1.6.3 The agenda shows the groups discuss appropriate data protection and information governance issues regularly.

Created: 20/11/2020 15:31:16 | Last modified: 02/12/2020 14:16:04

1.6.4 Any data protection and information governance issues and risks that arise are reported to the oversight group.

Created: 20/11/2020 15:31:16 | Last modified: 02/12/2020 14:16:01

1.5.1 Key staff, eg the DPO, regularly attend the oversight group meetings.

Created: 20/11/2020 15:31:16 | Last modified: 02/12/2020 14:14:54

1.5.2 An appropriately senior staff member chairs the group, eg the DPO or senior information risk owner (SIRO).

Created: 20/11/2020 15:31:16 | Last modified: 02/12/2020 14:14:49

1.5.3 Clear terms of reference set out the group's aims.

Created: 20/11/2020 15:31:16 | Last modified: 02/12/2020 14:14:45

1.5.4 The group's meeting minutes record what takes place.

Created: 20/11/2020 15:31:16 | Last modified: 02/12/2020 14:14:36

1.5.5 The group covers a full range of data protection related topics including Key Performance Indicators (KPIs), issues and risks.

Created: 20/11/2020 15:31:16 | Last modified: 02/12/2020 14:14:32

1.5.6 The group has a work or action plan that is monitored regularly.

Created: 20/11/2020 15:31:16 | Last modified: 02/12/2020 14:14:28

1.5.7 The board, or highest management level, considers data protection and information governance issues and risks reported by the oversight group.

Created: 20/11/2020 15:31:16 | Last modified: 02/12/2020 14:14:25

1.4.4 Data protection and information governance staff have the authority, support and resources to carry out their responsibilities effectively.

Created: 20/11/2020 15:31:16 | Last modified: 02/12/2020 14:13:38

1.4.1 Data protection and information governance staff have clear responsibilities for making sure that your organisation is data protection compliant.

Created: 20/11/2020 15:31:15 | Last modified: 02/12/2020 14:13:34

1.4.2 Your staff manage all records effectively and they keep information secure.

Created: 20/11/2020 15:31:15 | Last modified: 02/12/2020 14:13:30

1.4.3 A network of support or nominated data protection leads help implement and maintain data protection policies at a local level.

Created: 20/11/2020 15:31:16 | Last modified: 02/12/2020 14:13:26

1.3.1 Staff know who the DPO is, what their role is and how to contact them.

Created: 20/11/2020 15:31:15 | Last modified: 02/12/2020 14:12:51

1.3.2 All data protection issues involve the DPO in a timely manner.

Created: 20/11/2020 15:31:15 | Last modified: 02/12/2020 14:12:45

1.3.3 Your organisation follows the DPO’s advice and takes account of their knowledge about data protection obligations.

Created: 20/11/2020 15:31:15 | Last modified: 02/12/2020 14:12:41

1.3.4 The DPO performs their tasks independently, without any conflicts of interest, and does not take any direct operational decisions about the manner and purposes of processing personal data within your organisation.

Created: 20/11/2020 15:31:15 | Last modified: 02/12/2020 14:12:37

1.3.5 The DPO directly advises senior decision-makers and raises concerns with the highest management level.

Created: 20/11/2020 15:31:15 | Last modified: 02/12/2020 14:12:33

1.3.6 The DPO provides regular updates to senior management about data protection compliance.

Created: 20/11/2020 15:31:15 | Last modified: 02/12/2020 14:12:28

1.2.1 The DPO has specific responsibilities in line with Article 39 of the GDPR for data protection compliance, data protection policies, awareness raising, training, and audits.

Created: 20/11/2020 15:31:15 | Last modified: 02/12/2020 14:11:45

1.2.2 The DPO has expert knowledge of data protection law and practices.

Created: 20/11/2020 15:31:15 | Last modified: 02/12/2020 14:11:41

1.2.3 The DPO has the authority, support and resources to do their job effectively.

Created: 20/11/2020 15:31:15 | Last modified: 02/12/2020 14:11:36

1.2.4 If your organisation is not required to appoint a DPO, you record the decision.

Created: 20/11/2020 15:31:15 | Last modified: 02/12/2020 14:11:30

1.2.5 If your organisation is not required to appoint a DPO, you appropriately assign responsibility for data protection compliance and you have enough staff and resources to manage your obligations under data protection law.

Created: 20/11/2020 15:31:15 | Last modified: 02/12/2020 14:11:26

1.1.2 Decision-makers lead by example and promote a proactive, positive culture of data protection compliance.

Created: 20/11/2020 15:31:14 | Last modified: 02/12/2020 14:10:27

1.1.3 You have clear reporting lines and information flows between relevant groups, such as from a management board to an audit committee, or from an executive team to an information governance steering group.

Created: 20/11/2020 15:31:14 | Last modified: 02/12/2020 14:10:23

1.1.4 Policies clearly set out the organisational structure for managing data protection and information governance.

Created: 20/11/2020 15:31:14 | Last modified: 02/12/2020 14:10:19

1.1.5 Job descriptions clearly set out responsibilities and reporting lines to management.

Created: 20/11/2020 15:31:14 | Last modified: 02/12/2020 14:10:14

1.1.6 Job descriptions are up-to-date, fit for purpose and are reviewed regularly.

Created: 20/11/2020 15:31:14 | Last modified: 02/12/2020 14:10:10

1.1.7 Data Protection and information governance staff understand the organisational structure and their responsibilities.

Created: 20/11/2020 15:31:15 | Last modified: 02/12/2020 14:10:06

1.1.1 The board, or highest senior management level, has overall responsibility for data protection and information governance.

Created: 20/11/2020 15:31:14 | Last modified: 02/12/2020 14:09:35

4.2.5 Your organisation can deal with any increase in requests or reduction in staffing levels.

Created: 20/11/2020 15:31:20 | Last modified: 30/11/2020 21:11:13

B13.3 Do you test the business continuity and disaster recovery plans at least once per year by running a simulation exercise that includes cyber incidents?

Created: 26/11/2020 17:20:44 | Last modified: 30/11/2020 15:14:03

B13.3 Do you test the business continuity and disaster recovery plans at least once per year by running a simulation exercise that includes cyber incidents?

Created: 26/11/2020 17:36:52 | Last modified: 30/11/2020 15:13:59

B13.2 Do you review the business continuity and disaster recovery plans at least once per year? Who is involved in the review?

Created: 26/11/2020 17:20:44 | Last modified: 30/11/2020 15:13:47

B13.2 Do you review the business continuity and disaster recovery plans at least once per year? Who is involved in the review?

Created: 26/11/2020 17:36:52 | Last modified: 30/11/2020 15:13:42

B13.1 Do you ensure that business impact assessments, business continuity and disaster recovery plans are produced for your critical information, applications, systems and networks?

Created: 26/11/2020 17:20:44 | Last modified: 30/11/2020 15:12:39

B13.1 Do you ensure that business impact assessments, business continuity and disaster recovery plans are produced for your critical information, applications, systems and networks?

Created: 26/11/2020 17:36:52 | Last modified: 30/11/2020 15:12:33

B12.8 Do you test your incident response process at least once per year?

Created: 26/11/2020 17:20:44 | Last modified: 30/11/2020 15:12:15

B12.8 Do you test your incident response process at least once per year?

Created: 26/11/2020 17:36:52 | Last modified: 30/11/2020 15:12:11

B12.7 Do all staff involved with incident management have clear roles and responsibilities and have they all received appropriate training?

Created: 26/11/2020 17:36:52 | Last modified: 30/11/2020 15:11:51

B12.6 Is a record kept of the outcome of all security incident investigations to ensure all lessons have been learned from each event?

Created: 26/11/2020 17:20:43 | Last modified: 30/11/2020 15:09:58

B12.6 Is a record kept of the outcome of all security incident investigations to ensure all lessons have been learned from each event?

Created: 26/11/2020 17:36:52 | Last modified: 30/11/2020 15:09:54

B12.5 Do you report incidents to external bodies as required, such as law enforcement for criminal activity and the relevant authorities (such as the UK ICO) for personal data breaches?

Created: 26/11/2020 17:20:43 | Last modified: 30/11/2020 15:09:37

B12.5 Do you report incidents to external bodies as required, such as law enforcement for criminal activity and the relevant authorities (such as the UK ICO) for personal data breaches?

Created: 26/11/2020 17:36:52 | Last modified: 30/11/2020 15:09:32

B12.4 If required as a result of an incident, is data isolated to facilitate forensic examination? How is this done?

Created: 26/11/2020 17:20:43 | Last modified: 30/11/2020 15:09:20

B12.4 If required as a result of an incident, is data isolated to facilitate forensic examination? How is this done?

Created: 26/11/2020 17:36:52 | Last modified: 30/11/2020 15:09:16

B12.3 Do you formally investigate information security incidents to establish their cause and their impact with a view to avoiding similar events?

Created: 26/11/2020 17:20:43 | Last modified: 30/11/2020 15:08:19

B12.3 Do you formally investigate information security incidents to establish their cause and their impact with a view to avoiding similar events?

Created: 26/11/2020 17:36:51 | Last modified: 30/11/2020 15:08:14

B12.2 Are users who install software or other active code on the organisation’s systems without permission subject to disciplinary action?

Created: 26/11/2020 17:20:43 | Last modified: 30/11/2020 15:07:43

B12.2 Are users who install software or other active code on the organisation’s systems without permission subject to disciplinary action?

Created: 26/11/2020 17:36:51 | Last modified: 30/11/2020 15:07:37

B12.1 Are all information security incidents or suspected weaknesses reported and recorded, and do you provide a method for all employees and contractors to report security incidents without risk of recrimination (or anonymously)?

Created: 26/11/2020 17:20:43 | Last modified: 30/11/2020 15:07:28

B12.1 Are all information security incidents or suspected weaknesses reported and recorded, and do you provide a method for all employees and contractors to report security incidents without risk of recrimination (or anonymously)?

Created: 26/11/2020 17:36:51 | Last modified: 30/11/2020 15:07:23

B11.3 Is a backup copy held in a different physical location?

Created: 26/11/2020 17:20:43 | Last modified: 30/11/2020 15:04:33

B11.3 Is a backup copy held in a different physical location?

Created: 26/11/2020 17:36:51 | Last modified: 30/11/2020 15:04:29

B11.2 How do you ensure all backups are secured with an appropriate level of protection for the type of data they contain?

Created: 26/11/2020 17:20:43 | Last modified: 30/11/2020 15:04:15

B11.2 How do you ensure all backups are secured with an appropriate level of protection for the type of data they contain?

Created: 26/11/2020 17:36:51 | Last modified: 30/11/2020 15:04:07

B11.1 Are data stored on the business premises backed up regularly (at least weekly) and restores tested at appropriate intervals (at least monthly)?

Created: 26/11/2020 17:20:43 | Last modified: 30/11/2020 15:03:55

B11.1 Are data stored on the business premises backed up regularly (at least weekly) and restores tested at appropriate intervals (at least monthly)?

Created: 26/11/2020 17:36:51 | Last modified: 30/11/2020 15:03:46

B10.2 Is an audit trail of system access and/or data use by staff maintained in a central location for all relevant systems and reviewed on a regular basis? Describe how you achieve this.

Created: 26/11/2020 17:36:51 | Last modified: 30/11/2020 15:02:59

B10.2 Is an audit trail of system access and/or data use by staff maintained in a central location for all relevant systems and reviewed on a regular basis? Describe how you achieve this.

Created: 26/11/2020 17:20:43 | Last modified: 30/11/2020 15:02:45

B10.3 Do you ensure all your devices have their time set accurately to ensure logs and audit trails are in sync with each other?

Created: 26/11/2020 17:36:51 | Last modified: 30/11/2020 15:02:25

B10.3 Do you ensure all your devices have their time set accurately to ensure logs and audit trails are in sync with each other?

Created: 26/11/2020 17:20:43 | Last modified: 30/11/2020 15:02:21

B10.4 Do you ensure that any event logs and audit trails are kept secure and do not expose sensitive information to unauthorised users?

Created: 26/11/2020 17:36:51 | Last modified: 30/11/2020 15:02:01

B10.4 Do you ensure that any event logs and audit trails are kept secure and do not expose sensitive information to unauthorised users?

Created: 26/11/2020 17:20:43 | Last modified: 30/11/2020 15:01:58

B10.1 Does the organisation review event logs (including alerts and errors) at least weekly?

Created: 26/11/2020 17:20:43 | Last modified: 30/11/2020 15:00:38

B10.1 Does the organisation review event logs (including alerts and errors) at least weekly?

Created: 26/11/2020 17:36:51 | Last modified: 30/11/2020 15:00:34

B9.2 Where identified as necessary in your risk assessment, when was the last time you had a penetration test carried out on your critical business systems?

Created: 26/11/2020 17:20:42 | Last modified: 30/11/2020 15:00:10

B9.2 Where identified as necessary in your risk assessment, when was the last time you had a penetration test carried out on your critical business systems?

Created: 26/11/2020 17:36:51 | Last modified: 30/11/2020 15:00:06

B9.1 When was the last time you had a vulnerability scan on your system?

Created: 26/11/2020 17:20:42 | Last modified: 30/11/2020 14:59:03

B9.1 When was the last time you had a vulnerability scan on your system?

Created: 26/11/2020 17:36:51 | Last modified: 30/11/2020 14:58:55

A8.6 (C) Where you use application sandboxing, do you ensure that applications within the sandbox are unable to access data stores, sensitive peripherals and your local network? Describe how you achieve this.

Created: 26/11/2020 17:20:42 | Last modified: 30/11/2020 14:58:43

A8.6 (C) Where you use application sandboxing, do you ensure that applications within the sandbox are unable to access data stores, sensitive peripherals and your local network? Describe how you achieve this.

Created: 26/11/2020 17:36:50 | Last modified: 30/11/2020 14:58:35

A8.5 (B) Where you use an app-store or application signing, do you ensure that users only install applications that have been approved by your organisation and do you document this list of approved applications?

Created: 26/11/2020 17:20:42 | Last modified: 30/11/2020 14:58:15

A8.5 (B) Where you use an app-store or application signing, do you ensure that users only install applications that have been approved by your organisation and do you document this list of approved applications?

Created: 26/11/2020 17:36:50 | Last modified: 30/11/2020 14:58:11

A8.4 (B) Where you use an app-store or application signing, are users restricted from installing unsigned applications?

Created: 26/11/2020 17:20:42 | Last modified: 30/11/2020 14:56:47

A8.4 (B) Where you use an app-store or application signing, are users restricted from installing unsigned applications?

Created: 26/11/2020 17:36:50 | Last modified: 30/11/2020 14:56:42

A8.3 (A) Where you have anti-malware software installed, is it set to scan web pages you visit and warn you about accessing malicious websites?

Created: 26/11/2020 17:20:42 | Last modified: 30/11/2020 14:56:27

A8.3 (A) Where you have anti-malware software installed, is it set to scan web pages you visit and warn you about accessing malicious websites?

Created: 26/11/2020 17:36:50 | Last modified: 30/11/2020 14:56:06

A8.2 (A) Where you have anti-malware software installed, is it set to update daily and scan files automatically upon access?

Created: 26/11/2020 17:20:42 | Last modified: 30/11/2020 14:55:51

A8.2 (A) Where you have anti-malware software installed, is it set to update daily and scan files automatically upon access?

Created: 26/11/2020 17:36:50 | Last modified: 30/11/2020 14:55:43

A7.11 If no, is this because two-factor authentication is not available for some or all of your devices or systems? List the devices or systems that do not allow two-factor authentication.

Created: 26/11/2020 17:20:42 | Last modified: 30/11/2020 14:54:46

A7.11 If no, is this because two-factor authentication is not available for some or all of your devices or systems? List the devices or systems that do not allow two-factor authentication.

Created: 26/11/2020 17:36:50 | Last modified: 30/11/2020 14:54:38

A8.1 Are all of your computers, laptops, tablets and mobile phones protected from malware by either A - having anti-malware software installed, B - limiting installation of applications to an approved set (i.e. using an App Store and a list of approved applications) or C - application sandboxing (i.e. by using a virtual machine)?

Created: 26/11/2020 17:20:42 | Last modified: 30/11/2020 14:54:26

A8.1 Are all of your computers, laptops, tablets and mobile phones protected from malware by either A - having anti-malware software installed, B - limiting installation of applications to an approved set (i.e. using an App Store and a list of approved applications) or C - application sandboxing (i.e. by using a virtual machine)?

Created: 26/11/2020 17:36:50 | Last modified: 30/11/2020 14:53:27

A7.10 Have you enabled two-factor authentication for access to all administrative accounts?

Created: 26/11/2020 17:20:42 | Last modified: 30/11/2020 14:51:16

A7.10 Have you enabled two-factor authentication for access to all administrative accounts?

Created: 26/11/2020 17:36:50 | Last modified: 30/11/2020 14:51:09

A7.9 Do you review who should have administrative access on a regular basis?

Created: 26/11/2020 17:20:42 | Last modified: 30/11/2020 14:50:52

A7.9 Do you review who should have administrative access on a regular basis?

Created: 26/11/2020 17:36:50 | Last modified: 30/11/2020 14:50:45

A7.8 Do you formally track which users have administrator accounts in your organisation?

Created: 26/11/2020 17:20:42 | Last modified: 30/11/2020 14:50:31

A7.8 Do you formally track which users have administrator accounts in your organisation?

Created: 26/11/2020 17:36:50 | Last modified: 30/11/2020 14:50:23

A7.7 How do you ensure that administrator accounts are not used for accessing email or web browsing?

Created: 26/11/2020 17:20:42 | Last modified: 30/11/2020 14:48:40

A7.7 How do you ensure that administrator accounts are not used for accessing email or web browsing?

Created: 26/11/2020 17:36:50 | Last modified: 30/11/2020 14:48:29

A7.6 How do you ensure that staff only use administrator accounts to carry out administrative activities (such as installing software or making configuration changes)?

Created: 26/11/2020 17:20:42 | Last modified: 30/11/2020 14:48:15

A7.6 How do you ensure that staff only use administrator accounts to carry out administrative activities (such as installing software or making configuration changes)?

Created: 26/11/2020 17:36:50 | Last modified: 30/11/2020 14:48:08

A7.5 Do you have a formal process for giving someone access to systems at an “administrator” level? Describe the process.

Created: 26/11/2020 17:20:42 | Last modified: 30/11/2020 14:47:56

A7.5 Do you have a formal process for giving someone access to systems at an “administrator” level? Describe the process.

Created: 26/11/2020 17:36:50 | Last modified: 30/11/2020 14:47:48

A7.4 Do you ensure that staff only have the privileges that they need to do their current job? How do you do this?

Created: 26/11/2020 17:20:41 | Last modified: 30/11/2020 14:46:48

A7.4 Do you ensure that staff only have the privileges that they need to do their current job? How do you do this?

Created: 26/11/2020 17:36:50 | Last modified: 30/11/2020 14:46:21

A7.3 How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation?

Created: 26/11/2020 17:20:41 | Last modified: 30/11/2020 14:46:06

A7.3 How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation?

Created: 26/11/2020 17:36:49 | Last modified: 30/11/2020 14:45:47

A7.2 Can you only access laptops, computers and servers in your organisation (and the applications they contain) by entering a unique user name and password?

Created: 26/11/2020 17:20:41 | Last modified: 30/11/2020 14:45:31

A7.2 Can you only access laptops, computers and servers in your organisation (and the applications they contain) by entering a unique user name and password?

Created: 26/11/2020 17:36:49 | Last modified: 30/11/2020 14:45:26

A7.1 Are users only provided with user accounts after a process has been followed to approve their creation? Describe the process.

Created: 26/11/2020 17:20:41 | Last modified: 30/11/2020 14:44:07

A7.1 Are users only provided with user accounts after a process has been followed to approve their creation? Describe the process.

Created: 26/11/2020 17:36:49 | Last modified: 30/11/2020 14:43:44

B8.11 Do you have Data Processing Agreements in place with all suppliers that process personal data on your behalf?

Created: 26/11/2020 17:20:41 | Last modified: 30/11/2020 14:39:46

B8.11 Do you have Data Processing Agreements in place with all suppliers that process personal data on your behalf?

Created: 26/11/2020 17:36:49 | Last modified: 30/11/2020 14:39:28

B8.10 How do you ensure that all your suppliers (including cloud providers and sub-contractors) follow information security procedures that are certified to be the same as, or more comprehensive than, the information security procedures followed by your own organisation for the data involved in that contract?

Created: 26/11/2020 17:20:41 | Last modified: 30/11/2020 14:39:17

B8.9 If, after assessing all the risks in the DPIA, there is a high level risk left, do you have processes for reporting this to your country's data protection office?

Created: 26/11/2020 17:20:41 | Last modified: 30/11/2020 14:38:53

B8.10 How do you ensure that all your suppliers (including cloud providers and sub-contractors) follow information security procedures that are certified to be the same as, or more comprehensive than, the information security procedures followed by your own organisation for the data involved in that contract?

Created: 26/11/2020 17:36:49 | Last modified: 30/11/2020 14:38:35

B8.9 If, after assessing all the risks in the DPIA, there is a high level risk left, do you have processes for reporting this to your country's data protection office?

Created: 26/11/2020 17:36:49 | Last modified: 30/11/2020 14:38:22

B8.8 Do you ensure that a Data Protection Impact Assessment (DPIA) is carried out for new systems and projects?

Created: 26/11/2020 17:20:41 | Last modified: 30/11/2020 14:37:40

B8.7 Do you use firewalls or other technology to block and monitor access to malicious internet locations/domains at the boundary of your networks?

Created: 26/11/2020 17:20:41 | Last modified: 30/11/2020 14:37:22

B8.8 Do you ensure that a Data Protection Impact Assessment (DPIA) is carried out for new systems and projects?

Created: 26/11/2020 17:36:49 | Last modified: 30/11/2020 14:37:07

B8.7 Do you use firewalls or other technology to block and monitor access to malicious internet locations/domains at the boundary of your networks?

Created: 26/11/2020 17:36:49 | Last modified: 30/11/2020 14:36:54

B8.6 When you deploy wireless and wired networks, do you ensure that access is restricted only to authorised users?

Created: 26/11/2020 17:20:41 | Last modified: 30/11/2020 14:36:32

B8.6 When you deploy wireless and wired networks, do you ensure that access is restricted only to authorised users?

Created: 26/11/2020 17:36:49 | Last modified: 30/11/2020 14:36:07

B8.5 Where identified as necessary in your risk assessment, have you identified and segregated critical business systems and applied appropriate network security controls to them? Explain how this has been achieved.

Created: 26/11/2020 17:20:41 | Last modified: 30/11/2020 14:35:18

B8.5 Where identified as necessary in your risk assessment, have you identified and segregated critical business systems and applied appropriate network security controls to them? Explain how this has been achieved.

Created: 26/11/2020 17:36:49 | Last modified: 30/11/2020 14:34:59

B8.4 Are changes to information systems, applications or networks reviewed and approved, and are users disallowed from making changes without approval? Describe the approval process.

Created: 26/11/2020 17:20:41 | Last modified: 30/11/2020 14:34:46

B8.3 Are all computers and servers provisioned only with approved software from a list of authorised applications that you maintain? Explain how you achieve this.

Created: 26/11/2020 17:20:41 | Last modified: 30/11/2020 14:34:26

B8.4 Are changes to information systems, applications or networks reviewed and approved, and are users disallowed from making changes without approval? Describe the approval process.

Created: 26/11/2020 17:36:49 | Last modified: 30/11/2020 14:34:01

B8.3 Are all computers and servers provisioned only with approved software from a list of authorised applications that you maintain? Explain how you achieve this.

Created: 26/11/2020 17:36:49 | Last modified: 30/11/2020 14:33:46

B8.2 Does the organisation ensure that all new and modified information systems, applications and networks include security provisions, are correctly sized, comply with security requirements, are compatible with existing systems and are approved before they commence operation? Describe how you achieve this.

Created: 26/11/2020 17:20:41 | Last modified: 30/11/2020 14:33:06

B8.2 Does the organisation ensure that all new and modified information systems, applications and networks include security provisions, are correctly sized, comply with security requirements, are compatible with existing systems and are approved before they commence operation? Describe how you achieve this.

Created: 26/11/2020 17:36:49 | Last modified: 30/11/2020 14:32:44

B8.1 Is management of computers and networks controlled using documented procedures that have been authorised? Describe how you achieve this.

Created: 26/11/2020 17:20:41 | Last modified: 30/11/2020 14:32:31

B8.1 Is management of computers and networks controlled using documented procedures that have been authorised? Describe how you achieve this.

Created: 26/11/2020 17:36:49 | Last modified: 30/11/2020 14:32:08

A6.6 Have you removed any applications on your devices that are no longer supported and no longer receive regular fixes for security problems?

Created: 26/11/2020 17:20:41 | Last modified: 30/11/2020 14:31:47

A6.6 Have you removed any applications on your devices that are no longer supported and no longer receive regular fixes for security problems?

Created: 26/11/2020 17:36:48 | Last modified: 30/11/2020 14:31:27

A6.5 Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Adobe Flash) installed within 14 days of release? Describe how you achieve this.

Created: 26/11/2020 17:20:41 | Last modified: 30/11/2020 14:30:29

A6.5 Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Adobe Flash) installed within 14 days of release? Describe how you achieve this.

Created: 26/11/2020 17:36:48 | Last modified: 30/11/2020 14:30:04

A6.4 Are all high-risk or critical security updates for operating systems and firmware installed within 14 days of release? Describe how you achieve this.

Created: 26/11/2020 17:20:40 | Last modified: 30/11/2020 14:29:52

A6.4 Are all high-risk or critical security updates for operating systems and firmware installed within 14 days of release? Describe how you achieve this.

Created: 26/11/2020 17:36:48 | Last modified: 30/11/2020 14:29:33

A6.3 Is all software licensed in accordance with the publisher’s recommendations?

Created: 26/11/2020 17:20:40 | Last modified: 30/11/2020 14:29:21

A6.3 Is all software licensed in accordance with the publisher’s recommendations?

Created: 26/11/2020 17:36:48 | Last modified: 30/11/2020 14:29:03

A6.2 Are all applications on your devices supported by a supplier that produces regular fixes for any security problems?

Created: 26/11/2020 17:20:40 | Last modified: 30/11/2020 14:28:17

A6.2 Are all applications on your devices supported by a supplier that produces regular fixes for any security problems?

Created: 26/11/2020 17:36:48 | Last modified: 30/11/2020 14:27:51

A6.1 Are all operating systems and firmware on your devices supported by a supplier that produces regular fixes for any security problems?

Created: 26/11/2020 17:20:40 | Last modified: 30/11/2020 14:27:34

A6.1 Are all operating systems and firmware on your devices supported by a supplier that produces regular fixes for any security problems?

Created: 26/11/2020 17:36:48 | Last modified: 30/11/2020 14:27:09

A5.10 Is "auto-run" or "auto-play" disabled on all of your systems?

Created: 26/11/2020 17:20:40 | Last modified: 30/11/2020 14:26:54

A5.10 Is "auto-run" or "auto-play" disabled on all of your systems?

Created: 26/11/2020 17:36:48 | Last modified: 30/11/2020 14:26:32

A5.9 If yes, do you have a password policy that guides all your users?

Created: 26/11/2020 17:20:40 | Last modified: 30/11/2020 14:25:30

A5.9 If yes, do you have a password policy that guides all your users?

Created: 26/11/2020 17:36:48 | Last modified: 30/11/2020 14:25:11

A5.8 If yes, are your systems set to lockout after ten or fewer unsuccessful login attempts, or limit the number of login attempts to no more than ten within five minutes?

Created: 26/11/2020 17:20:40 | Last modified: 30/11/2020 14:24:47

A5.8 If yes, are your systems set to lockout after ten or fewer unsuccessful login attempts, or limit the number of login attempts to no more than ten within five minutes?

Created: 26/11/2020 17:36:48 | Last modified: 30/11/2020 14:18:13

A5.7 If yes, do you ensure that you change passwords if you believe that they have been compromised?

Created: 26/11/2020 17:20:40 | Last modified: 30/11/2020 14:18:01

A5.7 If yes, do you ensure that you change passwords if you believe that they have been compromised?

Created: 26/11/2020 17:36:48 | Last modified: 30/11/2020 14:17:11

A5.6 If yes, do you ensure all users of these services use a password of at least 8 characters and that your systems do not restrict the length of the password?

Created: 26/11/2020 17:20:40 | Last modified: 27/11/2020 18:19:07

A5.6 If yes, do you ensure all users of these services use a password of at least 8 characters and that your systems do not restrict the length of the password?

Created: 26/11/2020 17:36:48 | Last modified: 27/11/2020 18:18:47

A5.5 Do you run software that provides sensitive or critical information (that shouldn't be made public) to external users across the internet?

Created: 26/11/2020 17:20:40 | Last modified: 27/11/2020 18:18:27

A5.5 Do you run software that provides sensitive or critical information (that shouldn't be made public) to external users across the internet?

Created: 26/11/2020 17:36:48 | Last modified: 27/11/2020 18:18:05

A5.4 Do all your users and administrators use passwords of at least 8 characters?

Created: 26/11/2020 17:20:40 | Last modified: 27/11/2020 18:17:48

A5.4 Do all your users and administrators use passwords of at least 8 characters?

Created: 26/11/2020 17:36:48 | Last modified: 27/11/2020 18:17:26

A5.3 Have you changed the default password for all user and administrator accounts on all your laptops, computers, servers, tablets and smartphones to a non-guessable password of 8 characters or more?

Created: 26/11/2020 17:20:40 | Last modified: 27/11/2020 18:16:37

A5.3 Have you changed the default password for all user and administrator accounts on all your laptops, computers, servers, tablets and smartphones to a non-guessable password of 8 characters or more?

Created: 26/11/2020 17:36:48 | Last modified: 27/11/2020 18:16:20

A5.2 Have you ensured that all your laptops, computers, servers, tablets and mobile devices only contain necessary user accounts that are regularly used in the course of your business?

Created: 26/11/2020 17:20:40 | Last modified: 27/11/2020 18:16:07

A5.2 Have you ensured that all your laptops, computers, servers, tablets and mobile devices only contain necessary user accounts that are regularly used in the course of your business?

Created: 26/11/2020 17:36:48 | Last modified: 27/11/2020 18:15:50

A5.1 Where you are able to do so, have you removed or disabled all the software that you do not use on your laptops, computers, servers, tablets and mobile phones? Describe how you achieve this.

Created: 26/11/2020 17:20:40 | Last modified: 27/11/2020 18:15:38

A5.1 Where you are able to do so, have you removed or disabled all the software that you do not use on your laptops, computers, servers, tablets and mobile phones? Describe how you achieve this.

Created: 26/11/2020 17:36:48 | Last modified: 27/11/2020 18:15:07

A4.12 If no, is this because software firewalls are not commonly available for the operating system you are using? Please list the operating systems.

Created: 26/11/2020 17:20:39 | Last modified: 27/11/2020 18:14:42

A4.11 Do you have software firewalls enabled on all of your computers and laptops?

Created: 26/11/2020 17:20:39 | Last modified: 27/11/2020 18:14:18

A4.12 If no, is this because software firewalls are not commonly available for the operating system you are using? Please list the operating systems.

Created: 26/11/2020 17:36:47 | Last modified: 27/11/2020 18:13:58

A4.11 Do you have software firewalls enabled on all of your computers and laptops?

Created: 26/11/2020 17:36:47 | Last modified: 27/11/2020 18:13:46

A4.10 If yes, is the access to the settings protected by either two-factor authentication or by only allowing trusted IP addresses to access the settings? List which option is used.

Created: 26/11/2020 17:20:39 | Last modified: 27/11/2020 18:12:54

A4.9 If yes, is there a documented business requirement for this access?

Created: 26/11/2020 17:20:39 | Last modified: 27/11/2020 18:12:26

A4.8 Are your internet routers or hardware firewalls configured to allow access to their configuration settings over the internet?

Created: 26/11/2020 17:20:39 | Last modified: 27/11/2020 18:11:59

A4.10 If yes, is the access to the settings protected by either two-factor authentication or by only allowing trusted IP addresses to access the settings? List which option is used.

Created: 26/11/2020 17:36:47 | Last modified: 27/11/2020 18:11:36

A4.9 If yes, is there a documented business requirement for this access?

Created: 26/11/2020 17:36:47 | Last modified: 27/11/2020 18:10:55

A4.8 Are your internet routers or hardware firewalls configured to allow access to their configuration settings over the internet?

Created: 26/11/2020 17:36:47 | Last modified: 27/11/2020 18:10:44

A4.7 Have you configured your internet routers or hardware firewall devices so that they block all other services from being advertised to the internet?

Created: 26/11/2020 17:20:39 | Last modified: 27/11/2020 18:10:12

A4.7 Have you configured your internet routers or hardware firewall devices so that they block all other services from being advertised to the internet?

Created: 26/11/2020 17:36:47 | Last modified: 27/11/2020 18:09:35

A4.6 If you do have services enabled on your firewall, do you have a process to ensure they are disabled in a timely manner when they are no longer required? Describe the process.

Created: 26/11/2020 17:20:39 | Last modified: 27/11/2020 18:09:24

A4.5 Do you have any services enabled that are accessible externally from your internet routers or hardware firewall devices for which you do not have a documented business case?

Created: 26/11/2020 17:20:39 | Last modified: 27/11/2020 18:09:05

A4.6 If you do have services enabled on your firewall, do you have a process to ensure they are disabled in a timely manner when they are no longer required? Describe the process.

Created: 26/11/2020 17:36:47 | Last modified: 27/11/2020 18:08:44

A4.5 Do you have any services enabled that are accessible externally from your internet routers or hardware firewall devices for which you do not have a documented business case?

26/11/2020 17:36:4727/11/2020 18:08:31

A4.3 Is the new password on all your internet routers or hardware firewall devices at least 8 characters in length and difficult to guess?

26/11/2020 17:20:3927/11/2020 18:07:46

A4.3 Is the new password on all your internet routers or hardware firewall devices at least 8 characters in length and difficult to guess?

26/11/2020 17:36:4727/11/2020 18:07:27

"A4.2 When you first receive an internet router or hardware firewall device it will have had a default password on it. Has this initial password been changed on all such devices? How do you achieve this? "

26/11/2020 17:20:3927/11/2020 18:07:14

A4.1 Do you have firewalls at the boundaries between your organisation's internal networks and the internet?

26/11/2020 17:20:3927/11/2020 18:06:54

A4.2 When you first receive an internet router or hardware firewall device it will have had a default password on it. Has this initial password been changed on all such devices? How do you achieve this?

26/11/2020 17:36:4727/11/2020 18:05:45

A4.1 Do you have firewalls at the boundaries between your organisation's internal networks and the internet?

26/11/2020 17:36:4727/11/2020 18:05:33
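The A4 questions ask for evidence rather than describe a technique, but the checks they imply (a catch-all deny for A4.7, a documented business case for every exposed service for A4.5 and A4.9, and MFA or a trusted-source restriction on any internet-reachable admin interface for A4.10) can be written down and run over a firewall's inbound rule list. The following Python audit is an added example, not part of the questionnaire or of IASME's material: the Rule format, the trusted source range (a TEST-NET-3 address block), the business-case register and the sample rules are all constructed assumptions for illustration, and a real export (an iptables-save dump, a vendor CLI listing) would need its own parser that produces the same Rule objects.

```python
"""Audit a boundary-firewall inbound rule list against questions A4.5 to A4.10.

Added example, not part of the questionnaire or of IASME's material.
The Rule format, the trusted source range, the business-case register
and the sample rules are constructed assumptions; a real export
(iptables-save, a vendor CLI dump) needs its own parser that produces
the same Rule objects.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    dport: Optional[int]        # None means any destination port
    source: str                 # CIDR the rule matches on
    management: bool = False    # exposes the device's own admin interface (A4.8)
    mfa: bool = False           # that interface enforces two-factor auth (A4.10)


@dataclass(frozen=True)
class Finding:
    rule: str
    question: str
    detail: str


def is_trusted(source: str, trusted: Iterable[str]) -> bool:
    """A4.10: the rule's source must lie entirely inside one trusted range.

    0.0.0.0/0 is never trusted unless a trusted range is itself 0.0.0.0/0,
    and address families are compared separately (an IPv4 range never
    covers an IPv6 source).
    """
    net = ip_network(source, strict=False)
    for t in trusted:
        tnet = ip_network(t, strict=False)
        if tnet.version == net.version and net.subnet_of(tnet):
            return True
    return False


def has_default_deny(rules: List[Rule]) -> bool:
    """A4.7: the rule set must end with a catch-all deny, so anything not
    explicitly allowed is not advertised to the internet."""
    if not rules:
        return False
    last = rules[-1]
    return (
        last.action == "deny"
        and last.proto == "any"
        and last.dport is None
        and ip_network(last.source, strict=False).prefixlen == 0
    )


def audit(rules: List[Rule], trusted: Iterable[str], business_cases: Set[str]) -> List[Finding]:
    """Return one Finding per failed question, in rule order."""
    trusted = list(trusted)
    findings: List[Finding] = []
    if not has_default_deny(rules):
        findings.append(Finding("(ruleset)", "A4.7", "no catch-all deny at the end of the inbound chain"))
    for r in rules:
        if r.action != "allow":
            continue
        # A4.5 (ordinary services) / A4.9 (management access): every
        # externally reachable service needs a documented business case.
        if r.name not in business_cases:
            q = "A4.9" if r.management else "A4.5"
            findings.append(Finding(r.name, q, f"{r.proto}/{r.dport} reachable from {r.source} without a documented business case"))
        # A4.10: admin access from the internet must be MFA-protected or
        # restricted to trusted source addresses.
        if r.management and not r.mfa and not is_trusted(r.source, trusted):
            findings.append(Finding(r.name, "A4.10", f"admin interface {r.proto}/{r.dport} open to {r.source} with neither MFA nor a trusted-source restriction"))
    return findings


# Constructed sample input (TEST-NET-3 addresses, not a real network).
TRUSTED_SOURCES = ["203.0.113.0/24"]
BUSINESS_CASES = {"web-https", "vpn", "mgmt-msp"}
SAMPLE_RULES = [
    Rule("web-https", "allow", "tcp", 443, "0.0.0.0/0"),
    Rule("vpn", "allow", "udp", 1194, "0.0.0.0/0"),
    Rule("mgmt-msp", "allow", "tcp", 8443, "203.0.113.10/32", management=True),
    Rule("mgmt-any", "allow", "tcp", 8443, "0.0.0.0/0", management=True),
    Rule("legacy-ftp", "allow", "tcp", 21, "0.0.0.0/0"),
    Rule("default", "deny", "any", None, "0.0.0.0/0"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES, TRUSTED_SOURCES, BUSINESS_CASES):
        print(f"{f.question}  {f.rule}: {f.detail}")
```

On the sample rules the audit reports three failures: `legacy-ftp` has no business case (A4.5), and `mgmt-any` both lacks a business case (A4.9) and exposes the admin interface to any source without MFA (A4.10); `mgmt-msp` passes because its source sits inside the trusted range. Removing the final deny rule adds an A4.7 finding. A management rule with `mfa=True` is accepted from any source, which matches the "either/or" wording of A4.10; an organisation that wants both controls can tighten the condition to `and`.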

B7.5 Do all business premises have effective physical protection and, if indicated by a risk assessment, surveillance and monitoring?

Created: 26/11/2020 17:20:39 | Last modified: 27/11/2020 18:04:48

B7.4 Are devices which require particular working conditions (such as heating and cooling) provided with a suitable environment within the guidelines set out by their respective manufacturers? How do you achieve this?

Created: 26/11/2020 17:20:39 | Last modified: 27/11/2020 18:03:49

B7.3 Where indicated as necessary in your risk assessment, do you have dedicated machines to scan physical media for viruses and malware?

Created: 26/11/2020 17:20:39 | Last modified: 27/11/2020 18:02:36

B7.2 Is the use of physical media on your systems controlled either by physical access restrictions or by a technical solution (such as configuring devices to block USB storage devices)?

Created: 26/11/2020 17:20:38 | Last modified: 27/11/2020 18:01:58

B7.1 Are only authorised personnel who have a justified and approved business case given access to restricted areas containing information systems or stored data? How do you achieve this?

Created: 26/11/2020 17:20:38 | Last modified: 27/11/2020 18:01:20

B6.24 If yes to the above, are the systems that you use to store credit card information compliant with the PCI DSS standard?

Created: 26/11/2020 17:20:38 | Last modified: 27/11/2020 17:58:24

B6.23 Do you store credit card information?

Created: 26/11/2020 17:20:38 | Last modified: 27/11/2020 17:57:28

B6.22 List any local or international laws relating to risk treatment or information security which apply to your business.

Created: 26/11/2020 17:20:38 | Last modified: 27/11/2020 17:56:43

B6.21 List any business sector-specific regulations relating to risk treatment or information security which apply to your business.

Created: 26/11/2020 17:20:38 | Last modified: 27/11/2020 17:55:28

B6.20 Do the contracts with all your suppliers ensure that they meet a set of security requirements that you have defined around handling data and keeping information secure? Please explain the requirements you have set and the reasons why you have chosen them.

Created: 26/11/2020 17:20:38 | Last modified: 27/11/2020 17:54:53

B6.19 Are your information security policies part of all employees' contractual obligations?

Created: 26/11/2020 17:20:38 | Last modified: 27/11/2020 17:53:55

B6.18 Are your information security policies distributed to all employees?

Created: 26/11/2020 17:20:38 | Last modified: 27/11/2020 17:53:10

B6.17 Do your policies refer to handling personal data (and, where appropriate, reference your data protection policy)?

Created: 26/11/2020 17:20:38 | Last modified: 27/11/2020 17:52:15

B6.16 Do your policies refer to home and mobile working?

Created: 26/11/2020 17:20:38 | Last modified: 27/11/2020 17:51:21

B6.15 Do your policies refer to business continuity measures?

Created: 26/11/2020 17:20:38 | Last modified: 27/11/2020 17:50:43

B6.14 Do your policies refer to security incident management?

Created: 26/11/2020 17:20:38 | Last modified: 27/11/2020 17:49:55

B6.13 Do your policies refer to security from malware and intrusion?

Created: 26/11/2020 17:36:46 | Last modified: 27/11/2020 17:48:43

B6.12 Do your policies refer to monitoring and acceptable usage of systems/data?

Created: 26/11/2020 17:20:38 | Last modified: 27/11/2020 17:48:25

B6.11 Do your policies refer to computer and network security?

Created: 26/11/2020 17:20:38 | Last modified: 27/11/2020 17:47:36

B6.10 Do your policies refer to physical and environmental security?

Created: 26/11/2020 17:20:38 | Last modified: 27/11/2020 17:32:10

B6.9 Do your policies refer to user authentication and access management?

Created: 26/11/2020 17:20:38 | Last modified: 27/11/2020 17:31:29

B6.8 Do your policies refer to asset management (including removable media)?

Created: 26/11/2020 17:20:38 | Last modified: 27/11/2020 17:30:34

B6.7 Do your policies refer to personnel security?

Created: 26/11/2020 17:20:38 | Last modified: 27/11/2020 17:29:44

B6.6 Do your policies refer to intellectual property rights and legal requirements?

Created: 26/11/2020 17:20:37 | Last modified: 27/11/2020 17:29:05

B6.5 Is there a policy review and consultation process?

Created: 26/11/2020 17:20:37 | Last modified: 27/11/2020 17:28:16

B6.4 Provide the name and role of the person who approved the policies.

Created: 26/11/2020 17:20:37 | Last modified: 27/11/2020 17:27:31

B6.3 Do your information security policies cover the scope of this assessment?

Created: 26/11/2020 17:20:37 | Last modified: 27/11/2020 17:26:39

B6.2 Have your policies been reviewed in the last 12 months?

Created: 26/11/2020 17:36:45 | Last modified: 27/11/2020 17:24:59

B6.1 Do you have a policy or a set of policies that cover information security?

Created: 26/11/2020 17:20:37 | Last modified: 27/11/2020 17:24:23

B5.8 On termination of employment, are user access privileges immediately withdrawn and the employee de-briefed on their post-employment confidentiality responsibilities? How do you do this?

Created: 26/11/2020 17:20:37 | Last modified: 27/11/2020 17:23:40

B5.7 Are employees with responsibility for information security, or with privileged access to business systems, appropriately qualified and suitably trained?

Created: 26/11/2020 17:20:37 | Last modified: 27/11/2020 17:22:45

B5.6 Do employee contracts include security obligations (such as an obligation to comply with the security policy) and are reminders given at regular intervals?

Created: 26/11/2020 17:20:37 | Last modified: 27/11/2020 17:21:56

B5.5 Do you give new employees a briefing on their corporate and security responsibilities before, or immediately after, employment, preferably reinforced by reference literature? How do you do this?

Created: 26/11/2020 17:20:37 | Last modified: 27/11/2020 17:21:08

B5.4 Do all staff and contractors receive regular information security and data protection training (at least annually)? Describe how this is done.

Created: 26/11/2020 17:20:37 | Last modified: 27/11/2020 17:20:10

B5.3 Provide the name and role of the person responsible for security and data protection training and awareness.

Created: 26/11/2020 17:20:37 | Last modified: 27/11/2020 17:19:19

B5.2 Where criminal record checks are carried out, do you ensure that explicit consent has been obtained from employees and that such checks are carried out for lawful purposes?

Created: 26/11/2020 17:20:37 | Last modified: 27/11/2020 17:18:25

B5.1 Do you take up references or confirm employment history (or carry out any other pre-employment checks to meet regulatory requirements) when employing new staff? How do you do this?

Created: 26/11/2020 17:20:37 | Last modified: 27/11/2020 17:17:33

B4.19 Where you disclose personal data to a supplier/provider, does the contract explicitly impose the obligation to maintain appropriate technical and organisational measures to protect personal data in line with relevant legislation?

Created: 26/11/2020 17:36:45 | Last modified: 27/11/2020 16:11:32

B4.18 Where you have decided to hold data under the lawful basis of Legitimate Interests of the Controller or a Third Party, have you completed the three-part Legitimate Interests test and kept a record of the results?

Created: 26/11/2020 17:20:37 | Last modified: 27/11/2020 16:10:40

B4.17 In each contract you hold with suppliers and customers involving the processing of personal data, do you confirm whether you are the data controller or the data processor?

Created: 26/11/2020 17:20:37 | Last modified: 27/11/2020 16:06:57

B4.16 For each piece of personal information you hold, do you record whether your organisation is the data processor or the data controller?

Created: 26/11/2020 17:20:37 | Last modified: 27/11/2020 16:05:51

B4.15 For each piece of personal information and special category data you hold, do you record the justification for obtaining it? Where is this recorded?

Created: 26/11/2020 17:20:36 | Last modified: 27/11/2020 16:04:36

B4.14 Where processing relies on consent as the lawful basis, do you have mechanisms in place which make it as easy for the data subject to withdraw consent as it was to give it?

Created: 26/11/2020 17:20:36 | Last modified: 27/11/2020 15:52:37

B4.13 Where you are holding data based upon the consent of the data subject, how do you record details of the consent?

Created: 26/11/2020 17:20:36 | Last modified: 27/11/2020 15:51:53

B4.12 Do you have a data privacy statement compliant with the requirements of GDPR, and does the statement provide a point of contact for data protection issues? Who is the point of contact?

Created: 26/11/2020 17:20:36 | Last modified: 27/11/2020 15:48:16

B4.11 Do you have documented data classification criteria?

Created: 26/11/2020 17:20:36 | Last modified: 27/11/2020 15:46:12

B4.10 Do you have documented data retention periods, and do these cover contractual and legal requirements?

Created: 26/11/2020 17:36:44 | Last modified: 27/11/2020 15:45:13

B4.9 Do you make it clear to data subjects how they should contact your organisation to exercise their rights and to raise complaints?

Created: 26/11/2020 17:20:36 | Last modified: 27/11/2020 15:44:13

B4.8 What is your process for dealing with Subject Access or Data Portability requests within the statutory one month? Do you have processes in place to maintain the rights of the individual within the time limits laid down by the Regulation?

Created: 26/11/2020 17:20:36 | Last modified: 27/11/2020 15:43:12

B4.7 Where you collect data from children, do you actively seek parental consent? How do you record this?

Created: 26/11/2020 17:20:36 | Last modified: 27/11/2020 15:41:39

B4.6 When your organisation collects personal data from a subject, do you clearly state what it is being collected for, how it will be processed and who will process it, and does the data subject have to provide consent for this?

Created: 26/11/2020 17:36:44 | Last modified: 27/11/2020 15:40:55

B4.5 If you fall into the category of requiring a Data Protection Officer, have you appointed one?

Created: 26/11/2020 17:36:44 | Last modified: 27/11/2020 15:40:10

B4.4 Do policies and procedures set clear responsibilities for handling of personal data, including where appropriate reference to responsibilities held by your Data Protection Officer?

Created: 26/11/2020 17:20:36 | Last modified: 27/11/2020 15:35:54

B4.3 Is Data Protection referred to in employee contracts of employment?

Created: 26/11/2020 17:20:36 | Last modified: 27/11/2020 15:35:05

B4.2 Are these policies and procedures provided to all employees, required to be followed in everyday practice and linked to disciplinary procedures? How do you achieve this?

Created: 26/11/2020 17:20:36 | Last modified: 27/11/2020 15:34:05

B4.1 Have you put policies and procedures in place to mitigate risks to personal data?

Created: 26/11/2020 17:20:36 | Last modified: 27/11/2020 15:32:04

B3.6 Was the risk assessment approved at board/director/partner/trustee level?

Created: 26/11/2020 17:20:36 | Last modified: 27/11/2020 15:31:04

B3.5 Do you have an action plan to implement any actions identified in the risk assessment?

Created: 26/11/2020 17:36:44 | Last modified: 27/11/2020 15:18:10

B3.4 Does the risk assessment identify which actions you will be taking for each risk (such as reduce or accept)?

Created: 26/11/2020 17:20:36 | Last modified: 27/11/2020 15:17:01

B3.3 Does the risk assessment cover the scope of this assessment?

Created: 26/11/2020 17:20:35 | Last modified: 27/11/2020 15:15:47

B3.2 Has your risk assessment been reviewed in the last 12 months? Who reviewed it?

Created: 26/11/2020 17:20:35 | Last modified: 27/11/2020 15:14:58

B3.1 Do you have a current Risk Assessment which includes information security risks and includes risks to data subjects for the information you hold?

Created: 26/11/2020 17:20:35 | Last modified: 27/11/2020 15:14:01

B2.16 Is your data encrypted whilst being stored by your cloud provider(s) (i.e. encrypted at rest)?

Created: 26/11/2020 17:20:35 | Last modified: 27/11/2020 15:11:57

B2.15 Is your data encrypted before being passed between your site and your cloud provider(s) (i.e. encrypted in transit)?

Created: 26/11/2020 17:20:35 | Last modified: 27/11/2020 15:10:58

B2.14 Which security accreditations are held by the cloud providers used by your organisation?

Created: 26/11/2020 17:20:35 | Last modified: 27/11/2020 15:09:54

B2.13 Please describe which provisions have been put in place to ensure that the requirements of the GDPR are met fully for the data held in your cloud services.

Created: 26/11/2020 17:20:35 | Last modified: 27/11/2020 15:09:09

B2.12 Where do your cloud providers store your data?

Created: 26/11/2020 17:20:35 | Last modified: 27/11/2020 15:08:04

B2.11 Do you use cloud providers to share company information between employees or with customers (such as instant messaging or collaboration tools)? If so, please list all providers.

Created: 26/11/2020 17:20:35 | Last modified: 27/11/2020 15:07:13

B2.10 Do you use cloud providers to store company information (such as files, emails, data backups)? If so, please list all providers.

Created: 26/11/2020 17:20:35 | Last modified: 26/11/2020 19:35:03

B2.9 When assets are no longer required, is all data securely wiped from them or are the assets securely destroyed? Describe how this is done.

Created: 26/11/2020 17:20:35 | Last modified: 26/11/2020 19:34:20

B2.8 Is all sensitive information identified (e.g. by protective marking) and properly protected?

Created: 26/11/2020 17:36:43 | Last modified: 26/11/2020 19:32:14

B2.7 How do you ensure all flows of personal and special category data are documented, including where data was obtained, where it is stored and all destinations of data?

Created: 26/11/2020 17:36:43 | Last modified: 26/11/2020 19:30:46

B2.6 Is all personal data and special category data identified (e.g. by protective marking) and properly protected? Describe how this is done.

Created: 26/11/2020 17:20:35 | Last modified: 26/11/2020 19:29:50

B2.5 Are all mobile phones, tablets and laptops tracked in the asset register, PIN/password protected and encrypted? Please describe how you have achieved this for all criteria within this question.

Created: 26/11/2020 17:20:35 | Last modified: 26/11/2020 19:28:45

B2.4 Is all removable media tracked in the asset register and encrypted? Please describe how you achieve this.

Created: 26/11/2020 17:20:35 | Last modified: 26/11/2020 19:27:23

B2.3 Do all assets (both physical and information assets) have named owners?

Created: 26/11/2020 17:20:35 | Last modified: 26/11/2020 19:26:04

B2.2 How does your asset register track information assets (i.e. categories of information)?

Created: 26/11/2020 17:20:35 | Last modified: 26/11/2020 19:24:31

B2.1 Does your organisation have up-to-date information and physical asset registers?

Created: 26/11/2020 17:20:35 | Last modified: 26/11/2020 19:23:00

B1.4 How do you ensure that you provide sufficient funding and a suitable number of appropriately skilled staff to develop and maintain good information security and data protection?

Created: 26/11/2020 17:20:35 | Last modified: 26/11/2020 19:21:52

B1.3 Please provide the name and role of the person who has overall responsibility for managing security in your organisation.

Created: 26/11/2020 17:20:35 | Last modified: 26/11/2020 19:20:46

B1.2 Is information security and data protection (including a review of any recent incidents) a standing agenda item for your board/director/partner/trustee meetings?

Created: 26/11/2020 17:20:35 | Last modified: 26/11/2020 19:18:57

B1.1 Please provide the name of the board member/director/partner/trustee who has responsibility for information security and data protection.

Created: 26/11/2020 17:36:42 | Last modified: 26/11/2020 19:16:58
B9.3 How did you act to improve the security of your system on the basis of the scan results?

Created: 26/11/2020 17:36:51 | Last modified: 26/11/2020 17:36:51

A4.4 Do you change the password when you believe it may have been compromised? How do you achieve this?

Created: 26/11/2020 17:36:47 | Last modified: 26/11/2020 17:36:47

B12.7 Do all staff involved with incident management have clear roles and responsibilities, and have they all received appropriate training?

Created: 26/11/2020 17:20:44 | Last modified: 26/11/2020 17:20:44

Guidance note: The organisation must have an implemented security policy to match its risk profile. This is usually the ultimate responsibility of the CIO/Director. IASME provides a model template policy which can be adapted to the individual circumstances of most organisations. Dates for achieving objectives can be set within the policy, which should be reviewed by the Board at regular intervals, or when security incidents occur or changes in the risk landscape emerge.

Created: 26/11/2020 17:20:37 | Last modified: 26/11/2020 17:20:37

6.10.2 The LIA includes a 'balancing test' to show how your organisation determines that its legitimate interests override the individuals' and considers the following issues:

• not using people's data in intrusive ways or in ways which could cause harm, unless there is a very good reason;

• protecting the interests of vulnerable groups such as people with learning disabilities or children;

• whether you could introduce safeguards to reduce any potentially negative impact;

• whether you could offer an opt-out; and

• whether you require a DPIA.

19/11/2020 18:19:1922/11/2020 14:21:02

6.7.1 Consent requests: are kept separate from other terms and conditions; require a positive opt-in and do not use pre-ticked boxes; are clear and specific (not a pre-condition of signing up to a service); inform individuals how to withdraw consent in an easy way; and give your organisation's name as well as the names of any third parties relying on consent.

19/11/2020 18:19:1822/11/2020 14:19:29

7.4.4 Each contract (or other legal act) sets out details of the processing including the: • subject matter of the processing; • duration of the processing; • nature and purpose of the processing; • type of personal data involved; • categories of data subject; and • controller’s obligations and rights, in accordance with the list set out in Article 28(3) of the GDPR.

19/11/2020 18:19:2122/11/2020 14:18:50
9.9.14 You establish special controls to safeguard the confidentiality and integrity of data passing over public networks or over wireless networks and to protect the connected systems and applications. (Created 20/11/2020 15:31:39, last modified 20/11/2020 15:31:39)
7.2.5 You have a regular review process to make sure that the information remains accurate and up-to-date, and to examine how the agreement is working. (Created 20/11/2020 15:31:29, last modified 20/11/2020 15:31:29)
1.1.1 The board, or highest senior management level, has overall responsibility for data protection and information governance. (Created 20/11/2020 15:27:01, last modified 20/11/2020 15:27:01)
10.8.3 Data protection and information governance KPIs and the outcomes of monitoring and reviews are discussed regularly by groups at operational level, for example in team meetings. (Created 20/11/2020 15:10:48, last modified 20/11/2020 15:10:48)
10.8.2 The group(s) providing oversight of data protection and information governance regularly discuss KPIs and the outcomes of monitoring and reviews. (Created 20/11/2020 15:10:47, last modified 20/11/2020 15:10:47)
10.8.1 You have a dashboard giving a high-level summary of all key data protection and information governance KPIs. (Created 20/11/2020 15:10:47, last modified 20/11/2020 15:10:47)
10.7.4 You have KPIs regarding records management, including the use of metrics such as file retrieval statistics, adherence to disposal schedules, and the performance of the system in place to index and track paper files containing personal data. (Created 20/11/2020 15:10:47, last modified 20/11/2020 15:10:47)
10.7.3 You have KPIs regarding information security, including the number of security breaches, incidents and near misses. (Created 20/11/2020 15:10:47, last modified 20/11/2020 15:10:47)
10.7.2 You have KPIs regarding the completion of data protection and information governance training, including a report showing the percentage of staff who have completed the training. (Created 20/11/2020 15:10:47, last modified 20/11/2020 15:10:47)
10.7.1 You have Key Performance Indicators (KPIs) regarding SAR performance (the volume of requests and the percentage completed within statutory timescales). (Created 20/11/2020 15:10:47, last modified 20/11/2020 15:10:47)
10.6.7 You have a central action plan in place to take forward the outputs from data protection and information governance audits. (Created 20/11/2020 15:10:47, last modified 20/11/2020 15:10:47)
10.6.6 Audit reports are produced to document the findings. (Created 20/11/2020 15:10:46, last modified 20/11/2020 15:10:46)
10.6.5 There is a central audit plan/schedule in place evidencing the planning of data protection and information governance internal audits. (Created 20/11/2020 15:10:46, last modified 20/11/2020 15:10:46)
10.6.4 You make sure that your monitoring of policy compliance is unbiased by keeping it separate from those who implement the policies. (Created 20/11/2020 15:10:46, last modified 20/11/2020 15:10:46)
10.6.3 You routinely conduct informal, ad-hoc monitoring and spot checks. (Created 20/11/2020 15:10:46, last modified 20/11/2020 15:10:46)
10.6.2 Your organisation regularly tests staff adherence to data protection and information governance policies and procedures. (Created 20/11/2020 15:10:46, last modified 20/11/2020 15:10:46)
10.6.1 You monitor your own data protection compliance and you regularly test the effectiveness of the measures you have in place. (Created 20/11/2020 15:10:46, last modified 20/11/2020 15:10:46)
10.5.5 You have a central action plan in place to take forward the outputs from data protection and information governance audits. (Created 20/11/2020 15:10:46, last modified 20/11/2020 15:10:46)
10.5.4 You produce audit reports to document the findings. (Created 20/11/2020 15:10:45, last modified 20/11/2020 15:10:45)
10.5.3 Your organisation adheres to an appropriate code of conduct or practice for your sector (if one exists). (Created 20/11/2020 15:10:45, last modified 20/11/2020 15:10:45)
10.5.2 Your organisation is subject to or employs the services of an external auditor to provide independent assurances (or certification) on data protection and information security compliance. (Created 20/11/2020 15:10:45, last modified 20/11/2020 15:10:45)
10.5.1 Your organisation completes externally-provided self-assessment tools to provide assurance on data protection and information security compliance. (Created 20/11/2020 15:10:45, last modified 20/11/2020 15:10:45)
10.4.4 Groups with oversight for data protection and information governance review the outputs. (Created 20/11/2020 15:10:45, last modified 20/11/2020 15:10:45)
10.4.3 You undertake trend analysis on breach reports over time to understand themes or issues, and outputs are reviewed by groups with oversight for data protection and information governance. (Created 20/11/2020 15:10:45, last modified 20/11/2020 15:10:45)
10.4.2 Your organisation monitors the type, volume and cost of incidents. (Created 20/11/2020 15:10:45, last modified 20/11/2020 15:10:45)
10.4.1 You analyse all personal data breach reports to prevent a recurrence. (Created 20/11/2020 15:10:45, last modified 20/11/2020 15:10:45)
10.3.4 You provide individuals with advice to protect themselves from any effects of the breach. (Created 20/11/2020 15:10:45, last modified 20/11/2020 15:10:45)
10.3.3 The information you provide to individuals includes the DPO's details, a description of the likely consequences of the breach and the measures taken (including mitigating actions and any possible adverse effects). (Created 20/11/2020 15:10:44, last modified 20/11/2020 15:10:44)
10.3.2 You tell individuals about personal data breaches in clear, plain language without undue delay. (Created 20/11/2020 15:10:44, last modified 20/11/2020 15:10:44)
10.3.1 You have a procedure setting out how you will tell affected individuals about a breach when it is likely to result in a high risk to their rights and freedoms. (Created 20/11/2020 15:10:44, last modified 20/11/2020 15:10:44)
10.2.4 If you consider it unnecessary to report a breach, you document the reasons why your organisation considers the breach is unlikely to result in a risk to the rights and freedoms of individuals. (Created 20/11/2020 15:10:44, last modified 20/11/2020 15:10:44)
10.2.3 The procedure includes details of what information must be given to the ICO about the breach. (Created 20/11/2020 15:10:44, last modified 20/11/2020 15:10:44)
10.2.2 You have a procedure to notify the ICO of a breach within 72 hours of becoming aware of it (even when all the information is not yet available) and you notify the ICO on time. (Created 20/11/2020 15:10:44, last modified 20/11/2020 15:10:44)
10.2.1 You have a procedure to assess the likelihood and severity of the risk to individuals as a result of a personal data breach. (Created 20/11/2020 15:10:44, last modified 20/11/2020 15:10:44)
10.1.7 The log documents the facts relating to the near miss or breach including: its causes; what happened; the personal data affected; the effects of the breach; and any remedial action taken and rationale. (Created 20/11/2020 15:10:44, last modified 20/11/2020 15:10:44)
10.1.6 You centrally log/record/document both actual breaches and near misses (even if they do not need to be reported to the ICO or individuals). (Created 20/11/2020 15:10:43, last modified 20/11/2020 15:10:43)
10.1.5 Your organisation has a response plan for promptly addressing any security incidents and personal data breaches that occur. (Created 20/11/2020 15:10:43, last modified 20/11/2020 15:10:43)
10.1.4 Procedures and systems facilitate the reporting of security incidents and breaches. (Created 20/11/2020 15:10:43, last modified 20/11/2020 15:10:43)
10.1.3 Staff know how to escalate a security incident promptly to the appropriate person or team to determine whether a breach has occurred. (Created 20/11/2020 15:10:43, last modified 20/11/2020 15:10:43)
10.1.2 A dedicated person or team manages security incidents and personal data breaches. (Created 20/11/2020 15:10:43, last modified 20/11/2020 15:10:43)
10.1.1 You have appropriate training in place so that staff are able to recognise a security incident and a personal data breach. (Created 20/11/2020 15:10:43, last modified 20/11/2020 15:10:43)
9.13.4 You regularly test back-ups and recovery processes to make sure that they remain fit for purpose. (Created 20/11/2020 15:10:43, last modified 20/11/2020 15:10:43)
9.13.3 The frequency of back-ups reflects the sensitivity and importance of the data. (Created 20/11/2020 15:10:43, last modified 20/11/2020 15:10:43)
9.12.2 You take back-up copies of electronic information, software and systems (and ideally store them off-site). (Created 20/11/2020 15:10:43, last modified 20/11/2020 15:10:43)
9.12.1 You have a risk-based business continuity plan to manage disruption and a disaster recovery plan to manage disasters, which identify records that are critical to the continued functioning of the organisation. (Created 20/11/2020 15:10:42, last modified 20/11/2020 15:10:42)
9.11.8 You operate a 'clear screen' policy across your organisation where personal data is processed. (Created 20/11/2020 15:10:42, last modified 20/11/2020 15:10:42)
9.11.7 You have regular clear desk 'sweeps' or checks, and issues are fed back appropriately. (Created 20/11/2020 15:10:42, last modified 20/11/2020 15:10:42)
9.11.6 You operate a clear desk policy across the organisation where personal data is processed. (Created 20/11/2020 15:10:42, last modified 20/11/2020 15:10:42)
9.11.5 You store paper records securely and control access to them. (Created 20/11/2020 15:10:42, last modified 20/11/2020 15:10:42)
9.11.4 Office equipment is appropriately placed and protected to reduce the risks from environmental threats and opportunities for unauthorised access. (Created 20/11/2020 15:10:42, last modified 20/11/2020 15:10:42)
9.11.3 You implement additional protection against external and environmental threats in secure areas such as server rooms. (Created 20/11/2020 15:10:42, last modified 20/11/2020 15:10:42)
9.11.2 You have visitor protocols in place such as signing-in procedures, name badges and escorted access. (Created 20/11/2020 15:10:42, last modified 20/11/2020 15:10:42)
9.11.1 You protect secure areas (areas that contain either sensitive or critical information) by appropriate entry controls such as doors and locks, alarms, security lighting or CCTV. (Created 20/11/2020 15:10:42, last modified 20/11/2020 15:10:42)
9.10.6 You do not allow equipment, information or software to be taken off-site without prior authorisation, and you have a log of all mobile devices and removable media used and who they are allocated to. (Created 20/11/2020 15:10:41, last modified 20/11/2020 15:10:41)
9.10.5 Where you have a business need to store personal data on removable media, you minimise personal data and your organisation implements a software solution that can set permissions or restrictions for individual devices, as well as an entire class of devices. (Created 20/11/2020 15:10:41, last modified 20/11/2020 15:10:41)
9.10.4 Your organisation uses the most up-to-date version of its remote access solution. You are able to support and update devices remotely. (Created 20/11/2020 15:10:41, last modified 20/11/2020 15:10:41)
9.10.3 You implement security measures to protect information processed when home or remote working, for example VPN and two-factor authentication. (Created 20/11/2020 15:10:41, last modified 20/11/2020 15:10:41)
9.10.2 You have protections in place to avoid the unauthorised access to, or disclosure of, the information processed by mobile devices, for example encryption and remote wiping capabilities. (Created 20/11/2020 15:10:41, last modified 20/11/2020 15:10:41)
9.10.1 You have a mobile device and a home/remote working policy that demonstrates how your organisation will manage the associated security risks. (Created 20/11/2020 15:10:41, last modified 20/11/2020 15:10:41)
9.9.14 You establish special controls to safeguard the confidentiality and integrity of data passing over public networks or over wireless networks and to protect the connected systems and applications. (Created 20/11/2020 15:10:41, last modified 20/11/2020 15:10:41)
9.9.13 You do not have unsupported operating systems in use, for example Windows XP, Windows Server 2003. (Created 20/11/2020 15:10:41, last modified 20/11/2020 15:10:41)
9.9.12 You have external and internal firewalls and intrusion detection systems in place as appropriate, to make sure that the information in networks and systems is protected from unauthorised access or attack, for example denial of service attacks. (Created 20/11/2020 15:10:41, last modified 20/11/2020 15:10:41)
9.9.11 You strictly control or prohibit the use of social media, or messaging apps such as WhatsApp, to share personal data. (Created 20/11/2020 15:10:40, last modified 20/11/2020 15:10:40)
9.9.10 You deploy URL or web content filtering to block specific websites or entire categories. (Created 20/11/2020 15:10:40, last modified 20/11/2020 15:10:40)
9.9.9 You regularly run vulnerability scans. (Created 20/11/2020 15:10:40, last modified 20/11/2020 15:10:40)
9.9.8 Your organisation has access to and acts upon any updates on technical vulnerabilities to systems or software, for example vendor’s alerts or patches. (Created 20/11/2020 15:10:40, last modified 20/11/2020 15:10:40)
9.9.7 Anti-malware and anti-virus protection is kept up-to-date and you configure it to perform regular scans. (Created 20/11/2020 15:10:40, last modified 20/11/2020 15:10:40)
9.9.6 You implement anti-malware and anti-virus (AV) protection across the network and on critical or sensitive information systems if appropriate. (Created 20/11/2020 15:10:40, last modified 20/11/2020 15:10:40)
9.9.5 You log and monitor user and system activity to detect anything unusual. (Created 20/11/2020 15:10:40, last modified 20/11/2020 15:10:40)
9.9.4 Email content and attachment security solutions (encryption) appropriately protect emails containing sensitive personal data. (Created 20/11/2020 15:10:40, last modified 20/11/2020 15:10:40)
9.9.3 You have password management controls in place, including default password changing, controlled use of any shared passwords and secure password storage (not in plain text). (Created 20/11/2020 15:10:40, last modified 20/11/2020 15:10:40)
9.9.2 You apply minimum password complexity rules and limited log-on attempts to systems or applications processing personal data. (Created 20/11/2020 15:10:39, last modified 20/11/2020 15:10:39)
9.9.1 You restrict access to systems or applications processing personal data to the absolute minimum in accordance with the principle of least privilege (for example read/write/delete/execute access rules are applied). (Created 20/11/2020 15:10:39, last modified 20/11/2020 15:10:39)
9.8.5 You regularly review users' access rights and adjust or remove rights where appropriate, for example when an employee changes role or leaves the organisation. (Created 20/11/2020 15:10:39, last modified 20/11/2020 15:10:39)
9.8.4 You keep a log of user access to systems holding personal data. (Created 20/11/2020 15:10:39, last modified 20/11/2020 15:10:39)
9.8.3 You restrict and control the allocation and use of privileged access rights. (Created 20/11/2020 15:10:39, last modified 20/11/2020 15:10:39)
9.8.2 You implement a formal user access provisioning procedure to assign access rights for staff (including temporary staff) and third party contractors to all relevant systems and services required to fulfil their role, for example a 'new starter process'. (Created 20/11/2020 15:10:39, last modified 20/11/2020 15:10:39)
9.8.1 You have an Access Control policy which specifies that users must follow your organisation's practices in the use of secret authentication information, for example passwords or tokens. (Created 20/11/2020 15:10:39, last modified 20/11/2020 15:10:39)
9.7.3 Your organisation monitors compliance with Acceptable Use rules and makes sure that staff are aware of any monitoring. (Created 20/11/2020 15:10:39, last modified 20/11/2020 15:10:39)
9.7.2 You have system operating procedures which document the security arrangements and measures in place to protect the data held within systems or applications. (Created 20/11/2020 15:10:39, last modified 20/11/2020 15:10:39)
9.7.1 You have Acceptable Use or terms and conditions of use procedures in place. (Created 20/11/2020 15:10:38, last modified 20/11/2020 15:10:38)
9.6.3 You periodically risk-assess assets within the register and you carry out physical checks to make sure that the hardware asset inventory remains accurate. (Created 20/11/2020 15:10:38, last modified 20/11/2020 15:10:38)
9.6.2 You review the register periodically to make sure it remains up-to-date and accurate. (Created 20/11/2020 15:10:38, last modified 20/11/2020 15:10:38)
9.6.1 Your organisation has an asset register that holds details of all information assets (software and hardware) including: asset owners; asset location; retention periods; and security measures deployed. (Created 20/11/2020 15:10:38, last modified 20/11/2020 15:10:38)
9.5.5 You have a log of all equipment and confidential waste sent for disposal or destruction. (Created 20/11/2020 15:10:38, last modified 20/11/2020 15:10:38)
9.5.4 You have appropriate contracts in place with third parties to dispose of personal data, and they provide you with appropriate assurance that they have disposed of the data securely, for example through audit checks and destruction certificates. (Created 20/11/2020 15:10:38, last modified 20/11/2020 15:10:38)
9.5.3 You either hold, collect or send away securely confidential waste awaiting destruction. (Created 20/11/2020 15:10:38, last modified 20/11/2020 15:10:38)
9.5.2 For information held on electronic devices, wiping, degaussing or secure destruction of hardware (shredding) is in place. (Created 20/11/2020 15:10:37, last modified 20/11/2020 15:10:37)
9.5.1 For paper documents, you use locked waste bins for records containing personal data, and either in-house or third party cross-shredding or incineration is in place. (Created 20/11/2020 15:10:37, last modified 20/11/2020 15:10:37)
9.4.4 You regularly review retained data to identify opportunities for minimisation, pseudonymisation, or anonymisation, and you document this in the schedule. (Created 20/11/2020 15:10:37, last modified 20/11/2020 15:10:37)
9.4.3 You assign responsibilities to make sure that staff adhere to the schedule and you review it regularly. (Created 20/11/2020 15:10:37, last modified 20/11/2020 15:10:37)
9.4.2 The schedule provides sufficient information to identify all records and to implement disposal decisions in line with the schedule. (Created 20/11/2020 15:10:37, last modified 20/11/2020 15:10:37)
9.4.1 You have a retention schedule based on business need with reference to statutory requirements and other principles (for example the National Archives). (Created 20/11/2020 15:10:37, last modified 20/11/2020 15:10:37)
9.3.3 Records containing personal data (whether 'active' or archived) are 'weeded' periodically to reduce the risks of inaccuracies and excessive retention. (Created 20/11/2020 15:10:37, last modified 20/11/2020 15:10:37)
9.3.2 You make staff aware of data quality issues following data quality checks or audits to prevent recurrence. (Created 20/11/2020 15:10:37, last modified 20/11/2020 15:10:37)
9.3.1 You conduct regular data quality reviews of records containing personal data to make sure they are accurate, adequate and not excessive. (Created 20/11/2020 15:10:37, last modified 20/11/2020 15:10:37)
9.2.4 You have agreements in place with any third parties used to transfer business information between your organisation and third parties. (Created 20/11/2020 15:10:36, last modified 20/11/2020 15:10:36)
9.2.3 When you transfer data off site, you use an appropriate form of transport (for example, secure courier, encryption, secure file transfer protocol (SFTP) or Virtual Private Network (VPN)), and you check to make sure that the information has been received. (Created 20/11/2020 15:10:36, last modified 20/11/2020 15:10:36)
9.2.2 You minimise data transferred off-site and keep it secure in transit. (Created 20/11/2020 15:10:36, last modified 20/11/2020 15:10:36)
9.2.1 You document rules to protect the internal and external transfer of records by post, fax and electronically, for example in a transfer policy or guidance. (Created 20/11/2020 15:10:36, last modified 20/11/2020 15:10:36)
9.1.4 You index records stored off-site with unique references to enable accurate retrieval and subsequent tracking. (Created 20/11/2020 15:10:36, last modified 20/11/2020 15:10:36)
9.1.3 You know the whereabouts of records at all times, you track their movements, and you attempt to trace records that are missing or not returned. (Created 20/11/2020 15:10:36, last modified 20/11/2020 15:10:36)
9.1.2 You identify where you use manual and electronic record-keeping systems and maintain a central log or information asset register. (Created 20/11/2020 15:10:36, last modified 20/11/2020 15:10:36)
9.1.1 You have policies and procedures to make sure that you appropriately classify, title and index new records in a way that facilitates management, retrieval and disposal. (Created 20/11/2020 15:10:36, last modified 20/11/2020 15:10:36)
8.5.6 You agree and document a schedule for reviewing the DPIA regularly or when the nature, scope, context or purposes of the processing changes. (Created 20/11/2020 15:10:36, last modified 20/11/2020 15:10:36)
8.5.5 You consider actively publishing DPIAs where possible, removing sensitive details if necessary. (Created 20/11/2020 15:10:36, last modified 20/11/2020 15:10:36)
8.5.4 You have a procedure to communicate the outcomes of DPIAs to appropriate stakeholders, eg through a formal summarised report. (Created 20/11/2020 15:10:35, last modified 20/11/2020 15:10:35)
8.5.3 You do not start high risk processing until mitigating measures are in place following the DPIA. (Created 20/11/2020 15:10:35, last modified 20/11/2020 15:10:35)
8.5.2 You integrate outcomes from DPIAs into relevant work plans, project action plans and risk registers. (Created 20/11/2020 15:10:35, last modified 20/11/2020 15:10:35)
8.5.1 You have a procedure to consult the ICO if you cannot mitigate residual high risks. (Created 20/11/2020 15:10:35, last modified 20/11/2020 15:10:35)
8.4.7 Appropriate people sign off DPIAs, such as a project lead or senior manager. (Created 20/11/2020 15:10:35, last modified 20/11/2020 15:10:35)
8.4.6 You record your DPO's advice and recommendations, and the details of any other consultations. (Created 20/11/2020 15:10:35, last modified 20/11/2020 15:10:35)
8.4.5 You have a documented process, with appropriate document controls, that you review periodically to make sure that it remains up-to-date. (Created 20/11/2020 15:10:35, last modified 20/11/2020 15:10:35)
8.4.4 DPIAs identify measures that can be put in place to eliminate, mitigate or reduce high risks. (Created 20/11/2020 15:10:35, last modified 20/11/2020 15:10:35)
8.4.3 DPIAs clearly set out the relationships and data flows between controllers, processors, data subjects and systems. (Created 20/11/2020 15:10:35, last modified 20/11/2020 15:10:35)
8.4.2 DPIAs include: the nature, scope, context and purposes of the processing; assess necessity, proportionality and compliance measures; identify and assess risks to individuals; and identify any additional measures to mitigate those risks. (Created 20/11/2020 15:10:35, last modified 20/11/2020 15:10:35)
8.4.1 Your organisation has a standard, well-structured DPIA template which is written in plain English. (Created 20/11/2020 15:10:34, last modified 20/11/2020 15:10:34)
8.3.7 You assign responsibility for completing DPIAs to a member of staff who has enough authority over a project to effect change, eg a project lead or manager. (Created 20/11/2020 15:10:34, last modified 20/11/2020 15:10:34)
8.3.6 Staff training includes the need to consider a DPIA at the early stages of any plan involving personal data, and where relevant, you train staff in how to carry out a DPIA. (Created 20/11/2020 15:10:34, last modified 20/11/2020 15:10:34)
8.3.5 Your procedure includes consultation with controllers, data processors, individuals, their representatives and any other relevant stakeholders as appropriate. (Created 20/11/2020 15:10:34, last modified 20/11/2020 15:10:34)
8.3.4 Your procedure includes the requirement to seek advice from the DPO and other internal staff as appropriate. (Created 20/11/2020 15:10:34, last modified 20/11/2020 15:10:34)
8.3.3 If the screening checklist indicates that you do not need a DPIA, you document this. (Created 20/11/2020 15:10:34, last modified 20/11/2020 15:10:34)
8.3.2 You have a screening checklist to consider if you need a DPIA, including all the relevant considerations on the scope, type and manner of the proposed processing. (Created 20/11/2020 15:10:34, last modified 20/11/2020 15:10:34)
8.3.1 You have a DPIA policy which includes: clear procedures to decide whether you conduct a DPIA; what the DPIA should cover; who will authorise it; and how you will incorporate it into the overall planning. (Created 20/11/2020 15:10:34, last modified 20/11/2020 15:10:34)
8.2.3 You anticipate risks and privacy-invasive events before they occur, making sure that at the initial design phase of any system, product or process and throughout, you consider the: intended processing activities; risks that these may pose to the rights and freedoms of individuals; and possible measures available to mitigate the risks. (Created 20/11/2020 15:10:34, last modified 20/11/2020 15:10:34)
8.2.2 Your procedures state that, if required, a DPIA should begin at the project's outset, before processing starts, and that the DPIA must run alongside the planning and development process. (Created 20/11/2020 15:10:34, last modified 20/11/2020 15:10:34)
8.2.1 You reference DPIA requirements in all risk, project and change management policies and procedures, with links to DPIA policies and procedures. (Created 20/11/2020 15:10:33, last modified 20/11/2020 15:10:33)
8.1.6 You put measures in place to mitigate the risks identified within risk categories and you test these regularly to make sure that they remain effective. (Created 20/11/2020 15:10:33, last modified 20/11/2020 15:10:33)
8.1.5 If you identify information risks, you have appropriate action plans, progress reports and a consideration of the lessons learnt to avoid future risk. (Created 20/11/2020 15:10:33, last modified 20/11/2020 15:10:33)
8.1.4 You have formal procedures to identify, record and manage risks associated with information assets in an information asset register. (Created 20/11/2020 15:10:33, last modified 20/11/2020 15:10:33)
8.1.3 You identify and manage information risks in an appropriate risk register, which includes clear links between corporate and departmental risk registers and the risk assessment of information assets. (Created 20/11/2020 15:10:33, last modified 20/11/2020 15:10:33)
8.1.2 You have a process to help staff report and escalate data protection and information governance concerns and risks to a central point, for example staff forums. (Created 20/11/2020 15:10:33, last modified 20/11/2020 15:10:33)
8.1.1 An information risk policy (either a separate document or part of a wider corporate risk policy) sets out how your organisation and its data processors manage information risk, and how you monitor compliance with the information risk policy. (Created 20/11/2020 15:10:33, last modified 20/11/2020 15:10:33)
7.9.2 When information is shared, it is pseudonymised or minimised wherever possible. You also consider anonymisation so that the information is no longer personal data. (Created 20/11/2020 15:10:33, last modified 20/11/2020 15:10:33)
7.9.1 Your organisation only shares the personal data necessary to achieve its specific purpose. (Created 20/11/2020 15:10:33, last modified 20/11/2020 15:10:33)
7.8.1 When third parties supply products or services to process personal data, you choose suppliers that design their products or services with data protection in mind. (Created 20/11/2020 15:10:33, last modified 20/11/2020 15:10:33)
7.7.2 You carry out routine compliance checks, proportionate to the processing risks, to test that processors are complying with contractual agreements. (Created 20/11/2020 15:10:33, last modified 20/11/2020 15:10:33)
7.7.1 Contracts include clauses to allow your organisation to conduct audits or checks, to confirm the processor is complying with all contractual terms and conditions. (Created 20/11/2020 15:10:32, last modified 20/11/2020 15:10:32)
7.6.3 The due diligence process includes checks to confirm a potential processor will protect data subjects' rights. (Created 20/11/2020 15:10:32, last modified 20/11/2020 15:10:32)
7.6.2 The due diligence process includes data security checks, eg site visits, system testing and audit requests. (Created 20/11/2020 15:10:32, last modified 20/11/2020 15:10:32)
7.6.1 The procurement process builds in due diligence checks proportionate to the risk of the processing before you agree a contract with a processor. (Created 20/11/2020 15:10:32, last modified 20/11/2020 15:10:32)
7.5.4 Clauses are included to make sure that the processor assists the controller in meeting its GDPR obligations regarding the security of processing, the notification of personal data breaches and DPIAs. (Created 20/11/2020 15:10:32, last modified 20/11/2020 15:10:32)
7.5.3 The contract includes clauses to make sure that the processor either deletes or returns all personal data to the controller at the end of the contract. The processor must also delete existing personal data unless the law requires its storage. (Created 20/11/2020 15:10:32, last modified 20/11/2020 15:10:32)
7.5.2 Contracts include the technical and organisational security measures the processor will adopt (including encryption, pseudonymisation, resilience of processing systems and backing up personal data in order to be able to reinstate the system). (Created 20/11/2020 15:10:32, last modified 20/11/2020 15:10:32)
7.5.1 The contract or other legal act includes terms or clauses stating that the processor must: • only act on the controller’s documented instructions, unless required by law to act without such instructions; • make sure that the people processing the data are subject to a duty of confidence; • help the controller respond to requests from individuals to exercise their rights; and • submit to audits and inspections. (Created 20/11/2020 15:10:32, last modified 20/11/2020 15:10:32)
7.4.7 If a processor uses a sub-processor to help with the processing it is doing on your behalf, they have written authorisation from your organisation and a written contract with that sub-processor. (Created 20/11/2020 15:10:32, last modified 20/11/2020 15:10:32)
7.4.6 You review contracts periodically to make sure they remain up-to-date. (Created 20/11/2020 15:10:32, last modified 20/11/2020 15:10:32)
7.4.5 You keep a record or log of all current processor contracts, which you update when processors change. (Created 20/11/2020 15:10:32, last modified 20/11/2020 15:10:32)
7.4.3 An appropriate level of management approves the contracts and both parties sign. The level of management required for approval is proportionate to the value and risk of the contract. (Created 20/11/2020 15:10:31, last modified 20/11/2020 15:10:31)
7.4.2 If using a processor, you assess the risk to individuals and make sure that these risks are mitigated effectively. (Created 20/11/2020 15:10:31, last modified 20/11/2020 15:10:31)
7.4.1 You have written contracts with all processors. (Created 20/11/2020 15:10:31, last modified 20/11/2020 15:10:31)
7.3.2 If a restricted transfer is not covered by an adequacy decision nor an appropriate safeguard, you consider whether it is covered by an exemption set out in Article 49 of the GDPR. (Created 20/11/2020 15:10:31, last modified 20/11/2020 15:10:31)
7.3.1 You consider whether the restricted transfer is covered by an adequacy decision or by 'appropriate safeguards' listed in data protection law, such as contracts incorporating standard contractual data protection clauses adopted by the Commission or Binding Corporate Rules (BCRs). (Created 20/11/2020 15:10:31, last modified 20/11/2020 15:10:31)
7.2.6 There is a central log of the current data sharing agreements. (Created 20/11/2020 15:10:31, last modified 20/11/2020 15:10:31)
7.2.5 You have a regular review process to make sure that the information remains accurate and up-to-date, and to examine how the agreement is working. (Created 20/11/2020 15:10:31, last modified 20/11/2020 15:10:31)
7.2.4 If your organisation is acting as a joint controller (within the meaning of Article 26 of the GDPR), you set out responsibilities under an arrangement or a data sharing agreement, and you provide appropriate privacy information to individuals. (Created 20/11/2020 15:10:31, last modified 20/11/2020 15:10:31)
7.2.3 Where necessary, procedures and guidance covering each organisation's day-to-day operations support the agreements. (Created 20/11/2020 15:10:31, last modified 20/11/2020 15:10:31)
7.2.2 The data sharing agreement includes details about: the parties' roles; the purpose of the data sharing; what is going to happen to the data at each stage; and sets standards (with a high privacy default for children). (Created 20/11/2020 15:10:31, last modified 20/11/2020 15:10:31)
7.2.1 You agree data sharing agreements with all the relevant parties and senior management signs them off. (Created 20/11/2020 15:10:30, last modified 20/11/2020 15:10:30)
7.1.4 Your organisation adequately trains all staff likely to make decisions about data sharing, and makes them aware of their responsibilities. You refresh this training appropriately. (Created 20/11/2020 15:10:30, last modified 20/11/2020 15:10:30)
7.1.3 Your organisation has clear policies, procedures and guidance about data sharing, including who has the authority to make decisions about systematic data sharing or one-off disclosures, and when it is appropriate to do so. (Created 20/11/2020 15:10:30, last modified 20/11/2020 15:10:30)
7.1.2 You document all sharing decisions for audit, monitoring and investigation purposes and you regularly review them. (Created 20/11/2020 15:10:30, last modified 20/11/2020 15:10:30)
7.1.1 You have a review process, through a DPIA or similar exercise, to assess the legality, benefits and risks of the data sharing. (Created 20/11/2020 15:10:30, last modified 20/11/2020 15:10:30)
6.10.5 You keep the LIA under review and refresh it if changes affect the outcome. (Created 20/11/2020 15:10:30, last modified 20/11/2020 15:10:30)
6.10.4 You complete the LIA prior to the start of the processing. (Created 20/11/2020 15:10:30, last modified 20/11/2020 15:10:30)
6.10.3 You clearly document the decision and the assessment. (Created 20/11/2020 15:10:30, last modified 20/11/2020 15:10:30)
6.10.2 The LIA includes a 'balancing test' to show how your organisation determines that its legitimate interests override the individuals' and considers the following issues: • not using people's data in intrusive ways or in ways which could cause harm, unless there is a very good reason; • protecting the interests of vulnerable groups such as people with learning disabilities or children; • whether you could introduce safeguards to reduce any potentially negative impact; • whether you could offer an opt-out; and • whether you require a DPIA. (Created 20/11/2020 15:10:30, last modified 20/11/2020 15:10:30)
6.10.1 The LIA identifies the legitimate interest, the benefits of the processing and whether it is necessary. (Created 20/11/2020 15:10:30, last modified 20/11/2020 15:10:30)
6.9.4 When providing online services to children, if the child is under 13, you have records of parental or guardian consent which are reviewed regularly, and you make reasonable efforts to verify that the person giving consent has parental or guardian responsibility. You give particular consideration when a child reaches the age of 13 and is able to provide their own consent. (Created 20/11/2020 15:10:30, last modified 20/11/2020 15:10:30)
6.9.3 When providing online services to children, your organisation has risk-based age checking systems in place to establish age with a level of certainty that is appropriate based on the risks to children's rights and freedoms. (Created 20/11/2020 15:10:29, last modified 20/11/2020 15:10:29)
6.9.2 You have a reasonable and effective procedure to determine whether the individual in question can provide their own consent, and if not, an effective way to gain and record parental or guardian consent. (Created 20/11/2020 15:10:29, last modified 20/11/2020 15:10:29)
6.9.1 Your organisation makes reasonable efforts to check the age of those giving consent, particularly where the individual is a child. (Created 20/11/2020 15:10:29, last modified 20/11/2020 15:10:29)
6.8.3 Your organisation uses privacy dashboards or other preference-management tools to help people manage their consent. (Created 20/11/2020 15:10:29, last modified 20/11/2020 15:10:29)
6.8.2 Your organisation has a procedure to refresh consent at appropriate intervals. (Created 20/11/2020 15:10:29, last modified 20/11/2020 15:10:29)
6.8.1 You have a procedure to review consents to check that the relationship, the processing and the purposes have not changed and to record any changes. (Created 20/11/2020 15:10:29, last modified 20/11/2020 15:10:29)
6.7.3 You have evidence and examples of how consent is sought from individuals, for example online forms or notices, opt-in tick boxes, and paper-based forms. (Created 20/11/2020 15:10:29, last modified 20/11/2020 15:10:29)
6.7.2 You have records of what an individual has consented to, including what they were told and when and how they consented. The records are thorough and easy for relevant staff to access, review and withdraw if required. (Created 20/11/2020 15:10:29, last modified 20/11/2020 15:10:29)
6.7.1 Consent requests: are kept separate from other terms and conditions; require a positive opt-in and do not use pre-ticked boxes; are clear and specific (not a pre-condition of signing up to a service); inform individuals how to withdraw consent in an easy way; and give your organisation's name as well as the names of any third parties relying on consent. (Created 20/11/2020 15:10:29, last modified 20/11/2020 15:10:29)
6.6.3 If there is a genuine change in circumstances, or if your lawful basis must change due to a new and unanticipated purpose, you inform individuals in a timely manner and record the changes. (Created 20/11/2020 15:10:29, last modified 20/11/2020 15:10:29)
6.6.2 You provide information in an easily understandable format. (Created 20/11/2020 15:10:29, last modified 20/11/2020 15:10:29)
6.6.1 You make information about the purposes of the processing, your lawful basis and relevant conditions for processing any special category data or criminal offence data publicly available in your organisation's privacy notice(s). (Created 20/11/2020 15:10:28, last modified 20/11/2020 15:10:28)
6.5.6 You identify the lawful basis before starting any new processing.20/11/2020 15:10:2820/11/2020 15:10:28
6.5.5 Where Schedule 1 requires it, there is an appropriate policy document including: which schedule 1 conditions you are relying on; what procedures you have in place to ensure compliance with the data protection principle; how special category or criminal offence data will be treated for retention and erasure purposes; a review date; and details of an individual assigned responsibility for the processing.20/11/2020 15:10:2820/11/2020 15:10:28
6.5.4 In the case of special category or criminal offence data, you document consideration of the requirements of Article 9 or 10 of the GDPR and Schedule 1 of the DPA 2018 where relevant.20/11/2020 15:10:2820/11/2020 15:10:28
6.5.3 If your organisation processes special category data or criminal offence data, you identify and document a lawful basis for general processing and an additional condition for processing this type of data (or in the case of criminal offence data only, you identify the official authority to process).20/11/2020 15:10:2820/11/2020 15:10:28
6.5.2 You document the lawful basis (or bases) relied upon and the reasons why.20/11/2020 15:10:2820/11/2020 15:10:28
6.5.1 Your organisation selects the most appropriate lawful basis (or bases) for each activity following a review of the processing purposes.20/11/2020 15:10:2820/11/2020 15:10:28
6.4.1 The ROPA also includes, or links to documentation covering: •information required for privacy notices, such as the lawful basis for the processing and the source of the personal data; •records of consent; •controller-processor contracts; •the location of personal data; • DPIA reports; •records of personal data breaches; •information required for processing special category data or criminal conviction and offence data under the Data Protection Act 2018 (DPA 2018); and •retention and erasure policy documents.20/11/2020 15:10:2820/11/2020 15:10:28
6.3.2 You have an internal record of all processing activities carried out by any processors on behalf of your organisation.20/11/2020 15:10:2820/11/2020 15:10:28
•a description of the technical and organisational security measures in place."20/11/2020 15:10:2820/11/2020 15:10:28
6.2.3 You regularly review the processing activities and types of data you process for data minimisation purposes.20/11/2020 15:10:2820/11/2020 15:10:28
6.2.2 Your organisation regularly reviews the record against processing activities, policies and procedures to make sure that it remains accurate and up-to-date, and you clearly assign responsibilities for doing this.20/11/2020 15:10:2720/11/2020 15:10:27
6.2.1 You record processing activities in electronic form so you can add, remove or amend information easily.20/11/2020 15:10:2720/11/2020 15:10:27
6.1.3 You consult staff across your organisation to make sure that there is an accurate picture of processing activities, for example by using questionnaires and staff surveys.20/11/2020 15:10:2720/11/2020 15:10:27
6.1.2 The data map is kept up-to-date and you clearly assign the responsibilities for maintaining and amending it.20/11/2020 15:10:2720/11/2020 15:10:27
6.1.1 Your organisation carries out Information audits (or data mapping exercises) to find out what personal data is held and to understand how the information flows through your organisation.20/11/2020 15:10:2720/11/2020 15:10:27
5.7.5 You implement appropriate measures to protect children using digital services.20/11/2020 15:10:2720/11/2020 15:10:27
5.7.4 You help children to exercise their data protection rights, where relevant, in an easily accessible way that they understand.20/11/2020 15:10:2720/11/2020 15:10:27
5.7.3 Your organisation offers strong privacy defaults and user-friendly options and controls.20/11/2020 15:10:2720/11/2020 15:10:27
5.7.2 You provide individuals with tools, such as secure self-service systems, dashboards and just-in-time notices, so they can access, determine and manage how you use their personal data.20/11/2020 15:10:2720/11/2020 15:10:27
5.7.1 Privacy policies are clear and easy for members of the public to access.20/11/2020 15:10:2720/11/2020 15:10:27
5.6.5 If you plan to use personal data for a new purpose, you have a procedure to update the privacy information and communicate the changes to individuals before starting any new processing.20/11/2020 15:10:2720/11/2020 15:10:27
5.6.4 You analyse complaints from the public about how you use personal data, and in particular, any complaints about how you explain that use.20/11/2020 15:10:2620/11/2020 15:10:26
5.6.3 Your organisation carries out user-testing to evaluate how effective their privacy information is.20/11/2020 15:10:2620/11/2020 15:10:26
5.6.2 You maintain a log of historical privacy notices, including the dates you made any changes, in order to allow a review of what privacy information was provided to individuals and when.20/11/2020 15:10:2620/11/2020 15:10:26
5.6.1 You review privacy information against the records of processing activities, to make sure it remains up-to-date and that it actually explains what happens with individuals’ personal data.20/11/2020 15:10:2620/11/2020 15:10:26
5.5.3 Staff are aware of the various ways in which the organisation provides privacy information.20/11/2020 15:10:2620/11/2020 15:10:26
5.5.2 Front-line staff receive more specialised or specific training.20/11/2020 15:10:2620/11/2020 15:10:26
5.5.1 You arrange organisation-wide staff training about privacy information.20/11/2020 15:10:2620/11/2020 15:10:26
5.4.4 If the decision is solely automated and has legal or similarly significant effects, your organisation explains the processing in a meaningful way that enables individuals to exercise their rights including obtaining human intervention, expressing their point of view and contesting the decision.20/11/2020 15:10:2620/11/2020 15:10:26
5.4.3 If the purpose is initially unclear, you give individuals an indication of what your organisation is going to do with their data, and you proactively update your privacy information as this becomes clearer.20/11/2020 15:10:2620/11/2020 15:10:26
5.4.2 If the decision is solely automated and has legal or similarly significant effects, you tell individuals about the processing - including what information you are using, why and what the impact is likely to be.20/11/2020 15:10:2620/11/2020 15:10:26
5.4.1 You have procedures for individuals to access the personal data you use to create profiles, so they can review for accuracy and edit if needed.20/11/2020 15:10:2620/11/2020 15:10:26
5.3.4 You take particular care to write privacy information for children in clear, plain language, that is age-appropriate, and explains the risks involved in the processing and what safeguards are in place.20/11/2020 15:10:2620/11/2020 15:10:26
5.3.3 You write privacy information in clear and plain language that the intended audience can understand, and offer it in accessible formats if required.20/11/2020 15:10:2620/11/2020 15:10:26
5.3.2 You provide privacy information to individuals in electronic and hard-copy form, using a combination of appropriate techniques, such as a layered approach, icons and mobile and smart device functionalities.20/11/2020 15:10:2520/11/2020 15:10:25
5.3.1 You proactively make individuals aware of privacy information and have a free, easy way to access it.20/11/2020 15:10:2520/11/2020 15:10:25
5.2.2 If you obtain personal data from a source other than the individual it relates to, you provide privacy information to individuals within a reasonable period no later than one month of obtaining the data.20/11/2020 15:10:2520/11/2020 15:10:25
5.2.1 Individuals receive privacy information when their personal data is collected (eg when they fill in a form) or by observation (eg when using CCTV or people are tracked online).20/11/2020 15:10:2520/11/2020 15:10:25
5.1.8 You provide individuals with privacy information about the source of the processed personal data if you don't obtain it from the individual concerned, eg if the data is from publicly accessible sources such as social media, the open electoral register and Companies House.20/11/2020 15:10:2520/11/2020 15:10:25
5.1.7 Privacy information includes details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if you collect the personal data from the individual it relates to).20/11/2020 15:10:2520/11/2020 15:10:25
5.1.6 Privacy information includes details about individuals' rights including, if applicable, the right to withdraw consent and the right to make a complaint.20/11/2020 15:10:2520/11/2020 15:10:25
5.1.5 Privacy information includes retention periods for the personal data, or if that is not possible, the criteria used to determine the period.20/11/2020 15:10:2520/11/2020 15:10:25
5.1.4 Privacy information includes details of all personal data that you share with other organisations and, if applicable, details of transfers to any third countries or international organisations.20/11/2020 15:10:2520/11/2020 15:10:25
5.1.3 Privacy information includes the types of personal data you obtain and the data source, if the personal data is not obtained from the individual it relates to.20/11/2020 15:10:2520/11/2020 15:10:25
5.1.2 Privacy information includes the purposes of the processing and the lawful bases (and, if applicable, the legitimate interests for the processing).20/11/2020 15:10:2520/11/2020 15:10:25
5.1.1 Privacy information includes all relevant contact information, eg the name and contact details of your organisation (and your representative if applicable) and the DPO's contact details.20/11/2020 15:10:2520/11/2020 15:10:25
4.11.3 You tell individuals about their right to make a complaint to the ICO in your privacy information.20/11/2020 15:10:2520/11/2020 15:10:25
4.11.2 The DPO's contact details or alternative contact points are publicly available if individuals wish to make a complaint about the use of their personal data.20/11/2020 15:10:2520/11/2020 15:10:25
4.11.1 You have procedures to handle data protection complaints raised by individuals and you report their resolution to senior management.20/11/2020 15:10:2420/11/2020 15:10:24
4.10.5 You conduct regular checks for accuracy and bias to make sure that systems are working as intended, and you feed this back into the design process.20/11/2020 15:10:2420/11/2020 15:10:24
4.10.4 Where the decision is solely automated and has legal or similarly significant effects on individuals, a recorded process allows simple ways for individuals to request human intervention, express their opinion, and challenge decisions.20/11/2020 15:10:2420/11/2020 15:10:24
4.10.3 If your organisation uses solely automated decisions that have legal or similarly significant effects on individuals, you have a recorded process to make sure that these decisions only occur in accordance with Article 22 of the GDPR. If this applies, your organisation must carry out a data protection impact assessment (DPIA).20/11/2020 15:10:2420/11/2020 15:10:24
4.10.2 Your organisation only collects the minimum data needed and has a clear retention policy for the profiles created.20/11/2020 15:10:2420/11/2020 15:10:24
4.10.1 You complete additional checks for vulnerable groups, such as children, for all automated decision-making and profiling.20/11/2020 15:10:2420/11/2020 15:10:24
4.9.2 Where possible and if an individual requests it, your organisation can directly transmit the information to another organisation.20/11/2020 15:10:2420/11/2020 15:10:24
4.9.1 When requested, you provide personal data in a structured, commonly used and machine readable format.20/11/2020 15:10:2420/11/2020 15:10:24
4.8.3 If asked to, your organisation tells the data subject which third parties have received the personal data.20/11/2020 15:10:2420/11/2020 15:10:24
4.8.2 If the personal data has been disclosed to others, your organisation contacts each recipient to tell them about the restriction (unless this is impossible or involves disproportionate effort).20/11/2020 15:10:2420/11/2020 15:10:24
4.8.1 Your organisation restricts personal data in a way that is appropriate for the type of processing and the system, eg temporarily moving the data to another system or removing it from a website.20/11/2020 15:10:2420/11/2020 15:10:24
4.7.5 Your organisation gives particular weight to a request for erasure where the processing is or was based on a child's consent, especially when processing any personal data on the internet.20/11/2020 15:10:2420/11/2020 15:10:24
4.7.4 If personal data has been made public in an online environment, you take reasonable steps to tell other controllers, if they are processing it, to erase links to, copies or replication of that data.20/11/2020 15:10:2420/11/2020 15:10:24
4.7.3 If asked to, your organisation tells the data subject which third parties have received the personal data.20/11/2020 15:10:2320/11/2020 15:10:23
4.7.2 If the personal data is disclosed to others, your organisation contacts each recipient to inform them about the erasure, unless this is impossible or involves disproportionate effort.20/11/2020 15:10:2320/11/2020 15:10:23
4.7.1 You erase personal data from back-up systems as well as live systems where necessary, and you clearly tell the individual what will happen to their personal data.20/11/2020 15:10:2320/11/2020 15:10:23
4.6.4 If asked, your organisation tells the data subject which third parties have received the personal data.20/11/2020 15:10:2320/11/2020 15:10:23
4.6.3 If personal data has been disclosed to others, your organisation contacts each recipient to inform them about the rectification, unless this is impossible or involves disproportionate effort.20/11/2020 15:10:2320/11/2020 15:10:23
4.6.2 If your organisation is satisfied that the data is accurate, you have a procedure to explain this to the individual. You need to inform the individual of their right to complain, and as a matter of good practice, record on the system the fact that the individual disputes the accuracy of the information.20/11/2020 15:10:2320/11/2020 15:10:23
4.6.1 Your organisation takes proportionate and reasonable steps to check the accuracy of the personal data held and, if necessary, is able to rectify it.20/11/2020 15:10:2320/11/2020 15:10:23
4.5.4 Your organisation analyses any trends in the nature or cause of requests to improve performance or reduce volumes.20/11/2020 15:10:2320/11/2020 15:10:23
4.5.3 You share reports with senior management, that they review and action as appropriate at meetings.20/11/2020 15:10:2320/11/2020 15:10:23
4.5.2 You produce regular reports on performance and case quality assessments to make sure that requests are handled appropriately.20/11/2020 15:10:2320/11/2020 15:10:23
4.5.1 The staff responsible for managing requests meet regularly to discuss any issues.20/11/2020 15:10:2320/11/2020 15:10:23
4.4.4 If a request is refused, you have records about the reasons why and you inform individuals about the reasons for any refusals or exemptions.20/11/2020 15:10:2320/11/2020 15:10:23
4.4.3 If you need an extension, you update individuals on the progress of their request and keep them informed.20/11/2020 15:10:2320/11/2020 15:10:23
4.4.2 The staff responsible for managing requests meet regularly to discuss any issues and investigate, prioritise or escalate any delayed cases.20/11/2020 15:10:2220/11/2020 15:10:22
4.4.1 You action all requests within statutory timescales.20/11/2020 15:10:2220/11/2020 15:10:22
4.3.4 You have records of your organisation's request responses, and any information disclosed to, or withheld from, individuals.20/11/2020 15:10:2220/11/2020 15:10:22
4.3.3 A checklist records the key stages in the request handling process, eg which systems or departments have been searched. This is either part of the log or a separate document.20/11/2020 15:10:2220/11/2020 15:10:22
4.3.2 The log shows the due date for requests, the actual date of the final response and the action taken.20/11/2020 15:10:2220/11/2020 15:10:22
4.3.1 You have processes in place to make sure that the log is accurate and updated as appropriate.20/11/2020 15:10:2220/11/2020 15:10:22
4.2.5 Your organisation can deal with any increase in requests or reduction in staffing levels.20/11/2020 15:10:2220/11/2020 15:10:22
4.2.4 If a staff member is absent, other staff are trained to carry out key tasks.20/11/2020 15:10:2220/11/2020 15:10:22
4.2.3 You have sufficient resources to deal with requests.20/11/2020 15:10:2220/11/2020 15:10:22
4.2.2 Staff receive specialised training to handle requests, including regular refresher training.20/11/2020 15:10:2220/11/2020 15:10:22
4.2.1 A specific person/s or team are responsible for managing and responding to requests.20/11/2020 15:10:2220/11/2020 15:10:22
4.1.3 All staff receive training and guidance about how to recognise requests and where to send them.20/11/2020 15:10:2220/11/2020 15:10:22
4.1.2 Your policies and procedures set out processes for dealing with requests from individuals about their rights.20/11/2020 15:10:2220/11/2020 15:10:22
4.1.1 You give individuals clear and relevant information about their rights and how to exercise them.20/11/2020 15:10:2220/11/2020 15:10:22
3.5.2 You make it easy for staff to access relevant material, and find out who to contact if they have any queries relating to data protection and information governance.20/11/2020 15:10:2120/11/2020 15:10:21
3.5.1 Your organisation regularly uses a variety of appropriate methods to raise staff awareness and the profile of data protection and information governance, for example by emails, team briefings and meetings, posters, handouts, and blogs.20/11/2020 15:10:2120/11/2020 15:10:21
3.4.4 staff are able to provide feedback on the training they receive.20/11/2020 15:10:2120/11/2020 15:10:21
3.4.3 You monitor training completion in line with organisationl requirements at all levels of the organisation, and you follow up with staff who do not complete the training.20/11/2020 15:10:2120/11/2020 15:10:21
3.4.2 You keep copies of the training material provided on record as well as details of who receives the training.20/11/2020 15:10:2120/11/2020 15:10:21
3.4.1 You conduct an assessment at the end of the training to test staff understanding and make sure that it is effective, which could include a minimum pass mark.20/11/2020 15:10:2120/11/2020 15:10:21
3.3.4 You keep on record copies of the training material provided as well as details of who receives the training.20/11/2020 15:10:2120/11/2020 15:10:21
3.3.3 You have evidence to confirm that key roles complete up-to-date and appropriate specialised training and professional development, and they receive proportionate refresher training.20/11/2020 15:10:2120/11/2020 15:10:21
3.3.2 You set out training and skills requirements in job descriptions.20/11/2020 15:10:2120/11/2020 15:10:21
3.3.1 You complete a training needs analysis for data protection and information governance staff to inform the training plan and to make sure it is specific to the individual's responsibilities.20/11/2020 15:10:2120/11/2020 15:10:21
3.2.4 Your staff complete refresher training at appropriate intervals.20/11/2020 15:10:2120/11/2020 15:10:21
3.2.3 Your staff receive induction training prior to accessing personal data and within one month of their start date.20/11/2020 15:10:2120/11/2020 15:10:21
3.2.2 All staff receive induction and refresher training, regardless of how long they will be working for your organisation, their contractual status, or grade.20/11/2020 15:10:2120/11/2020 15:10:21
3.2.1 Appropriate staff, such as the DPO or an information governance manager, oversee or approve induction training.20/11/2020 15:10:2020/11/2020 15:10:20
3.1.7 Senior management sign off your programme.20/11/2020 15:10:2020/11/2020 15:10:20
3.1.6 You regularly review your programme to make sure that it remains accurate and up-to-date.20/11/2020 15:10:2020/11/2020 15:10:20
3.1.5 You have dedicated and trained resources available to deliver training to all staff.20/11/2020 15:10:2020/11/2020 15:10:20
3.1.4 You assign responsibilities for managing data protection and information governance training across your organisation and you have training plans or strategies in place to meet training needs within agreed time-scales.20/11/2020 15:10:2020/11/2020 15:10:20
3.1.3 You consider the training needs of all staff and use this information to compile the training programme.20/11/2020 15:10:2020/11/2020 15:10:20
3.1.2 The programme is comprehensive and includes training for all staff on key areas of data protection such as handling requests, data sharing, information security, personal data breaches and records management.20/11/2020 15:10:2020/11/2020 15:10:20
3.1.1 The programme incorporates national and sector-specific requirements.20/11/2020 15:10:2020/11/2020 15:10:20
2.4.4 The personal data of vulnerable groups, eg children, is given extra protection in policies and procedures.20/11/2020 15:10:2020/11/2020 15:10:20
2.4.3 Your organisation's approach to implementing the data protection principles and safeguarding individuals' rights, such as data minimisation, pseudonymisation and purpose limitation, is set out in policies and procedures.20/11/2020 15:10:2020/11/2020 15:10:20
2.4.2 You have policies and procedures to make sure that data protection issues are considered when systems, services, products and business practices involving personal data are designed and implemented, and that personal data is protected by default.20/11/2020 15:10:2020/11/2020 15:10:20
2.4.1 Where relevant, you consider policies and procedures across your organisation with data protection in mind.20/11/2020 15:10:2020/11/2020 15:10:20
2.3.4 Guidelines, posters or publications help to emphasise key messages and raise staff awareness of policies and procedures.20/11/2020 15:10:2020/11/2020 15:10:20
2.3.3 You make policies and procedures readily available for all staff on your organisation's intranet site (or equivalent shared area) or provide them in other ways that are easy to access.20/11/2020 15:10:2020/11/2020 15:10:20
2.3.2 You tell staff about updated policies and procedures.20/11/2020 15:10:2020/11/2020 15:10:20
2.3.1 Your staff read and understand the policies and procedures, including why they are important to implement and comply with.20/11/2020 15:10:1920/11/2020 15:10:19
2.2.5 All policies, procedures and guidelines show document control information, including version number, owner, review date and change history.20/11/2020 15:10:1920/11/2020 15:10:19
2.2.4 You update policies and procedures without undue delay when they require changes, eg because of operational change, court or regulatory decisions, or changes in regulatory guidance.20/11/2020 15:10:1920/11/2020 15:10:19
2.2.3 Existing policies and procedures are reviewed in line with documented review dates, are up-to-date and fit for purpose.20/11/2020 15:10:1920/11/2020 15:10:19
2.2.2 An appropriately senior staff member reviews and approves all new and existing policies and procedures.20/11/2020 15:10:1920/11/2020 15:10:19
2.2.1 All policies and procedures follow an agreed format and style.20/11/2020 15:10:1920/11/2020 15:10:19
2.1.4 Policies and procedures clearly outline roles and responsibilities.20/11/2020 15:10:1920/11/2020 15:10:19
2.1.3 You make operational procedures, guidance and manuals readily available to support data protection policies and provide direction to operational staff.20/11/2020 15:10:1920/11/2020 15:10:19
2.1.2 Policies cover data protection, records management and information security.20/11/2020 15:10:1920/11/2020 15:10:19
2.1.1 The policy framework stems from strategic business planning for data protection and information governance, which the highest management level endorses.20/11/2020 15:10:1920/11/2020 15:10:19
1.6.4 Any data protection and information governance issues and risks that arise are reported to the oversight group.20/11/2020 15:10:1920/11/2020 15:10:19
1.6.3 The agenda shows the groups discuss appropriate data protection and information governance issues regularly.20/11/2020 15:10:1920/11/2020 15:10:19
1.6.2 The groups produce minutes of the meetings and action plans.20/11/2020 15:10:1920/11/2020 15:10:19
1.6.1 The groups meet and are attended by relevant staff regularly.20/11/2020 15:10:1920/11/2020 15:10:19
1.5.7 The board, or highest management level, considers data protection and information governance issues and risks reported by the oversight group.20/11/2020 15:10:1920/11/2020 15:10:19
1.5.6 The group has a work or action plan that is monitored regularly.20/11/2020 15:10:1820/11/2020 15:10:18
1.5.5 The group covers a full range of data protection related topics including Key Performance Indicators (KPIs), issues and risks.20/11/2020 15:10:1820/11/2020 15:10:18
1.5.4 The group's meeting minutes record what takes place.20/11/2020 15:10:1820/11/2020 15:10:18
1.5.3 Clear terms of reference set out the group's aims.20/11/2020 15:10:1820/11/2020 15:10:18
1.5.2 An appropriately senior staff member chairs the group, eg the DPO or senior information risk owner (SIRO).20/11/2020 15:10:1820/11/2020 15:10:18
1.5.1 Key staff, eg the DPO, regularly attend the oversight group meetings.20/11/2020 15:10:1820/11/2020 15:10:18
1.4.4 Data protection and information governance staff have the authority, support and resources to carry out their responsibilities effectively.20/11/2020 15:10:1820/11/2020 15:10:18
1.4.3 A network of support or nominated data protection leads help implement and maintain data protection policies at a local level.20/11/2020 15:10:1820/11/2020 15:10:18
1.4.2 Your staff manage all records effectively and they keep information secure.20/11/2020 15:10:1820/11/2020 15:10:18
1.4.1 Data protection and information governance staff have clear responsibilities for making sure that your organisation is data protection compliant.20/11/2020 15:10:1820/11/2020 15:10:18
1.3.6 The DPO provides regular updates to senior management about data protection compliance.20/11/2020 15:10:1820/11/2020 15:10:18
1.3.5 The DPO directly advises senior decision-makers and raises concerns with the highest management level.20/11/2020 15:10:1820/11/2020 15:10:18
1.3.4 The DPO performs their tasks independenly, without any conflicts of interest, and does not take any direct operational decisions about the manner and purposes of processing personal data within your organisation.20/11/2020 15:10:1820/11/2020 15:10:18
1.3.3 Your organisation follows the DPO’s advice and takes account of their knowledge about data protection obligations.20/11/2020 15:10:1820/11/2020 15:10:18
1.3.2 All data protection issues involve the DPO in a timely manner.20/11/2020 15:10:1820/11/2020 15:10:18
1.3.1 Staff know who the DPO is, what their role is and how to contact them.20/11/2020 15:10:1720/11/2020 15:10:17
1.2.5 If your organisation is not required to appoint a DPO, you appropriately assign responsibility for data protection compliance and you have enough staff and resources to manage your obligations under data protection law.20/11/2020 15:10:1720/11/2020 15:10:17
1.2.4 If your organisation is not required to appoint a DPO, you record the decision.20/11/2020 15:10:1720/11/2020 15:10:17
1.2.3 The DPO has the authority, support and resources to do their job effectively.20/11/2020 15:10:1720/11/2020 15:10:17
1.2.2 The DPO has expert knowledge of data protection law and practices.20/11/2020 15:10:1720/11/2020 15:10:17
1.2.1 The DPO has specific responsibilities in line with Article 39 of the GDPR for data protection compliance, data protection policies, awareness raising, training, and audits.20/11/2020 15:10:1720/11/2020 15:10:17
1.1.7 Data Protection and information governance staff understand the organisational structure and their responsibilities. | 20/11/2020 15:10:17 | 20/11/2020 15:10:17
1.1.6 Job descriptions are up-to-date, fit for purpose and are reviewed regularly. | 20/11/2020 15:10:17 | 20/11/2020 15:10:17
1.1.5 Job descriptions clearly set out responsibilities and reporting lines to management. | 20/11/2020 15:10:17 | 20/11/2020 15:10:17
1.1.4 Policies clearly set out the organisational structure for managing data protection and information governance. | 20/11/2020 15:10:17 | 20/11/2020 15:10:17
1.1.3 You have clear reporting lines and information flows between relevant groups, such as from a management board to an audit committee, or from an executive team to an information governance steering group. | 20/11/2020 15:10:17 | 20/11/2020 15:10:17
1.1.2 Decision-makers lead by example and promote a proactive, positive culture of data protection compliance. | 20/11/2020 15:10:17 | 20/11/2020 15:10:17
1.1.1 The board, or highest senior management level, has overall responsibility for data protection and information governance. | 20/11/2020 15:10:17 | 20/11/2020 15:10:17
10.8.3 Data protection and information governance KPIs and the outcomes of monitoring and reviews are discussed regularly by groups at operational level, for example in team meetings. | 19/11/2020 18:19:39 | 19/11/2020 18:19:39
10.8.2 The group(s) providing oversight of data protection and information governance regularly discuss KPIs and the outcomes of monitoring and reviews. | 19/11/2020 18:19:39 | 19/11/2020 18:19:39
10.8.1 You have a dashboard giving a high-level summary of all key data protection and information governance KPIs. | 19/11/2020 18:19:38 | 19/11/2020 18:19:38
10.7.4 You have KPIs regarding records management, including the use of metrics such as file retrieval statistics, adherence to disposal schedules, and the performance of the system in place to index and track paper files containing personal data. | 19/11/2020 18:19:38 | 19/11/2020 18:19:38
10.7.3 You have KPIs regarding information security, including the number of security breaches, incidents and near misses. | 19/11/2020 18:19:38 | 19/11/2020 18:19:38
10.7.2 You have KPIs regarding the completion of data protection and information governance training, including a report showing the percentage of staff who complete the training. | 19/11/2020 18:19:38 | 19/11/2020 18:19:38
10.7.1 You have Key Performance Indicators (KPIs) regarding SAR performance (the volume of requests and the percentage completed within statutory timescales). | 19/11/2020 18:19:38 | 19/11/2020 18:19:38
10.6.7 You have a central action plan in place to take forward the outputs from data protection and information governance audits. | 19/11/2020 18:19:38 | 19/11/2020 18:19:38
10.6.6 You produce audit reports to document the findings. | 19/11/2020 18:19:38 | 19/11/2020 18:19:38
10.6.5 There is a central audit plan/schedule in place to show the planning of data protection and information governance internal audits. | 19/11/2020 18:19:38 | 19/11/2020 18:19:38
10.6.4 You make sure that your monitoring of policy compliance is unbiased by keeping it separate from those who implement the policies. | 19/11/2020 18:19:37 | 19/11/2020 18:19:37
10.6.3 You routinely conduct informal, ad-hoc monitoring and spot checks. | 19/11/2020 18:19:37 | 19/11/2020 18:19:37
10.6.2 Your organisation regularly tests staff adherence to data protection and information governance policies and procedures. | 19/11/2020 18:19:37 | 19/11/2020 18:19:37
10.6.1 You monitor your own data protection compliance and you regularly test the effectiveness of the measures you have in place. | 19/11/2020 18:19:37 | 19/11/2020 18:19:37
10.5.5 You have a central action plan in place to take forward the outputs from data protection and information governance audits. | 19/11/2020 18:19:37 | 19/11/2020 18:19:37
10.5.4 You produce audit reports to document the findings. | 19/11/2020 18:19:37 | 19/11/2020 18:19:37
10.5.3 Your organisation adheres to an appropriate code of conduct or practice for your sector (if one exists). | 19/11/2020 18:19:37 | 19/11/2020 18:19:37
10.5.2 Your organisation is subject to or employs the services of an external auditor to provide independent assurances (or certification) on data protection and information security compliance. | 19/11/2020 18:19:36 | 19/11/2020 18:19:36
10.5.1 Your organisation completes externally-provided self-assessment tools to provide assurances on compliance with data protection and information security requirements. | 19/11/2020 18:19:36 | 19/11/2020 18:19:36
10.4.4 Groups with oversight for data protection and information governance review the outputs. | 19/11/2020 18:19:36 | 19/11/2020 18:19:36
10.4.3 You undertake trend analysis on breach reports over time to understand themes or issues, and outputs are reviewed by groups with oversight for data protection and information governance. | 19/11/2020 18:19:36 | 19/11/2020 18:19:36
10.4.2 Your organisation monitors the type, volume and cost of incidents. | 19/11/2020 18:19:36 | 19/11/2020 18:19:36
10.4.1 You analyse all personal data breach reports to prevent a recurrence. | 19/11/2020 18:19:36 | 19/11/2020 18:19:36
10.3.4 You provide individuals with advice to protect themselves from any effects of the breach. | 19/11/2020 18:19:36 | 19/11/2020 18:19:36
10.3.3 The information you provide to individuals includes the DPO's details, a description of the likely consequences of the breach and the measures taken (including mitigating actions and any possible adverse effects). | 19/11/2020 18:19:35 | 19/11/2020 18:19:35
10.3.2 You tell individuals about personal data breaches in clear, plain language without undue delay. | 19/11/2020 18:19:35 | 19/11/2020 18:19:35
10.3.1 You have a procedure setting out how you will tell affected individuals about a breach when it is likely to result in a high risk to their rights and freedoms. | 19/11/2020 18:19:35 | 19/11/2020 18:19:35
10.2.4 If you consider it unnecessary to report a breach, you document the reasons why your organisation considers the breach is unlikely to result in a risk to the rights and freedoms of individuals. | 19/11/2020 18:19:35 | 19/11/2020 18:19:35
10.2.3 The procedure includes details of what information must be given to the ICO about the breach. | 19/11/2020 18:19:35 | 19/11/2020 18:19:35
10.2.2 You have a procedure to notify the ICO of a breach within 72 hours of becoming aware of it (even when all the information is not yet available) and you notify the ICO on time. | 19/11/2020 18:19:35 | 19/11/2020 18:19:35
10.2.1 You have a procedure to assess the likelihood and severity of the risk to individuals as a result of a personal data breach. | 19/11/2020 18:19:35 | 19/11/2020 18:19:35
10.1.7 The log documents the facts relating to the near miss or breach including: its causes; what happened; the personal data affected; the effects of the breach; and any remedial action taken and the rationale for it. | 19/11/2020 18:19:35 | 19/11/2020 18:19:35
10.1.6 You centrally log/record/document both actual breaches and near misses (even if they do not need to be reported to the ICO or individuals). | 19/11/2020 18:19:35 | 19/11/2020 18:19:35
10.1.5 Your organisation has a response plan for promptly addressing any security incidents and personal data breaches that occur. | 19/11/2020 18:19:34 | 19/11/2020 18:19:34
10.1.4 Procedures and systems facilitate the reporting of security incidents and breaches. | 19/11/2020 18:19:34 | 19/11/2020 18:19:34
10.1.3 Staff know how to escalate a security incident promptly to the appropriate person or team to determine whether a breach has occurred. | 19/11/2020 18:19:34 | 19/11/2020 18:19:34
10.1.2 A dedicated person or team manages security incidents and personal data breaches. | 19/11/2020 18:19:34 | 19/11/2020 18:19:34
10.1.1 You have appropriate training in place so that staff are able to recognise a security incident and a personal data breach. | 19/11/2020 18:19:34 | 19/11/2020 18:19:34
9.13.4 You regularly test back-ups and recovery processes to make sure that they remain fit for purpose. | 19/11/2020 18:19:34 | 19/11/2020 18:19:34
9.13.3 The frequency of backups reflects the sensitivity and importance of the data. | 19/11/2020 18:19:34 | 19/11/2020 18:19:34
9.12.2 You take back-up copies of electronic information, software and systems (and ideally store them off-site). | 19/11/2020 18:19:33 | 19/11/2020 18:19:33
9.12.1 You have a risk-based business continuity plan to manage disruption and a disaster recovery plan to manage disasters, which identify records that are critical to the continued functioning of the organisation. | 19/11/2020 18:19:33 | 19/11/2020 18:19:33
9.11.8 You operate a 'clear screen' policy across your organisation where personal data is processed. | 19/11/2020 18:19:33 | 19/11/2020 18:19:33
9.11.7 You have regular clear desk 'sweeps' or checks, and issues are fed back appropriately. | 19/11/2020 18:19:33 | 19/11/2020 18:19:33
9.11.6 You operate a clear desk policy across the organisation where personal data is processed. | 19/11/2020 18:19:33 | 19/11/2020 18:19:33
9.11.5 You store paper records securely and control access to them. | 19/11/2020 18:19:33 | 19/11/2020 18:19:33
9.11.4 Office equipment is appropriately placed and protected to reduce the risks from environmental threats and opportunities for unauthorised access. | 19/11/2020 18:19:33 | 19/11/2020 18:19:33
9.11.3 You implement additional protection against external and environmental threats in secure areas such as server rooms. | 19/11/2020 18:19:32 | 19/11/2020 18:19:32
9.11.2 You have visitor protocols in place such as signing-in procedures, name badges and escorted access. | 19/11/2020 18:19:32 | 19/11/2020 18:19:32
9.11.1 You protect secure areas (areas that contain either sensitive or critical information) by appropriate entry controls such as doors and locks, alarms, security lighting or CCTV. | 19/11/2020 18:19:32 | 19/11/2020 18:19:32
9.10.6 You do not allow equipment, information or software to be taken off-site without prior authorisation, and you have a log of all mobile devices and removable media used and who they are allocated to. | 19/11/2020 18:19:32 | 19/11/2020 18:19:32
9.10.5 Where you have a business need to store personal data on removable media, you minimise personal data and your organisation implements a software solution that can set permissions or restrictions for individual devices, as well as an entire class of devices. | 19/11/2020 18:19:32 | 19/11/2020 18:19:32
9.10.4 Your organisation uses the most up-to-date version of its remote access solution. You are able to support and update devices remotely. | 19/11/2020 18:19:32 | 19/11/2020 18:19:32
9.10.3 You implement security measures to protect information processed when home or remote working, for example VPN and two-factor authentication. | 19/11/2020 18:19:32 | 19/11/2020 18:19:32
9.10.2 You have protections in place to avoid the unauthorised access to, or disclosure of, the information processed by mobile devices, for example encryption and remote wiping capabilities. | 19/11/2020 18:19:32 | 19/11/2020 18:19:32
9.10.1 You have a mobile device and a home/remote working policy that demonstrates how your organisation will manage the associated security risks. | 19/11/2020 18:19:32 | 19/11/2020 18:19:32
9.9.14 You establish special controls to safeguard the confidentiality and integrity of data passing over public networks or over wireless networks and to protect the connected systems and applications. | 19/11/2020 18:19:31 | 19/11/2020 18:19:31
9.9.13 You do not have unsupported operating systems in use, for example Windows XP, Windows Server 2003. | 19/11/2020 18:19:31 | 19/11/2020 18:19:31
9.9.12 You have external and internal firewalls and intrusion detection systems in place as appropriate, to make sure that the information in networks and systems is protected from unauthorised access or attack, for example denial of service attacks. | 19/11/2020 18:19:31 | 19/11/2020 18:19:31
9.9.11 You strictly control or prohibit the use of social media, or messaging apps such as WhatsApp, to share personal data. | 19/11/2020 18:19:31 | 19/11/2020 18:19:31
9.9.10 You deploy URL or web content filtering to block specific websites or entire categories. | 19/11/2020 18:19:31 | 19/11/2020 18:19:31
9.9.9 You regularly run vulnerability scans. | 19/11/2020 18:19:31 | 19/11/2020 18:19:31
9.9.8 Your organisation has access to and acts upon any updates on technical vulnerabilities to systems or software, for example vendor alerts or patches. | 19/11/2020 18:19:31 | 19/11/2020 18:19:31
9.9.7 Anti-malware and anti-virus protection is kept up-to-date and you configure it to perform regular scans. | 19/11/2020 18:19:31 | 19/11/2020 18:19:31
9.9.6 You implement anti-malware and anti-virus (AV) protection across the network and on critical or sensitive information systems if appropriate. | 19/11/2020 18:19:31 | 19/11/2020 18:19:31
9.9.5 You log and monitor user and system activity to detect anything unusual. | 19/11/2020 18:19:30 | 19/11/2020 18:19:30
9.9.4 Email content and attachment security solutions (encryption) appropriately protect emails containing sensitive personal data. | 19/11/2020 18:19:30 | 19/11/2020 18:19:30
9.9.3 You have password management controls in place, including default password changing, controlled use of any shared passwords and secure password storage (not in plain text). | 19/11/2020 18:19:30 | 19/11/2020 18:19:30
9.9.2 You apply minimum password complexity rules and limited log-on attempts to systems or applications processing personal data. | 19/11/2020 18:19:30 | 19/11/2020 18:19:30
9.9.1 You restrict access to systems or applications processing personal data to the absolute minimum in accordance with the principle of least privilege (for example read/write/delete/execute access rules are applied). | 19/11/2020 18:19:30 | 19/11/2020 18:19:30
9.8.5 You regularly review users' access rights and adjust or remove rights where appropriate, for example when an employee changes role or leaves the organisation. | 19/11/2020 18:19:30 | 19/11/2020 18:19:30
9.8.4 You keep a log of user access to systems holding personal data. | 19/11/2020 18:19:30 | 19/11/2020 18:19:30
9.8.3 You restrict and control the allocation and use of privileged access rights. | 19/11/2020 18:19:29 | 19/11/2020 18:19:29
9.8.2 You implement a formal user access provisioning procedure to assign access rights for staff (including temporary staff) and third party contractors to all relevant systems and services required to fulfil their role, for example a 'new starter process'. | 19/11/2020 18:19:29 | 19/11/2020 18:19:29
9.8.1 You have an Access Control policy which specifies that users must follow your organisation's practices in the use of secret authentication information, for example passwords or tokens. | 19/11/2020 18:19:29 | 19/11/2020 18:19:29
9.7.3 Your organisation monitors compliance with Acceptable Use rules and makes sure that staff are aware of any monitoring. | 19/11/2020 18:19:29 | 19/11/2020 18:19:29
9.7.2 You have system operating procedures which document the security arrangements and measures in place to protect the data held within systems or applications. | 19/11/2020 18:19:29 | 19/11/2020 18:19:29
9.7.1 You have Acceptable Use or terms and conditions of use procedures in place. | 19/11/2020 18:19:29 | 19/11/2020 18:19:29
9.6.3 You periodically risk-assess assets within the register and you carry out physical checks to make sure that the hardware asset inventory remains accurate. | 19/11/2020 18:19:29 | 19/11/2020 18:19:29
9.6.2 You review the register periodically to make sure it remains up-to-date and accurate. | 19/11/2020 18:19:29 | 19/11/2020 18:19:29
9.6.1 Your organisation has an asset register that holds details of all information assets (software and hardware) including: asset owners; asset location; retention periods; and security measures deployed. | 19/11/2020 18:19:29 | 19/11/2020 18:19:29
9.5.5 You have a log of all equipment and confidential waste sent for disposal or destruction. | 19/11/2020 18:19:28 | 19/11/2020 18:19:28
9.5.4 You have appropriate contracts in place with third parties to dispose of personal data, and they provide you with appropriate assurance that they have disposed of the data securely, for example through audit checks and destruction certificates. | 19/11/2020 18:19:28 | 19/11/2020 18:19:28
9.5.3 You either hold, collect or send away securely confidential waste awaiting destruction. | 19/11/2020 18:19:28 | 19/11/2020 18:19:28
9.5.2 For information held on electronic devices, wiping, degaussing or secure destruction of hardware (shredding) is in place. | 19/11/2020 18:19:28 | 19/11/2020 18:19:28
9.5.1 For paper documents, you use locked waste bins for records containing personal data, and either in-house or third party cross shredding or incineration is in place. | 19/11/2020 18:19:28 | 19/11/2020 18:19:28
9.4.4 You regularly review retained data to identify opportunities for minimisation, pseudonymisation, or anonymisation, and you document this in the schedule. | 19/11/2020 18:19:28 | 19/11/2020 18:19:28
9.4.3 You assign responsibilities to make sure that staff adhere to the schedule and you review it regularly. | 19/11/2020 18:19:28 | 19/11/2020 18:19:28
9.4.2 The schedule provides sufficient information to identify all records and to implement disposal decisions in line with the schedule. | 19/11/2020 18:19:27 | 19/11/2020 18:19:27
9.4.1 You have a retention schedule based on business need with reference to statutory requirements and other principles (for example the National Archives). | 19/11/2020 18:19:27 | 19/11/2020 18:19:27
9.3.3 Records containing personal data (whether 'active' or archived) are 'weeded' periodically to reduce the risks of inaccuracies and excessive retention. | 19/11/2020 18:19:27 | 19/11/2020 18:19:27
9.3.2 You make staff aware of data quality issues following data quality checks or audits to prevent recurrence. | 19/11/2020 18:19:27 | 19/11/2020 18:19:27
9.3.1 You conduct regular data quality reviews of records containing personal data to make sure they are accurate, adequate and not excessive. | 19/11/2020 18:19:27 | 19/11/2020 18:19:27
9.2.4 You have agreements in place with any third parties used to transfer business information between your organisation and third parties. | 19/11/2020 18:19:27 | 19/11/2020 18:19:27
9.2.3 When you transfer data off site, you use an appropriate form of transport (for example, secure courier, encryption, secure file transfer protocol (SFTP) or Virtual Private Network (VPN)), and you check to make sure that the information has been received. | 19/11/2020 18:19:27 | 19/11/2020 18:19:27
9.2.2 You minimise data transferred off-site and keep it secure in transit. | 19/11/2020 18:19:27 | 19/11/2020 18:19:27
9.2.1 You document rules to protect the internal and external transfer of records by post, fax and electronically, for example in a transfer policy or guidance. | 19/11/2020 18:19:27 | 19/11/2020 18:19:27
9.1.4 You index records stored off-site with unique references to enable accurate retrieval and subsequent tracking. | 19/11/2020 18:19:26 | 19/11/2020 18:19:26
9.1.3 You know the whereabouts of records at all times, you track their movements, and you attempt to trace records that are missing or not returned. | 19/11/2020 18:19:26 | 19/11/2020 18:19:26
9.1.2 You identify where you use manual and electronic record-keeping systems and maintain a central log or information asset register. | 19/11/2020 18:19:26 | 19/11/2020 18:19:26
9.1.1 You have policies and procedures to make sure that you appropriately classify, title and index new records in a way that facilitates management, retrieval and disposal. | 19/11/2020 18:19:26 | 19/11/2020 18:19:26
8.5.6 You agree and document a schedule for reviewing the DPIA regularly or when the nature, scope, context or purposes of the processing change. | 19/11/2020 18:19:26 | 19/11/2020 18:19:26
8.5.5 You consider actively publishing DPIAs where possible, removing sensitive details if necessary. | 19/11/2020 18:19:26 | 19/11/2020 18:19:26
8.5.4 You have a procedure to communicate the outcomes of DPIAs to appropriate stakeholders, eg through a formal summarised report. | 19/11/2020 18:19:26 | 19/11/2020 18:19:26
8.5.3 You do not start high risk processing until mitigating measures are in place following the DPIA. | 19/11/2020 18:19:26 | 19/11/2020 18:19:26
8.5.2 You integrate outcomes from DPIAs into relevant work plans, project action plans and risk registers. | 19/11/2020 18:19:26 | 19/11/2020 18:19:26
8.5.1 You have a procedure to consult the ICO if you cannot mitigate residual high risks. | 19/11/2020 18:19:25 | 19/11/2020 18:19:25
8.4.7 Appropriate people sign off DPIAs, such as a project lead or senior manager. | 19/11/2020 18:19:25 | 19/11/2020 18:19:25
8.4.6 You record your DPO's advice and recommendations, and the details of any other consultations. | 19/11/2020 18:19:25 | 19/11/2020 18:19:25
8.4.5 You have a documented process, with appropriate document controls, that you review periodically to make sure that it remains up-to-date. | 19/11/2020 18:19:25 | 19/11/2020 18:19:25
8.4.4 DPIAs identify measures that can be put in place to eliminate, mitigate or reduce high risks. | 19/11/2020 18:19:25 | 19/11/2020 18:19:25
8.4.3 DPIAs clearly set out the relationships and data flows between controllers, processors, data subjects and systems. | 19/11/2020 18:19:25 | 19/11/2020 18:19:25
8.4.2 DPIAs include: the nature, scope, context and purposes of the processing; assess necessity, proportionality and compliance measures; identify and assess risks to individuals; and identify any additional measures to mitigate those risks. | 19/11/2020 18:19:25 | 19/11/2020 18:19:25
8.4.1 Your organisation has a standard, well-structured DPIA template which is written in plain English. | 19/11/2020 18:19:25 | 19/11/2020 18:19:25
8.3.7 You assign responsibility for completing DPIAs to a member of staff who has enough authority over a project to effect change, eg a project lead or manager. | 19/11/2020 18:19:25 | 19/11/2020 18:19:25
8.3.6 Staff training includes the need to consider a DPIA at the early stages of any plan involving personal data, and where relevant, you train staff in how to carry out a DPIA. | 19/11/2020 18:19:24 | 19/11/2020 18:19:24
8.3.5 Your procedure includes consultation with controllers, data processors, individuals, their representatives and any other relevant stakeholders as appropriate. | 19/11/2020 18:19:24 | 19/11/2020 18:19:24
8.3.4 Your procedure includes the requirement to seek advice from the DPO and other internal staff as appropriate. | 19/11/2020 18:19:24 | 19/11/2020 18:19:24
8.3.3 If the screening checklist indicates that you do not need a DPIA, you document this. | 19/11/2020 18:19:24 | 19/11/2020 18:19:24
8.3.2 You have a screening checklist to consider if you need a DPIA, including all the relevant considerations on the scope, type and manner of the proposed processing. | 19/11/2020 18:19:24 | 19/11/2020 18:19:24
8.3.1 You have a DPIA policy which includes: clear procedures to decide whether you conduct a DPIA; what the DPIA should cover; who will authorise it; and how you will incorporate it into the overall planning. | 19/11/2020 18:19:24 | 19/11/2020 18:19:24
8.2.3 You anticipate risks and privacy-invasive events before they occur, making sure that at the initial design phase of any system, product or process and throughout, you consider the: intended processing activities; risks that these may pose to the rights and freedoms of individuals; and possible measures available to mitigate the risks. | 19/11/2020 18:19:24 | 19/11/2020 18:19:24
8.2.2 Your procedures state that, if required, a DPIA should begin at the project's outset, before processing starts, and that the DPIA must run alongside the planning and development process. | 19/11/2020 18:19:24 | 19/11/2020 18:19:24
8.2.1 You reference DPIA requirements in all risk, project and change management policies and procedures, with links to DPIA policies and procedures. | 19/11/2020 18:19:23 | 19/11/2020 18:19:23
8.1.6 You put measures in place to mitigate the risks identified within risk categories and you test these regularly to make sure that they remain effective. | 19/11/2020 18:19:23 | 19/11/2020 18:19:23
8.1.5 If you identify information risks, you have appropriate action plans, progress reports and a consideration of the lessons learnt to avoid future risk. | 19/11/2020 18:19:23 | 19/11/2020 18:19:23
8.1.4 You have formal procedures to identify, record and manage risks associated with information assets in an information asset register. | 19/11/2020 18:19:23 | 19/11/2020 18:19:23
8.1.3 You identify and manage information risks in an appropriate risk register, which includes clear links between corporate and departmental risk registers and the risk assessment of information assets. | 19/11/2020 18:19:23 | 19/11/2020 18:19:23
8.1.2 You have a process to help staff report and escalate data protection and information governance concerns and risks to a central point, for example staff forums. | 19/11/2020 18:19:23 | 19/11/2020 18:19:23
8.1.1 An information risk policy (either a separate document or part of a wider corporate risk policy) sets out how your organisation and its data processors manage information risk, and how you monitor compliance with the information risk policy. | 19/11/2020 18:19:23 | 19/11/2020 18:19:23
7.9.2 When information is shared, it is pseudonymised or minimised wherever possible. You also consider anonymisation so that the information is no longer personal data. | 19/11/2020 18:19:23 | 19/11/2020 18:19:23
7.9.1 Your organisation only shares the personal data necessary to achieve its specific purpose. | 19/11/2020 18:19:22 | 19/11/2020 18:19:22
7.8.1 When third parties supply products or services to process personal data, you choose suppliers that design their products or services with data protection in mind. | 19/11/2020 18:19:22 | 19/11/2020 18:19:22
7.7.2 You carry out routine compliance checks, proportionate to the processing risks, to test that processors are complying with contractual agreements. | 19/11/2020 18:19:22 | 19/11/2020 18:19:22
7.7.1 Contracts include clauses to allow your organisation to conduct audits or checks, to confirm the processor is complying with all contractual terms and conditions. | 19/11/2020 18:19:22 | 19/11/2020 18:19:22
7.6.3 The due diligence process includes checks to confirm a potential processor will protect data subjects' rights. | 19/11/2020 18:19:22 | 19/11/2020 18:19:22
7.6.2 The due diligence process includes data security checks, eg site visits, system testing and audit requests. | 19/11/2020 18:19:22 | 19/11/2020 18:19:22
7.6.1 The procurement process builds in due diligence checks proportionate to the risk of the processing before you agree a contract with a processor. | 19/11/2020 18:19:22 | 19/11/2020 18:19:22
7.5.4 Clauses are included to make sure that the processor assists the controller in meeting its GDPR obligations regarding the security of processing, the notification of personal data breaches and DPIAs. | 19/11/2020 18:19:22 | 19/11/2020 18:19:22
7.5.3 The contract includes clauses to make sure that the processor either deletes or returns all personal data to the controller at the end of the contract. The processor must also delete existing personal data unless the law requires its storage. | 19/11/2020 18:19:22 | 19/11/2020 18:19:22
7.5.2 Contracts include the technical and organisational security measures the processor will adopt (including encryption, pseudonymisation, resilience of processing systems and backing up personal data in order to be able to reinstate the system). | 19/11/2020 18:19:22 | 19/11/2020 18:19:22
7.5.1 The contract or other legal act includes terms or clauses stating that the processor must: • only act on the controller's documented instructions, unless required by law to act without such instructions; • make sure that the people processing the data are subject to a duty of confidence; • help the controller respond to requests from individuals to exercise their rights; • submit to audits and inspections. | 19/11/2020 18:19:21 | 19/11/2020 18:19:21
7.4.7 If a processor uses a sub-processor to help with the processing it is doing on your behalf, they have written authorisation from your organisation and a written contract with that sub-processor. | 19/11/2020 18:19:21 | 19/11/2020 18:19:21
7.4.6 You review contracts periodically to make sure they remain up-to-date. | 19/11/2020 18:19:21 | 19/11/2020 18:19:21
7.4.5 You keep a record or log of all current processor contracts, which you update when processors change. | 19/11/2020 18:19:21 | 19/11/2020 18:19:21
7.4.3 An appropriate level of management approves the contracts and both parties sign. The level of management required for approval is proportionate to the value and risk of the contract. | 19/11/2020 18:19:21 | 19/11/2020 18:19:21
7.4.2 If using a processor, you assess the risk to individuals and make sure that these risks are mitigated effectively. | 19/11/2020 18:19:21 | 19/11/2020 18:19:21
7.4.1 You have written contracts with all processors. | 19/11/2020 18:19:21 | 19/11/2020 18:19:21
7.3.2 If a restricted transfer is not covered by an adequacy decision nor an appropriate safeguard, you consider whether it is covered by an exemption set out in Article 49 of the GDPR. | 19/11/2020 18:19:21 | 19/11/2020 18:19:21
7.3.1 You consider whether the restricted transfer is covered by an adequacy decision or by 'appropriate safeguards' listed in data protection law, such as contracts incorporating standard contractual data protection clauses adopted by the Commission or Binding Corporate Rules (BCRs). | 19/11/2020 18:19:21 | 19/11/2020 18:19:21
7.2.6 There is a central log of the current data sharing agreements. | 19/11/2020 18:19:20 | 19/11/2020 18:19:20
7.2.5 You have a regular review process to make sure that the information remains accurate and up-to-date, and to examine how the agreement is working. | 19/11/2020 18:19:20 | 19/11/2020 18:19:20
7.2.4 If your organisation is acting as a joint controller (within the meaning of Article 26 of the GDPR), you set out responsibilities under an arrangement or a data sharing agreement, and you provide appropriate privacy information to individuals. | 19/11/2020 18:19:20 | 19/11/2020 18:19:20
7.2.3 Where necessary, procedures and guidance covering each organisation's day-to-day operations support the agreements. | 19/11/2020 18:19:20 | 19/11/2020 18:19:20
7.2.2 The data sharing agreement includes details about: the parties' roles; the purpose of the data sharing; what is going to happen to the data at each stage; and sets standards (with a high privacy default for children). | 19/11/2020 18:19:20 | 19/11/2020 18:19:20
7.2.1 You agree data sharing agreements with all the relevant parties and senior management signs them off. | 19/11/2020 18:19:20 | 19/11/2020 18:19:20
7.1.4 Your organisation adequately trains all staff likely to make decisions about data sharing, and makes them aware of their responsibilities. You refresh this training appropriately. | 19/11/2020 18:19:20 | 19/11/2020 18:19:20
7.1.3 Your organisation has clear policies, procedures and guidance about data sharing, including who has the authority to make decisions about systematic data sharing or one-off disclosures, and when it is appropriate to do so. | 19/11/2020 18:19:20 | 19/11/2020 18:19:20
7.1.2 You document all sharing decisions for audit, monitoring and investigation purposes and you regularly review them. | 19/11/2020 18:19:20 | 19/11/2020 18:19:20
7.1.1 You have a review process, through a DPIA or similar exercise, to assess the legality, benefits and risks of the data sharing. | 19/11/2020 18:19:20 | 19/11/2020 18:19:20
6.10.5 You keep the LIA under review and refresh it if changes affect the outcome. | 19/11/2020 18:19:19 | 19/11/2020 18:19:19
6.10.4 You complete the LIA prior to the start of the processing. | 19/11/2020 18:19:19 | 19/11/2020 18:19:19
6.10.3 You clearly document the decision and the assessment. | 19/11/2020 18:19:19 | 19/11/2020 18:19:19
6.10.1 The LIA identifies the legitimate interest, the benefits of the processing and whether it is necessary. | 19/11/2020 18:19:19 | 19/11/2020 18:19:19
6.9.4 When providing online services to children, if the child is under 13, you have records of parental or guardian consent which are reviewed regularly, and you make reasonable efforts to verify that the person giving consent has parental or guardian responsibility. You give particular consideration when a child reaches the age of 13 and is able to provide their own consent. | 19/11/2020 18:19:19 | 19/11/2020 18:19:19
6.9.3 When providing online services to children, your organisation has risk-based age checking systems in place to establish age with a level of certainty that is appropriate based on the risks to children's rights and freedoms. | 19/11/2020 18:19:19 | 19/11/2020 18:19:19
6.9.2 You have a reasonable and effective procedure to determine whether the individual in question can provide their own consent, and if not, an effective way to gain and record parental or guardian consent. | 19/11/2020 18:19:19 | 19/11/2020 18:19:19
6.9.1 Your organisation makes reasonable efforts to check the age of those giving consent, particularly where the individual is a child. | 19/11/2020 18:19:19 | 19/11/2020 18:19:19
6.8.3 Your organisation uses privacy dashboards or other preference-management tools to help people manage their consent. | 19/11/2020 18:19:19 | 19/11/2020 18:19:19
6.8.2 Your organisation has a procedure to refresh consent at appropriate intervals. | 19/11/2020 18:19:19 | 19/11/2020 18:19:19
6.8.1 You have a procedure to review consents to check that the relationship, the processing and the purposes have not changed and to record any changes. | 19/11/2020 18:19:18 | 19/11/2020 18:19:18
6.7.3 You have evidence and examples of how consent is sought from individuals, for example online forms or notices, opt-in tick boxes, and paper-based forms. | 19/11/2020 18:19:18 | 19/11/2020 18:19:18
6.7.2 You have records of what an individual has consented to, including what they were told and when and how they consented. The records are thorough and easy for relevant staff to access, review and withdraw if required. | 19/11/2020 18:19:18 | 19/11/2020 18:19:18
6.6.3 If there is a genuine change in circumstances, or if your lawful basis must change due to a new and unanticipated purpose, you inform individuals in a timely manner and record the changes. | 19/11/2020 18:19:18 | 19/11/2020 18:19:18
6.6.2 You provide information in an easily understandable format. | 19/11/2020 18:19:18 | 19/11/2020 18:19:18
6.6.1 You make information about the purposes of the processing, your lawful basis and relevant conditions for processing any special category data or criminal offence data publicly available in your organisation's privacy notice(s). | 19/11/2020 18:19:18 | 19/11/2020 18:19:18
6.5.6 You identify the lawful basis before starting any new processing. | 19/11/2020 18:19:18 | 19/11/2020 18:19:18
6.5.5 Where Schedule 1 requires it, there is an appropriate policy document including: which Schedule 1 conditions you are relying on; what procedures you have in place to ensure compliance with the data protection principles; how special category or criminal offence data will be treated for retention and erasure purposes; a review date; and details of an individual assigned responsibility for the processing. | 19/11/2020 18:19:18 | 19/11/2020 18:19:18
6.5.4 In the case of special category or criminal offence data, you document consideration of the requirements of Article 9 or 10 of the GDPR and Schedule 1 of the DPA 2018 where relevant. | 19/11/2020 18:19:17 | 19/11/2020 18:19:17
6.5.3 If your organisation processes special category data or criminal offence data, you identify and document a lawful basis for general processing and an additional condition for processing this type of data (or in the case of criminal offence data only, you identify the official authority to process). | 19/11/2020 18:19:17 | 19/11/2020 18:19:17
6.5.2 You document the lawful basis (or bases) relied upon and the reasons why. | 19/11/2020 18:19:17 | 19/11/2020 18:19:17
6.5.1 Your organisation selects the most appropriate lawful basis (or bases) for each activity following a review of the processing purposes. | 19/11/2020 18:19:17 | 19/11/2020 18:19:17
6.4.1 The ROPA also includes, or links to documentation covering: • information required for privacy notices, such as the lawful basis for the processing and the source of the personal data; • records of consent; • controller-processor contracts; • the location of personal data; • DPIA reports; • records of personal data breaches; • information required for processing special category data or criminal conviction and offence data under the Data Protection Act 2018 (DPA 2018); and • retention and erasure policy documents. | 19/11/2020 18:19:17 | 19/11/2020 18:19:17
6.3.2 You have an internal record of all processing activities carried out by any processors on behalf of your organisation. | 19/11/2020 18:19:17 | 19/11/2020 18:19:17
6.3.1 The ROPA includes (as a minimum): •Your organisation's name and contact details, whether it is a controller or a processor (and where applicable, the joint controller, their representative and the DPO); •the purposes of the processing; •a description of the categories of individuals and personal data; •the categories of recipients of personal data; •details of transfers to third countries, including a record of the transfer mechanism safeguards in place; •retention schedules; and •a description of the technical and organisational security measures in place.19/11/2020 18:19:1719/11/2020 18:19:17
6.2.3 You regularly review the processing activities and types of data you process for data minimisation purposes.19/11/2020 18:19:1719/11/2020 18:19:17
6.2.2 Your organisation regularly reviews the record against processing activities, policies and procedures to make sure that it remains accurate and up-to-date, and you clearly assign responsibilities for doing this.19/11/2020 18:19:1719/11/2020 18:19:17
6.2.1 You record processing activities in electronic form so you can add, remove or amend information easily.19/11/2020 18:19:1719/11/2020 18:19:17
6.1.3 You consult staff across your organisation to make sure that there is an accurate picture of processing activities, for example by using questionnaires and staff surveys.19/11/2020 18:19:1719/11/2020 18:19:17
6.1.2 The data map is kept up-to-date and you clearly assign the responsibilities for maintaining and amending it.19/11/2020 18:19:1719/11/2020 18:19:17
6.1.1 Your organisation carries out Information audits (or data mapping exercises) to find out what personal data is held and to understand how the information flows through your organisation.19/11/2020 18:19:1619/11/2020 18:19:16
5.7.5 You implement appropriate measures to protect children using digital services. | Created: 19/11/2020 18:19:16 | Last modified: 19/11/2020 18:19:16
5.7.4 You help children to exercise their data protection rights, where relevant, in an easily accessible way that they understand. | Created: 19/11/2020 18:19:16 | Last modified: 19/11/2020 18:19:16
5.7.3 Your organisation offers strong privacy defaults and user-friendly options and controls. | Created: 19/11/2020 18:19:16 | Last modified: 19/11/2020 18:19:16
5.7.2 You provide individuals with tools, such as secure self-service systems, dashboards and just-in-time notices, so they can access, determine and manage how you use their personal data. | Created: 19/11/2020 18:19:16 | Last modified: 19/11/2020 18:19:16
5.7.1 Privacy policies are clear and easy for members of the public to access. | Created: 19/11/2020 18:19:16 | Last modified: 19/11/2020 18:19:16
5.6.5 If you plan to use personal data for a new purpose, you have a procedure to update the privacy information and communicate the changes to individuals before starting any new processing. | Created: 19/11/2020 18:19:16 | Last modified: 19/11/2020 18:19:16
5.6.4 You analyse complaints from the public about how you use personal data and, in particular, any complaints about how you explain that use. | Created: 19/11/2020 18:19:16 | Last modified: 19/11/2020 18:19:16
5.6.3 Your organisation carries out user-testing to evaluate how effective its privacy information is. | Created: 19/11/2020 18:19:16 | Last modified: 19/11/2020 18:19:16
5.6.2 You maintain a log of historical privacy notices, including the dates you made any changes, in order to allow a review of what privacy information was provided to individuals and when. | Created: 19/11/2020 18:19:16 | Last modified: 19/11/2020 18:19:16
5.6.1 You review privacy information against the records of processing activities, to make sure it remains up-to-date and that it actually explains what happens with individuals' personal data. | Created: 19/11/2020 18:19:15 | Last modified: 19/11/2020 18:19:15
5.5.3 Staff are aware of the various ways in which the organisation provides privacy information. | Created: 19/11/2020 18:19:15 | Last modified: 19/11/2020 18:19:15
5.5.2 Front-line staff receive more specialised or specific training. | Created: 19/11/2020 18:19:15 | Last modified: 19/11/2020 18:19:15
5.5.1 You arrange organisation-wide staff training about privacy information. | Created: 19/11/2020 18:19:15 | Last modified: 19/11/2020 18:19:15
5.4.4 If the decision is solely automated and has legal or similarly significant effects, your organisation explains the processing in a meaningful way that enables individuals to exercise their rights, including obtaining human intervention, expressing their point of view and contesting the decision. | Created: 19/11/2020 18:19:15 | Last modified: 19/11/2020 18:19:15
5.4.3 If the purpose is initially unclear, you give individuals an indication of what your organisation is going to do with their data, and you proactively update your privacy information as this becomes clearer. | Created: 19/11/2020 18:19:15 | Last modified: 19/11/2020 18:19:15
5.4.2 If the decision is solely automated and has legal or similarly significant effects, you tell individuals about the processing, including what information you are using, why, and what the impact is likely to be. | Created: 19/11/2020 18:19:15 | Last modified: 19/11/2020 18:19:15
5.4.1 You have procedures for individuals to access the personal data you use to create profiles, so they can review it for accuracy and edit it if needed. | Created: 19/11/2020 18:19:15 | Last modified: 19/11/2020 18:19:15
5.3.4 You take particular care to write privacy information for children in clear, plain language that is age-appropriate, and that explains the risks involved in the processing and what safeguards are in place. | Created: 19/11/2020 18:19:15 | Last modified: 19/11/2020 18:19:15
5.3.3 You write privacy information in clear and plain language that the intended audience can understand, and offer it in accessible formats if required. | Created: 19/11/2020 18:19:15 | Last modified: 19/11/2020 18:19:15
5.3.2 You provide privacy information to individuals in electronic and hard-copy form, using a combination of appropriate techniques, such as a layered approach, icons, and mobile and smart device functionalities. | Created: 19/11/2020 18:19:14 | Last modified: 19/11/2020 18:19:14
5.3.1 You proactively make individuals aware of privacy information and have a free, easy way to access it. | Created: 19/11/2020 18:19:14 | Last modified: 19/11/2020 18:19:14
5.2.2 If you obtain personal data from a source other than the individual it relates to, you provide privacy information to individuals within a reasonable period, and no later than one month after obtaining the data. | Created: 19/11/2020 18:19:14 | Last modified: 19/11/2020 18:19:14
5.2.1 Individuals receive privacy information when their personal data is collected (eg when they fill in a form) or by observation (eg when using CCTV or when people are tracked online). | Created: 19/11/2020 18:19:14 | Last modified: 19/11/2020 18:19:14
5.1.8 You provide individuals with privacy information about the source of the processed personal data if you don't obtain it from the individual concerned, eg if the data is from publicly accessible sources such as social media, the open electoral register and Companies House. | Created: 19/11/2020 18:19:14 | Last modified: 19/11/2020 18:19:14
5.1.7 Privacy information includes details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if you collect the personal data from the individual it relates to). | Created: 19/11/2020 18:19:14 | Last modified: 19/11/2020 18:19:14
5.1.6 Privacy information includes details about individuals' rights, including, if applicable, the right to withdraw consent and the right to make a complaint. | Created: 19/11/2020 18:19:14 | Last modified: 19/11/2020 18:19:14
5.1.5 Privacy information includes retention periods for the personal data or, if that is not possible, the criteria used to determine the period. | Created: 19/11/2020 18:19:14 | Last modified: 19/11/2020 18:19:14
5.1.4 Privacy information includes details of all personal data that you share with other organisations and, if applicable, details of transfers to any third countries or international organisations. | Created: 19/11/2020 18:19:14 | Last modified: 19/11/2020 18:19:14
5.1.3 Privacy information includes the types of personal data you obtain and the data source, if the personal data is not obtained from the individual it relates to. | Created: 19/11/2020 18:19:14 | Last modified: 19/11/2020 18:19:14
5.1.2 Privacy information includes the purposes of the processing and the lawful bases (and, if applicable, the legitimate interests for the processing). | Created: 19/11/2020 18:19:14 | Last modified: 19/11/2020 18:19:14
5.1.1 Privacy information includes all relevant contact information, eg the name and contact details of your organisation (and your representative if applicable) and the DPO's contact details. | Created: 19/11/2020 18:19:13 | Last modified: 19/11/2020 18:19:13
4.11.3 You tell individuals about their right to make a complaint to the ICO in your privacy information. | Created: 19/11/2020 18:19:13 | Last modified: 19/11/2020 18:19:13
4.11.2 The DPO's contact details or alternative contact points are publicly available if individuals wish to make a complaint about the use of their personal data. | Created: 19/11/2020 18:19:13 | Last modified: 19/11/2020 18:19:13
4.11.1 You have procedures to handle data protection complaints raised by individuals and you report their resolution to senior management. | Created: 19/11/2020 18:19:13 | Last modified: 19/11/2020 18:19:13
4.10.5 You conduct regular checks for accuracy and bias to make sure that systems are working as intended, and you feed this back into the design process. | Created: 19/11/2020 18:19:13 | Last modified: 19/11/2020 18:19:13
4.10.4 Where the decision is solely automated and has legal or similarly significant effects on individuals, a recorded process allows simple ways for individuals to request human intervention, express their opinion, and challenge decisions. | Created: 19/11/2020 18:19:13 | Last modified: 19/11/2020 18:19:13
4.10.3 If your organisation uses solely automated decisions that have legal or similarly significant effects on individuals, you have a recorded process to make sure that these decisions only occur in accordance with Article 22 of the GDPR. If this applies, your organisation must carry out a data protection impact assessment (DPIA). | Created: 19/11/2020 18:19:13 | Last modified: 19/11/2020 18:19:13
4.10.2 Your organisation only collects the minimum data needed and has a clear retention policy for the profiles created. | Created: 19/11/2020 18:19:13 | Last modified: 19/11/2020 18:19:13
4.10.1 You complete additional checks for vulnerable groups, such as children, for all automated decision-making and profiling. | Created: 19/11/2020 18:19:13 | Last modified: 19/11/2020 18:19:13
4.9.2 Where possible, and if an individual requests it, your organisation can directly transmit the information to another organisation. | Created: 19/11/2020 18:19:13 | Last modified: 19/11/2020 18:19:13
4.9.1 When requested, you provide personal data in a structured, commonly used and machine-readable format. | Created: 19/11/2020 18:19:13 | Last modified: 19/11/2020 18:19:13
4.8.3 If asked to, your organisation tells the data subject which third parties have received the personal data. | Created: 19/11/2020 18:19:13 | Last modified: 19/11/2020 18:19:13
4.8.2 If the personal data has been disclosed to others, your organisation contacts each recipient to tell them about the restriction (unless this is impossible or involves disproportionate effort). | Created: 19/11/2020 18:19:13 | Last modified: 19/11/2020 18:19:13
4.8.1 Your organisation restricts personal data in a way that is appropriate for the type of processing and the system, eg temporarily moving the data to another system or removing it from a website. | Created: 19/11/2020 18:19:12 | Last modified: 19/11/2020 18:19:12
4.7.5 Your organisation gives particular weight to a request for erasure where the processing is or was based on a child's consent, especially when processing any personal data on the internet. | Created: 19/11/2020 18:19:12 | Last modified: 19/11/2020 18:19:12
4.7.4 If personal data has been made public in an online environment, you take reasonable steps to tell other controllers, if they are processing it, to erase links to, copies of, or replications of that data. | Created: 19/11/2020 18:19:12 | Last modified: 19/11/2020 18:19:12
4.7.3 If asked to, your organisation tells the data subject which third parties have received the personal data. | Created: 19/11/2020 18:19:12 | Last modified: 19/11/2020 18:19:12
4.7.2 If the personal data is disclosed to others, your organisation contacts each recipient to inform them about the erasure, unless this is impossible or involves disproportionate effort. | Created: 19/11/2020 18:19:12 | Last modified: 19/11/2020 18:19:12
4.6.4 If asked, your organisation tells the data subject which third parties have received the personal data. | Created: 19/11/2020 18:19:12 | Last modified: 19/11/2020 18:19:12
4.6.3 If personal data has been disclosed to others, your organisation contacts each recipient to inform them about the rectification, unless this is impossible or involves disproportionate effort. | Created: 19/11/2020 18:19:12 | Last modified: 19/11/2020 18:19:12
4.6.2 If your organisation is satisfied that the data is accurate, you have a procedure to explain this to the individual. You need to inform the individual of their right to complain and, as a matter of good practice, record on the system the fact that the individual disputes the accuracy of the information. | Created: 19/11/2020 18:19:12 | Last modified: 19/11/2020 18:19:12
4.6.1 Your organisation takes proportionate and reasonable steps to check the accuracy of the personal data held and, if necessary, is able to rectify it. | Created: 19/11/2020 18:19:12 | Last modified: 19/11/2020 18:19:12
4.5.4 Your organisation analyses any trends in the nature or cause of requests to improve performance or reduce volumes. | Created: 19/11/2020 18:19:11 | Last modified: 19/11/2020 18:19:11
4.5.3 You share reports with senior management, who review and action them as appropriate at meetings. | Created: 19/11/2020 18:19:11 | Last modified: 19/11/2020 18:19:11
4.5.2 You produce regular reports on performance and case quality assessments to make sure that requests are handled appropriately. | Created: 19/11/2020 18:19:11 | Last modified: 19/11/2020 18:19:11
4.5.1 The staff responsible for managing requests meet regularly to discuss any issues. | Created: 19/11/2020 18:19:11 | Last modified: 19/11/2020 18:19:11
4.4.4 If a request is refused, you have records of the reasons why, and you inform individuals about the reasons for any refusals or exemptions. | Created: 19/11/2020 18:19:11 | Last modified: 19/11/2020 18:19:11
4.4.3 If you need an extension, you update individuals on the progress of their request and keep them informed. | Created: 19/11/2020 18:19:11 | Last modified: 19/11/2020 18:19:11
4.4.2 The staff responsible for managing requests meet regularly to discuss any issues and to investigate, prioritise or escalate any delayed cases. | Created: 19/11/2020 18:19:11 | Last modified: 19/11/2020 18:19:11
4.4.1 You action all requests within statutory timescales. | Created: 19/11/2020 18:19:11 | Last modified: 19/11/2020 18:19:11
4.3.4 You have records of your organisation's request responses, and of any information disclosed to, or withheld from, individuals. | Created: 19/11/2020 18:19:11 | Last modified: 19/11/2020 18:19:11
4.3.3 A checklist records the key stages in the request handling process, eg which systems or departments have been searched. This is either part of the log or a separate document. | Created: 19/11/2020 18:19:11 | Last modified: 19/11/2020 18:19:11
4.3.2 The log shows the due date for requests, the actual date of the final response and the action taken. | Created: 19/11/2020 18:19:11 | Last modified: 19/11/2020 18:19:11
4.3.1 You have processes in place to make sure that the log is accurate and updated as appropriate. | Created: 19/11/2020 18:19:11 | Last modified: 19/11/2020 18:19:11
4.2.5 Your organisation can deal with any increase in requests or reduction in staffing levels. | Created: 19/11/2020 18:19:11 | Last modified: 19/11/2020 18:19:11
4.2.4 If a staff member is absent, other staff are trained to carry out key tasks. | Created: 19/11/2020 18:19:11 | Last modified: 19/11/2020 18:19:11
4.2.3 You have sufficient resources to deal with requests. | Created: 19/11/2020 18:19:10 | Last modified: 19/11/2020 18:19:10
4.2.2 Staff receive specialised training to handle requests, including regular refresher training. | Created: 19/11/2020 18:19:10 | Last modified: 19/11/2020 18:19:10
4.2.1 A specific person (or persons) or team is responsible for managing and responding to requests. | Created: 19/11/2020 18:19:10 | Last modified: 19/11/2020 18:19:10
4.1.3 All staff receive training and guidance about how to recognise requests and where to send them. | Created: 19/11/2020 18:19:10 | Last modified: 19/11/2020 18:19:10
4.1.2 Your policies and procedures set out processes for dealing with requests from individuals about their rights. | Created: 19/11/2020 18:19:10 | Last modified: 19/11/2020 18:19:10
4.1.1 You give individuals clear and relevant information about their rights and how to exercise them. | Created: 19/11/2020 18:19:10 | Last modified: 19/11/2020 18:19:10
3.5.2 You make it easy for staff to access relevant material and to find out who to contact if they have any queries relating to data protection and information governance. | Created: 19/11/2020 18:19:10 | Last modified: 19/11/2020 18:19:10
3.5.1 Your organisation regularly uses a variety of appropriate methods to raise staff awareness and the profile of data protection and information governance, for example by emails, team briefings and meetings, posters, handouts, and blogs. | Created: 19/11/2020 18:19:10 | Last modified: 19/11/2020 18:19:10
3.4.4 Staff are able to provide feedback on the training they receive. | Created: 19/11/2020 18:19:10 | Last modified: 19/11/2020 18:19:10
3.4.3 You monitor training completion in line with organisational requirements at all levels of the organisation, and you follow up with staff who do not complete the training. | Created: 19/11/2020 18:19:10 | Last modified: 19/11/2020 18:19:10
3.4.2 You keep copies of the training material provided on record, as well as details of who receives the training. | Created: 19/11/2020 18:19:10 | Last modified: 19/11/2020 18:19:10
3.4.1 You conduct an assessment at the end of the training to test staff understanding and make sure that it is effective, which could include a minimum pass mark. | Created: 19/11/2020 18:19:10 | Last modified: 19/11/2020 18:19:10
3.3.4 You keep on record copies of the training material provided, as well as details of who receives the training. | Created: 19/11/2020 18:19:10 | Last modified: 19/11/2020 18:19:10
3.3.3 You have evidence to confirm that key roles complete up-to-date and appropriate specialised training and professional development, and that they receive proportionate refresher training. | Created: 19/11/2020 18:19:10 | Last modified: 19/11/2020 18:19:10
3.3.2 You set out training and skills requirements in job descriptions. | Created: 19/11/2020 18:19:09 | Last modified: 19/11/2020 18:19:09
3.3.1 You complete a training needs analysis for data protection and information governance staff to inform the training plan and to make sure it is specific to the individual's responsibilities. | Created: 19/11/2020 18:19:09 | Last modified: 19/11/2020 18:19:09
3.2.4 Your staff complete refresher training at appropriate intervals. | Created: 19/11/2020 18:19:09 | Last modified: 19/11/2020 18:19:09
3.2.3 Your staff receive induction training prior to accessing personal data and within one month of their start date. | Created: 19/11/2020 18:19:09 | Last modified: 19/11/2020 18:19:09
3.2.2 All staff receive induction and refresher training, regardless of how long they will be working for your organisation, their contractual status, or grade. | Created: 19/11/2020 18:19:09 | Last modified: 19/11/2020 18:19:09
3.2.1 Appropriate staff, such as the DPO or an information governance manager, oversee or approve induction training. | Created: 19/11/2020 18:19:09 | Last modified: 19/11/2020 18:19:09
3.1.7 Senior management sign off your programme. | Created: 19/11/2020 18:19:09 | Last modified: 19/11/2020 18:19:09
3.1.6 You regularly review your programme to make sure that it remains accurate and up-to-date. | Created: 19/11/2020 18:19:09 | Last modified: 19/11/2020 18:19:09
3.1.5 You have dedicated and trained resources available to deliver training to all staff. | Created: 19/11/2020 18:19:09 | Last modified: 19/11/2020 18:19:09
3.1.4 You assign responsibilities for managing data protection and information governance training across your organisation, and you have training plans or strategies in place to meet training needs within agreed timescales. | Created: 19/11/2020 18:19:09 | Last modified: 19/11/2020 18:19:09
3.1.3 You consider the training needs of all staff and use this information to compile the training programme. | Created: 19/11/2020 18:19:09 | Last modified: 19/11/2020 18:19:09
3.1.2 The programme is comprehensive and includes training for all staff on key areas of data protection such as handling requests, data sharing, information security, personal data breaches and records management. | Created: 19/11/2020 18:19:09 | Last modified: 19/11/2020 18:19:09
3.1.1 The programme incorporates national and sector-specific requirements. | Created: 19/11/2020 18:19:09 | Last modified: 19/11/2020 18:19:09
2.4.4 The personal data of vulnerable groups, eg children, is given extra protection in policies and procedures. | Created: 19/11/2020 18:19:09 | Last modified: 19/11/2020 18:19:09
2.4.3 Your organisation's approach to implementing the data protection principles and safeguarding individuals' rights, such as data minimisation, pseudonymisation and purpose limitation, is set out in policies and procedures. | Created: 19/11/2020 18:19:08 | Last modified: 19/11/2020 18:19:08
2.4.2 You have policies and procedures to make sure that data protection issues are considered when systems, services, products and business practices involving personal data are designed and implemented, and that personal data is protected by default. | Created: 19/11/2020 18:19:08 | Last modified: 19/11/2020 18:19:08
2.4.1 Where relevant, you consider policies and procedures across your organisation with data protection in mind. | Created: 19/11/2020 18:19:08 | Last modified: 19/11/2020 18:19:08
2.3.4 Guidelines, posters or publications help to emphasise key messages and raise staff awareness of policies and procedures. | Created: 19/11/2020 18:19:08 | Last modified: 19/11/2020 18:19:08
2.3.3 You make policies and procedures readily available to all staff on your organisation's intranet site (or equivalent shared area), or provide them in other ways that are easy to access. | Created: 19/11/2020 18:19:08 | Last modified: 19/11/2020 18:19:08
2.3.2 You tell staff about updated policies and procedures. | Created: 19/11/2020 18:19:08 | Last modified: 19/11/2020 18:19:08
2.3.1 Your staff read and understand the policies and procedures, including why they are important to implement and comply with. | Created: 19/11/2020 18:19:08 | Last modified: 19/11/2020 18:19:08
2.2.5 All policies, procedures and guidelines show document control information, including version number, owner, review date and change history. | Created: 19/11/2020 18:19:08 | Last modified: 19/11/2020 18:19:08
2.2.4 You update policies and procedures without undue delay when they require changes, eg because of operational change, court or regulatory decisions, or changes in regulatory guidance. | Created: 19/11/2020 18:19:08 | Last modified: 19/11/2020 18:19:08
2.2.3 Existing policies and procedures are reviewed in line with documented review dates, and are up-to-date and fit for purpose. | Created: 19/11/2020 18:19:08 | Last modified: 19/11/2020 18:19:08
2.2.2 An appropriately senior staff member reviews and approves all new and existing policies and procedures. | Created: 19/11/2020 18:19:08 | Last modified: 19/11/2020 18:19:08
2.2.1 All policies and procedures follow an agreed format and style. | Created: 19/11/2020 18:19:08 | Last modified: 19/11/2020 18:19:08
2.1.4 Policies and procedures clearly outline roles and responsibilities. | Created: 19/11/2020 18:19:08 | Last modified: 19/11/2020 18:19:08
2.1.3 You make operational procedures, guidance and manuals readily available to support data protection policies and to provide direction to operational staff. | Created: 19/11/2020 18:19:08 | Last modified: 19/11/2020 18:19:08
2.1.2 Policies cover data protection, records management and information security. | Created: 19/11/2020 18:19:08 | Last modified: 19/11/2020 18:19:08
2.1.1 The policy framework stems from strategic business planning for data protection and information governance, which the highest management level endorses. | Created: 19/11/2020 18:19:07 | Last modified: 19/11/2020 18:19:07
1.6.4 Any data protection and information governance issues and risks that arise are reported to the oversight group. | Created: 19/11/2020 18:19:07 | Last modified: 19/11/2020 18:19:07
1.6.3 The agenda shows that the groups discuss appropriate data protection and information governance issues regularly. | Created: 19/11/2020 18:19:07 | Last modified: 19/11/2020 18:19:07
1.6.2 The groups produce minutes of the meetings and action plans. | Created: 19/11/2020 18:19:07 | Last modified: 19/11/2020 18:19:07
1.6.1 The groups meet regularly and are attended by relevant staff. | Created: 19/11/2020 18:19:07 | Last modified: 19/11/2020 18:19:07
1.5.7 The board, or highest management level, considers data protection and information governance issues and risks reported by the oversight group. | Created: 19/11/2020 18:19:07 | Last modified: 19/11/2020 18:19:07
1.5.6 The group has a work or action plan that is monitored regularly. | Created: 19/11/2020 18:19:07 | Last modified: 19/11/2020 18:19:07
1.5.5 The group covers a full range of data protection related topics, including Key Performance Indicators (KPIs), issues and risks. | Created: 19/11/2020 18:19:07 | Last modified: 19/11/2020 18:19:07
1.5.4 The group's meeting minutes record what takes place. | Created: 19/11/2020 18:19:07 | Last modified: 19/11/2020 18:19:07
1.5.3 Clear terms of reference set out the group's aims. | Created: 19/11/2020 18:19:07 | Last modified: 19/11/2020 18:19:07
1.5.2 An appropriately senior staff member chairs the group, eg the DPO or senior information risk owner (SIRO). | Created: 19/11/2020 18:19:07 | Last modified: 19/11/2020 18:19:07
1.5.1 Key staff, eg the DPO, regularly attend the oversight group meetings. | Created: 19/11/2020 18:19:07 | Last modified: 19/11/2020 18:19:07
1.4.4 Data protection and information governance staff have the authority, support and resources to carry out their responsibilities effectively. | Created: 19/11/2020 18:19:07 | Last modified: 19/11/2020 18:19:07
1.4.3 A network of support or nominated data protection leads helps implement and maintain data protection policies at a local level. | Created: 19/11/2020 18:19:07 | Last modified: 19/11/2020 18:19:07
1.4.2 Your staff manage all records effectively and keep information secure. | Created: 19/11/2020 18:19:07 | Last modified: 19/11/2020 18:19:07
1.4.1 Data protection and information governance staff have clear responsibilities for making sure that your organisation is data protection compliant. | Created: 19/11/2020 18:19:07 | Last modified: 19/11/2020 18:19:07
1.3.6 The DPO provides regular updates to senior management about data protection compliance. | Created: 19/11/2020 18:19:06 | Last modified: 19/11/2020 18:19:06
1.3.5 The DPO directly advises senior decision-makers and raises concerns with the highest management level. | Created: 19/11/2020 18:19:06 | Last modified: 19/11/2020 18:19:06
1.3.4 The DPO performs their tasks independently, without any conflicts of interest, and does not take any direct operational decisions about the manner and purposes of processing personal data within your organisation. | Created: 19/11/2020 18:19:06 | Last modified: 19/11/2020 18:19:06
1.3.3 Your organisation follows the DPO's advice and takes account of their knowledge about data protection obligations. | Created: 19/11/2020 18:19:06 | Last modified: 19/11/2020 18:19:06
1.3.2 The DPO is involved in all data protection issues in a timely manner. | Created: 19/11/2020 18:19:06 | Last modified: 19/11/2020 18:19:06
1.3.1 Staff know who the DPO is, what their role is and how to contact them. | Created: 19/11/2020 18:19:06 | Last modified: 19/11/2020 18:19:06
1.2.5 If your organisation is not required to appoint a DPO, you appropriately assign responsibility for data protection compliance, and you have enough staff and resources to manage your obligations under data protection law. | Created: 19/11/2020 18:19:06 | Last modified: 19/11/2020 18:19:06
1.2.4 If your organisation is not required to appoint a DPO, you record the decision. | Created: 19/11/2020 18:19:06 | Last modified: 19/11/2020 18:19:06
1.2.3 The DPO has the authority, support and resources to do their job effectively. | Created: 19/11/2020 18:19:06 | Last modified: 19/11/2020 18:19:06
1.2.2 The DPO has expert knowledge of data protection law and practices. | Created: 19/11/2020 18:19:06 | Last modified: 19/11/2020 18:19:06
1.2.1 The DPO has specific responsibilities in line with Article 39 of the GDPR for data protection compliance, data protection policies, awareness raising, training, and audits. | Created: 19/11/2020 18:19:06 | Last modified: 19/11/2020 18:19:06
1.1.7 Data protection and information governance staff understand the organisational structure and their responsibilities. | Created: 19/11/2020 18:19:06 | Last modified: 19/11/2020 18:19:06
1.1.6 Job descriptions are up-to-date, fit for purpose and reviewed regularly. | Created: 19/11/2020 18:19:06 | Last modified: 19/11/2020 18:19:06
1.1.5 Job descriptions clearly set out responsibilities and reporting lines to management. | Created: 19/11/2020 18:19:06 | Last modified: 19/11/2020 18:19:06
1.1.4 Policies clearly set out the organisational structure for managing data protection and information governance. | Created: 19/11/2020 18:19:05 | Last modified: 19/11/2020 18:19:05
1.1.3 You have clear reporting lines and information flows between relevant groups, such as from a management board to an audit committee, or from an executive team to an information governance steering group. | Created: 19/11/2020 18:19:05 | Last modified: 19/11/2020 18:19:05
1.1.2 Decision-makers lead by example and promote a proactive, positive culture of data protection compliance. | Created: 19/11/2020 18:19:05 | Last modified: 19/11/2020 18:19:05
1.1.1 The board, or highest senior management level, has overall responsibility for data protection and information governance. | Created: 19/11/2020 18:19:05 | Last modified: 19/11/2020 18:19:05

A.12.4.4 The clocks of all relevant information processing systems within an organisation or security domain shall be synchronised to a single reference time source. | Created: 03/11/2020 11:13:24 | Last modified: 03/11/2020 11:22:23

Q31 Your business ensures an adequate level of protection for any personal data processed by others on your behalf that is transferred outside the European Economic Area. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 20:17:28
Q30 Your business has effective processes to identify, report, manage and resolve any personal data breaches. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 20:08:42
Q29 Your business has an information security policy supported by appropriate security measures. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 20:04:27
Q28 Decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 19:55:35
Q27 Your business has nominated a data protection lead or Data Protection Officer (DPO). | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 19:47:30
Q26 Your business has a DPIA framework which links to your existing risk management and project management processes. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 19:38:25
Q25 Your business understands when you must conduct a DPIA and has processes in place to action this. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 19:35:20
Q24 Your business has implemented appropriate technical and organisational measures to integrate data protection into your processing activities. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 19:30:00
Q23 Your business manages information risks in a structured way, so that management understands the business impact of personal data related risks and manages them effectively. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 19:26:41
Q22 Your business has a written contract with any processors you use. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 19:20:30
Q21 Your business provides data protection awareness training for all staff. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 19:17:15
Q20 Your business monitors your own compliance with data protection policies and regularly reviews the effectiveness of data handling and security controls. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 19:10:46
Q19 Your business has an appropriate data protection policy. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 19:06:17
Q18 Your business has identified whether any of your processing operations constitute automated decision making, and has procedures in place to deal with the requirements. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 18:55:03
Q17 Your business has procedures to handle an individual's objection to the processing of their personal data. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 18:49:55
Q16 Your business has processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 18:49:03
Q15 Your business has procedures to respond to an individual's request to restrict the processing of their personal data. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 18:48:14
Q14 Your business has a process to securely dispose of personal data that is no longer required, or where an individual has asked you to erase it. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 18:47:14
Q13 Your business has processes to ensure that the personal data you hold remains accurate and up to date. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 18:46:11
Q12 Your business has a process to recognise and respond to individuals' requests to access their personal data. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 18:45:02
Q11 If your business offers online services directly to children, you communicate privacy information in a way that a child will understand. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 18:43:53
Q10 Your business has provided privacy information to individuals. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 18:31:03
Q9 Your business is currently registered with the Information Commissioner's Office. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 18:30:28
Q8 If you are relying on legitimate interests as the lawful basis for processing, your business has applied the three-part test and can demonstrate that you have fully considered and protected individuals' rights and interests. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 18:29:28
Q7 If you may be required to process data to protect the vital interests of an individual, your business has clearly documented the circumstances where this will be relevant. Your business documents your justification for relying on this basis and informs individuals where necessary. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 18:28:19
Q2 Your business has documented what personal data you hold, where it came from, who you share it with and what you do with it. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 18:24:29
Q3 Your business has identified your lawful bases for processing and documented them. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 18:23:55
Q4 Your business has reviewed how you ask for and record consent. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 18:23:24
Q5 Your business has systems to record and manage ongoing consent. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 18:22:52
Q6 If your business relies on consent to offer online services directly to children, you have systems in place to manage it. | Created: 17/12/2019 20:15:34 | Last modified: 21/07/2020 18:22:12
Q1 Your business has conducted an information audit to map personal data flows.17/12/2019 20:15:3411/07/2020 14:28:09
Your organisation's approach and policy relating to the security of networks and information systems supporting the operation of essential functions are owned and managed at board level. These are communicated, in a meaningful way, to risk management decision-makers across the organisation.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Regular board discussions on the security of network and information systems supporting the operation of your essential function take place, based on timely and accurate information and informed by expert guidance.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
There is a board-level individual who has overall accountability for the security of networks and information systems and drives regular discussion at board level.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Direction set at board level is translated into effective organisational practices that direct and control the security of the networks and information systems supporting your essential function.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
The security of network and information systems related to the operation of essential functions is discussed and reported regularly at board level.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Board-level discussions on the security of networks and information systems are based on up-to-date information, with the benefit of expert guidance.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
The security of networks and information systems supporting your essential functions is driven effectively by the direction set at board level.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
No senior management or pockets of the organisation consider themselves exempt from some policies or expect special accommodations to be made.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Necessary roles and responsibilities for the security of networks and information systems supporting your essential function have been identified. These are reviewed periodically to ensure they remain fit for purpose.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Appropriately capable and knowledgeable staff fill those roles and are given the time, authority, and resources to carry out their duties.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
There is clarity on who in your organisation has overall accountability for the security of the networks and information systems supporting your essential function.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Key roles are filled on a formal basis.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Staff are assigned security responsibilities with adequate authority and resources to fulfil them.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Staff are comfortable with what their responsibilities are for the security of the essential function.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Senior management have visibility of key risk decisions made throughout the organisation.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Risk management decision-makers understand their responsibilities for making effective and timely decisions in the context of the risk appetite regarding the essential function, as set by senior management.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Risk management decision-making is delegated and escalated where necessary, across the organisation, to people who have the skills, knowledge, tools, and authority they need.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Risk management decisions are periodically reviewed to ensure their continued relevance and validity.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
What should be relatively straightforward risk decisions are made by those best placed to make them.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Risks are resolved formally at a local level, with a formal reporting mechanism where appropriate.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Decision-makers are sure of what senior management's risk appetite is, or understand it in clear terms.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Organisational structure causes risk decisions to be made collaboratively (e.g. engineering and IT talk to each other about risk).  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Risk priorities are clear enough to make meaningful distinctions between them.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Your organisational process ensures that security risks to networks and information systems relevant to essential functions are identified, analysed, prioritised, and managed.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Your approach to risk is focused on the possibility of adverse impact to your essential function, leading to a detailed understanding of how such impact might arise as a consequence of possible attacker actions and the security properties of your networks and information systems.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Your risk assessments are based on a clearly understood set of threat assumptions, informed by an up-to-date understanding of security threats to your essential function and your sector.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Your risk assessments are informed by an understanding of the vulnerabilities in the networks and information systems supporting your essential function.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
The output from your risk management process is a clear set of security requirements that will address the risks in line with your organisational approach to security.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Significant conclusions reached in the course of your risk management process are communicated to key security decision-makers and accountable individuals.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You conduct risk assessments when significant events potentially affect the essential function, such as replacing a system or a change in the cyber security threat.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Your risk assessments are dynamic and updated in the light of relevant changes, which may include technical changes to networks and information systems, change of use and new threat information.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
The effectiveness of your risk management process is reviewed periodically, and improvements made as required.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You perform detailed threat analysis and understand how this applies to your organisation in the context of the threat to your sector and the wider CNI.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Your organisational process ensures that security risks to networks and information systems relevant to essential functions are identified, analysed, prioritised, and managed.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Your risk assessments are informed by an understanding of the vulnerabilities in the networks and information systems supporting your essential function.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
The output from your risk management process is a clear set of security requirements that will address the risks in line with your organisational approach to security.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Significant conclusions reached in the course of your risk management process are communicated to key security decision-makers and accountable individuals.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You conduct risk assessments when significant events potentially affect the essential function, such as replacing a system or a change in the cyber security threat.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You perform threat analysis and understand how generic threats apply to your organisation.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Risk assessments are based on a clearly defined set of threat assumptions.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Risk assessment outputs aren't too complex or unwieldy to be consumed by decision-makers and are effectively communicated in a clear and timely manner.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Risk assessments for critical systems are a recurring activity.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
The security elements of projects or programmes are not solely dependent on the completion of a risk management assessment without any regard to the outcomes.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
There is a systematic process in place to ensure that identified security risks are managed effectively.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Systems are not assessed in isolation, and are assessed with consideration of dependencies and interactions with other systems (e.g. interactions between IT and OT environments).  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Security requirements and mitigations aren't arbitrary and are applied from a control catalogue with consideration of how they contribute to the security of the essential function.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Risks documented on a register are resolved quickly and effectively.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You validate that the security measures in place to protect the networks and information systems are effective and remain effective for the lifetime over which they are needed.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You understand the assurance methods available to you and choose appropriate methods to gain confidence in the security of essential functions.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Your confidence in the security as it relates to your technology, people, and processes can be justified to, and verified by, a third party.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Security deficiencies uncovered by assurance activities are assessed, prioritised and remedied when necessary in a timely and effective way.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
The methods used for assurance are reviewed to ensure they are working as intended and remain the most appropriate method to use.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
No particular products or services are seen as a "silver bullet" and vendor claims aren't taken at face value.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Assurance methods are applied with appreciation of their strengths and limitations, such as the risks of penetration testing in operational environments.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Assurance isn't assumed because there have been no known problems to date.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
All assets relevant to the secure operation of essential functions are identified and inventoried (at a suitable level of detail). The inventory is kept up-to-date.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Dependencies on supporting infrastructure (e.g. power, cooling, etc.) are recognised and recorded.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You have prioritised your assets according to their importance to the operation of the essential function.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You have assigned responsibility for managing physical assets.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Assets relevant to essential functions are managed with cyber security in mind throughout their lifecycle, from creation through to eventual decommissioning or disposal.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Inventories of assets relevant to the essential function are complete and adequately detailed.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
All domains and types of asset are documented and understood. Dependencies between assets are understood (such as the dependencies between IT and OT).  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Information assets, which could include personally identifiable information or other sensitive information, are stored with a clear business need and retention policy.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Knowledge critical to the management, operation, or recovery of essential functions is not held by one or two key individuals, and a succession plan is in place.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Asset inventories are complete and in date.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You have a deep understanding of your supply chain, including sub-contractors and the wider risks it faces. You consider factors such as suppliers' partnerships, competitors, nationality and other organisations with which they sub-contract. This informs your risk assessment and procurement processes.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Your approach to supply chain risk management considers the risks to your essential functions arising from supply chain subversion by capable and well-resourced attackers.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You have confidence that information shared with suppliers that is essential to the operation of your function is appropriately protected from sophisticated attacks.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You can clearly express the security needs you place on suppliers in ways that are mutually understood and are laid out in contracts. There is a clear and documented shared-responsibility model.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
All network connections and data sharing with third parties are managed effectively and proportionately.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
When appropriate, your incident management process and that of your suppliers provide mutual support in the resolution of incidents.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You understand the general risks suppliers may pose to your essential functions.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You know the extent of your supply chain for essential functions, including sub-contractors.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You engage with suppliers about security, and you set and communicate security requirements in contracts.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You are aware of all third-party connections and have assurance that they meet your organisation’s security requirements.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Your approach to security incident management considers incidents that might arise in your supply chain.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You have confidence that information shared with suppliers that is necessary for the operation of your essential function is appropriately protected from well-known attacks and known vulnerabilities.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You know what data belonging to you is held by suppliers, and how it is managed.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Elements of the supply chain for essential functions are subcontracted and you have full visibility of the sub-contractors.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Relevant contracts have security requirements.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Supplier access to systems that provide your essential function is restricted and monitored.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You fully document your overarching security governance and risk management approach, technical security practice and specific regulatory compliance. Cyber security is integrated and embedded throughout these policies and processes, and key performance indicators are reported to your executive management.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Your organisation’s policies and processes are developed to be practical, usable and appropriate for your essential function and your technologies.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Policies and processes that rely on user behaviour are practical, appropriate and achievable.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You review and update policies and processes at suitably regular intervals to ensure they remain relevant. This is in addition to reviews following a major cyber security incident.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Any change to the essential function or the threat it faces triggers a review of policies and processes.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Your systems are designed so that they remain secure even when user security policies and processes are not always followed.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Your policies and processes document your overarching security governance and risk management approach, technical security practice and specific regulatory compliance.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You review and update policies and processes in response to major cyber security incidents.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Your policies and processes are active and complete.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Policies and processes are applied universally and consistently.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
People don't circumvent policies and processes to achieve business objectives.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Your organisation’s security governance and risk management approach has no bearing on your policies and processes.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
System security isn't reliant on users' careful and consistent application of manual security processes.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Policies and processes have been reviewed in response to major changes (e.g. technology or regulatory framework), and within a suitable period.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Policies and processes are readily available to staff, simple to remember, and easy to understand.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
All your policies and processes are followed, and their correct application and security effectiveness are evaluated.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Your policies and processes are integrated with other organisational policies and processes, including HR assessments of individuals' trustworthiness.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Your policies and processes are effectively and appropriately communicated across all levels of the organisation, resulting in good staff awareness of their responsibilities.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Appropriate action is taken to address all breaches of policies and processes with potential to adversely impact the essential function, including aggregated breaches.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Most of your policies and processes are followed and their application is monitored.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Your policies and processes are integrated with other organisational policies and processes, including HR assessments of individuals' trustworthiness.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
All staff are aware of their responsibilities under your policies and processes.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
All breaches of policies and processes with the potential to adversely impact the essential function are fully investigated. Other breaches are tracked, assessed for trends, and action is taken to understand and address them.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Policies and processes aren't ignored and are fully followed.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
The reliance on your policies and processes is well understood.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Staff are aware of their responsibilities under your policies and processes.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You attempt to detect breaches of policies and processes.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Policies and processes integrate with other organisational policies and processes.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Your policies and processes are well communicated across your organisation.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Only authorised and individually authenticated users can physically access and logically connect to your networks or information systems on which your essential function depends.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
User access to all your networks and information systems supporting the essential function is limited to the minimum necessary.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You use additional authentication mechanisms, such as two-factor or hardware-backed certificates, for privileged access to all systems that operate or support your essential function.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You use additional authentication mechanisms, such as two-factor or hardware-backed certificates, when you individually authenticate and authorise all remote user access to all your networks and information systems that support your essential function.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
The list of users with access to networks and systems supporting and delivering the essential function is reviewed on a regular basis, at least every six months.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
All authorised users with access to networks or information systems on which your essential function depends are individually identified and authenticated.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
User access to essential function networks and information systems is limited to the minimum necessary.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You use additional authentication mechanisms, such as two-factor or hardware-backed certificates, for privileged access to sensitive systems such as operational technology.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You individually authenticate and authorise all remote user access to all your networks and information systems that support your essential function.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
The list of users with access to essential function networks and systems is reviewed on a regular basis, at least annually.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Authorised users with access to networks or information systems on which your essential function depends can be individually identified.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Unauthorised individuals or devices cannot access your networks or information systems on which your essential function depends.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
User access is limited to the minimum necessary.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Dedicated devices are used for privileged actions (such as administration or accessing the essential function's network and information systems). These devices are not used for directly browsing the web or accessing email.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You either obtain independent and professional assurance of the security of third-party devices or networks before they connect to your systems, or you only allow third-party devices or networks dedicated to supporting your systems to connect.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You perform certificate-based device identity management and only allow known devices to access systems necessary for the operation of your essential function.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You perform regular scans to detect unknown devices and investigate any findings.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Only corporately owned and managed devices can access your essential function's networks and information systems.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
All privileged access occurs from corporately managed devices dedicated to management functions.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You have sought to understand the security properties of third-party devices and networks before they can be connected to your systems. You have taken appropriate steps to mitigate any risks identified.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
The act of connecting to a network port or cable does not grant access to any systems.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You are able to detect unknown devices being connected to your network and investigate such incidents.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Users can't connect to your essential function's networks using devices that are not corporately managed.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Privileged users can't perform administrative functions from devices that are not corporately managed.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You have gained assurance in the security of any third-party devices or networks connected to your systems.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Physically connecting a device to your network doesn't give that device access without device or user authentication.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Privileged user access to your essential function systems is carried out from dedicated separate accounts that are closely monitored and managed.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
The issuing of temporary, time-bound rights for privileged user access and external third-party support access is either in place or you are migrating to an access control solution that supports this functionality.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Privileged user access rights are regularly reviewed and always updated as part of your joiners, movers and leavers process.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
All privileged user access to your networks and information systems requires strong authentication, such as two-factor, hardware authentication, or additional real-time security monitoring.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
All privileged user activity is routinely reviewed, validated and recorded for offline analysis and investigation.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Privileged user access requires additional validation, but this does not use a strong form of authentication (e.g. two-factor, hardware authentication or additional real-time security monitoring).  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
The identities of the individuals with privileged access to your essential function systems (infrastructure, platforms, software, configuration, etc.) are known and managed. This includes third parties.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Activity by privileged users is routinely reviewed and validated (e.g. at least annually).  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Privileged users are only granted specific privileged permissions which are essential to their business role or function.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
The identities of the individuals with privileged access to your essential function systems (infrastructure, platforms, software, configuration, etc.) are known and managed.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Privileged user access to your essential function systems is via strong authentication mechanisms.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
The list of privileged users has been reviewed recently (e.g. within the last 12 months).  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Privileged user access is granted on a per-user or per-role basis rather than system wide.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Privileged user access to your essential function isn't via generic, shared or default name accounts.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Where there are “always on” terminals which can perform privileged actions (such as in a control room), there are additional controls (e.g. physical controls) to ensure access is appropriately restricted.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
There is logical separation between roles that an individual may have and hence the actions they perform (e.g. access to corporate email and privileged user actions).  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Your procedure to verify each user and issue the minimum required access rights is robust and regularly audited.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
User permissions are reviewed both when people change roles via your joiners, leavers and movers process and at regular intervals, at least annually.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
All user access is logged and monitored.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You regularly review access logs and correlate this data with other access records and expected activity.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Attempts by unauthorised users to connect to your systems are alerted, promptly assessed and investigated.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You follow a robust procedure to verify each user and issue the minimum required access rights.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You regularly review access rights and those no longer needed are revoked.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
User permissions are reviewed when people change roles via your joiners, leavers and movers process.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
All user access is logged and monitored.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
No greater rights are granted to users than necessary.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
User rights are granted with validation of their identity and requirement for access.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
User rights are reviewed when they move jobs.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
User rights don't remain active when people leave your organisation.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You have identified and catalogued all the data important to the operation of the essential function, or that would assist an attacker.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You have identified and catalogued who has access to the data important to the operation of the essential function.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You maintain a current understanding of the location, quantity and quality of data important to the operation of the essential function.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You take steps to remove or minimise unnecessary copies or unneeded historic data.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You have identified all mobile devices and media that may hold data important to the operation of the essential function.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You maintain a current understanding of the data links used to transmit data that is important to your essential function.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You understand the context, limitations and dependencies of your important data.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You understand and document the impact on your essential function of all relevant scenarios, including unauthorised data access, modification or deletion, or when authorised users are unable to appropriately access this data.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You validate these documented impact statements regularly, at least annually.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You have identified and catalogued all the data important to the operation of the essential function, or that would assist an attacker.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You have identified and catalogued who has access to the data important to the operation of the essential function.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You periodically review location, transmission, quantity and quality of data important to the operation of the essential function.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You have identified all mobile devices and media that hold data important to the operation of the essential function.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You understand and document the impact on your essential function of all relevant scenarios, including unauthorised access, modification or deletion, or when authorised users are unable to appropriately access this data.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You occasionally validate these documented impact statements.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You have a complete knowledge of what data is used by and produced in the operation of the essential function.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You have identified the important data on which your essential function relies.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You have identified who has access to data important to the operation of the essential function.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You have clearly articulated the impact of data compromise or inaccessibility.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You have identified and protected (effectively and proportionately) all the data links that carry data important to the operation of your essential function.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You apply appropriate physical or technical means to protect data that travels over non-trusted or openly accessible carriers, with justified confidence in the robustness of the protection applied.  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
Suitable alternative transmission paths are available where there is a significant risk of impact on the operation of the essential function due to resource limitation (e.g. transmission equipment or function failure, or important data being blocked or jammed).  (Created 29/05/2020 09:55:19; Last Modified 29/05/2020 09:55:19)
You have identified and protected (effectively and proportionately) all the data links that carry data important to the operation of your essential function.29/05/2020 09:55:1929/05/2020 09:55:19
You apply appropriate technical means (e.g. cryptography) to protect data that travels over non-trusted or openly accessible carriers, but you have limited or no confidence in the robustness of the protection applied.29/05/2020 09:55:1929/05/2020 09:55:19
You know what all your data links are, or which carry data important to the operation of the essential function.29/05/2020 09:55:1929/05/2020 09:55:19
Data important to the operation of the essential function travels with technical protection over non-trusted or openly accessible carriers.29/05/2020 09:55:1929/05/2020 09:55:19
Critical data paths that could fail, be jammed, be overloaded, etc. have an alternative path.29/05/2020 09:55:1929/05/2020 09:55:19
You have only necessary copies of this data. Where data is transferred to less secure systems, the data is provided with limited detail and/or as a read-only copy.29/05/2020 09:55:1929/05/2020 09:55:19
You have applied suitable physical or technical means to protect this important stored data from unauthorised access, modification or deletion.29/05/2020 09:55:1929/05/2020 09:55:19
If cryptographic protections are used you apply suitable technical and procedural means, and you have justified confidence in the robustness of the protection applied.29/05/2020 09:55:1929/05/2020 09:55:19
You have suitable, secured backups of data to allow the operation of the essential function to continue should the original data not be available. This may include off-line or segregated backups, or appropriate alternative forms such as paper copies.29/05/2020 09:55:1929/05/2020 09:55:19
Necessary historic or archive data is suitably secured in storage.29/05/2020 09:55:1929/05/2020 09:55:19
All copies of data important to the operation of your essential function are necessary. Where this important data is transferred to less secure systems, the data is provided with limited detail and/or as a read-only copy.29/05/2020 09:55:1929/05/2020 09:55:19
You have applied suitable physical or technical means to protect this important stored data from unauthorised access, modification or deletion.29/05/2020 09:55:1929/05/2020 09:55:19
If cryptographic protections are used, you apply suitable technical and procedural means, but you have limited or no confidence in the robustness of the protection applied.29/05/2020 09:55:1929/05/2020 09:55:19
You have suitable, secured backups of data to allow the operation of the essential function to continue should the original data not be available. This may include off-line or segregated backups, or appropriate alternative forms such as paper copies.29/05/2020 09:55:1929/05/2020 09:55:19
You have complete knowledge of where data important to the operation of the essential function is stored.29/05/2020 09:55:1929/05/2020 09:55:19
You have protected vulnerable stored data important to the operation of the essential function in a suitable way.29/05/2020 09:55:1929/05/2020 09:55:19
Backups are complete, tested, adequately secured and could be accessible in a disaster recovery or business continuity situation.29/05/2020 09:55:1929/05/2020 09:55:19
Mobile devices that hold data that is important to the operation of the essential function are catalogued, are under your organisation's control and configured according to best practice for the platform, with appropriate technical and procedural policies in place.29/05/2020 09:55:1929/05/2020 09:55:19
Your organisation can remotely wipe all mobile devices holding data important to the operation of essential function.29/05/2020 09:55:1929/05/2020 09:55:19
You have minimised this data on these mobile devices. Some data may be automatically deleted off mobile devices after a certain period.29/05/2020 09:55:1929/05/2020 09:55:19
You know which mobile devices hold data important to the operation of the essential function.29/05/2020 09:55:1929/05/2020 09:55:19
Data important to the operation of the essential function is only stored on mobile devices with at least equivalent security standard to your organisation.29/05/2020 09:55:1929/05/2020 09:55:19
Data on mobile devices is technically secured.29/05/2020 09:55:1929/05/2020 09:55:19
You know which mobile devices hold data important to the operation of the essential function.29/05/2020 09:55:1929/05/2020 09:55:19
You don't allow data important to the operation of the essential function to be stored on devices not managed by your organisation, or to at least equivalent standard.29/05/2020 09:55:1929/05/2020 09:55:19
Data on mobile devices is technically secured.29/05/2020 09:55:1929/05/2020 09:55:19
You catalogue and track all devices that contain data important to the operation of the essential function (whether a specific storage device or one with integral storage).29/05/2020 09:55:1929/05/2020 09:55:19
All data important to the operation of the essential function is sanitised from all devices, equipment or removable media before disposal.29/05/2020 09:55:1929/05/2020 09:55:19
All devices, equipment and removable media that hold data important to the operation of the essential function are disposed of with sanitisation of that data.29/05/2020 09:55:1929/05/2020 09:55:19
You employ appropriate expertise to design network and information systems.29/05/2020 09:55:1929/05/2020 09:55:19
Your networks and information systems are segregated into appropriate security zones, e.g. operational systems for the essential function are segregated in a highly trusted, more secure zone.29/05/2020 09:55:1929/05/2020 09:55:19
The networks and information systems supporting your essential function are designed to have simple data flows between components to support effective security monitoring.29/05/2020 09:55:1929/05/2020 09:55:19
The networks and information systems supporting your essential function are designed to be easy to recover.29/05/2020 09:55:1929/05/2020 09:55:19
Content-based attacks are mitigated for all inputs to operational systems that affect the essential function (e.g. via transformation and inspection).29/05/2020 09:55:1929/05/2020 09:55:19
You employ appropriate expertise to design network and information systems.29/05/2020 09:55:1929/05/2020 09:55:19
You design strong boundary defences where your networks and information systems interface with other organisations or the world at large.29/05/2020 09:55:1929/05/2020 09:55:19
You design simple data flows between your networks and information systems and any external interface to enable effective monitoring.29/05/2020 09:55:1929/05/2020 09:55:19
You design to make network and information system recovery simple.29/05/2020 09:55:1929/05/2020 09:55:19
All inputs to operational systems are checked and validated at the network boundary where possible, or additional monitoring is in place for content-based attacks.29/05/2020 09:55:1929/05/2020 09:55:19
Systems essential to the operation of the essential function are appropriately segregated from other systems.29/05/2020 09:55:1929/05/2020 09:55:19
Internet access isn't available from operational systems.29/05/2020 09:55:1929/05/2020 09:55:19
Data flows between the essential function's operational systems and other systems are simple, making it easy to differentiate between legitimate and illegitimate/malicious traffic.29/05/2020 09:55:1929/05/2020 09:55:19
No remote or third party accesses circumvent some network controls to gain more direct access to operational systems of the essential function.29/05/2020 09:55:1929/05/2020 09:55:19
You have identified, documented and actively manage (e.g. maintain security configurations, patching, updating according to good practice) the assets that need to be carefully configured to maintain the security of the essential function.29/05/2020 09:55:1929/05/2020 09:55:19
All platforms conform to your secure, defined baseline build, or the latest known good configuration version for that environment.29/05/2020 09:55:1929/05/2020 09:55:19
You closely and effectively manage changes in your environment, ensuring that network and system configurations are secure and documented.29/05/2020 09:55:1929/05/2020 09:55:19
You regularly review and validate that your network and information systems have the expected, secured settings and configuration.29/05/2020 09:55:1929/05/2020 09:55:19
Only permitted software can be installed and standard users cannot change settings that would impact security or business operation.29/05/2020 09:55:1929/05/2020 09:55:19
If automated decision-making technologies are in use, their operation is well understood, and decisions can be replicated.29/05/2020 09:55:1929/05/2020 09:55:19
You have identified and documented the assets that need to be carefully configured to maintain the security of the essential function.29/05/2020 09:55:1929/05/2020 09:55:19
Secure platform and device builds are used across the estate.29/05/2020 09:55:1929/05/2020 09:55:19
Consistent, secure and minimal system and device configurations are applied across the same types of environment.29/05/2020 09:55:1929/05/2020 09:55:19
Changes and adjustments to security configuration at security boundaries with the networks and information systems supporting your essential function are approved and documented.29/05/2020 09:55:1929/05/2020 09:55:19
You verify software before installation is permitted.29/05/2020 09:55:1929/05/2020 09:55:19
You have identified the assets that need to be carefully configured to maintain the security of the essential function.29/05/2020 09:55:1929/05/2020 09:55:19
Policies relating to the security of operating system builds or configuration are applied consistently across your network and information systems relating to your essential function.29/05/2020 09:55:1929/05/2020 09:55:19
Configuration details are recorded and contain enough information to be able to rebuild the system or device.29/05/2020 09:55:1929/05/2020 09:55:19
The recording of security changes or adjustments that effect your essential function is full and consistent.29/05/2020 09:55:1929/05/2020 09:55:19
Your systems and devices supporting the operation of the essential function are only administered or maintained by authorised privileged users from dedicated devices that are technically segregated and secured to the same level as the networks and systems being maintained.29/05/2020 09:55:1929/05/2020 09:55:19
You regularly review and update technical knowledge about networks and information systems, such as documentation and network diagrams, and ensure they are securely stored.29/05/2020 09:55:1929/05/2020 09:55:19
You prevent, detect and remove malware or unauthorised software. You use technical, procedural and physical measures as necessary.29/05/2020 09:55:1929/05/2020 09:55:19
Your systems and devices supporting the operation of the essential function are only administered or maintained by authorised privileged users from dedicated devices.29/05/2020 09:55:1929/05/2020 09:55:19
Technical knowledge about networks and information systems, such as documentation and network diagrams, is regularly reviewed and updated.29/05/2020 09:55:1929/05/2020 09:55:19
You prevent, detect and remove malware or unauthorised software. You use technical, procedural and physical measures as necessary.29/05/2020 09:55:1929/05/2020 09:55:19
Essential function networks and systems are administered and maintained using dedicated devices.29/05/2020 09:55:1929/05/2020 09:55:19
You have good or current technical documentation of your networks and information systems.29/05/2020 09:55:1929/05/2020 09:55:19
You maintain a current understanding of the exposure of your essential function to publicly-known vulnerabilities.29/05/2020 09:55:1929/05/2020 09:55:19
Announced vulnerabilities for all software packages, network equipment and operating systems used to support the operation of your essential function are tracked, prioritised and mitigated (e.g. by patching) promptly.29/05/2020 09:55:1929/05/2020 09:55:19
You regularly test to fully understand the vulnerabilities of the networks and information systems that support the operation of your essential function and verify this understanding with third-party testing.29/05/2020 09:55:1929/05/2020 09:55:19
You maximise the use of supported software, firmware and hardware in your networks and information systems supporting your essential function.29/05/2020 09:55:1929/05/2020 09:55:19
You maintain a current understanding of the exposure of your essential function to publicly-known vulnerabilities.29/05/2020 09:55:1929/05/2020 09:55:19
Announced vulnerabilities for all software packages, network equipment and operating systems used to support your essential function are tracked, prioritised and externally-exposed vulnerabilities are mitigated (e.g. by patching) promptly.29/05/2020 09:55:1929/05/2020 09:55:19
Some vulnerabilities that are not externally exposed have temporary mitigations for an extended period.29/05/2020 09:55:1929/05/2020 09:55:19
You have temporary mitigations for unsupported systems and software while pursuing migration to supported technology.29/05/2020 09:55:1929/05/2020 09:55:19
You regularly test to fully understand the vulnerabilities of the networks and information systems that support the operation of your essential function.29/05/2020 09:55:1929/05/2020 09:55:19
You understand the exposure of your essential function to publicly-known vulnerabilities.29/05/2020 09:55:1929/05/2020 09:55:19
You mitigate externally-exposed vulnerabilities promptly.29/05/2020 09:55:1929/05/2020 09:55:19
There are means to check data or software imports for malware.29/05/2020 09:55:1929/05/2020 09:55:19
You have recently tested to verify your understanding of the vulnerabilities of the networks and information systems that support your essential function.29/05/2020 09:55:1929/05/2020 09:55:19
You have suitably mitigated systems and software that is no longer supported.29/05/2020 09:55:1929/05/2020 09:55:19
You are pursuing replacement for unsupported systems or software.29/05/2020 09:55:1929/05/2020 09:55:19
You have business continuity and disaster recovery plans that have been tested for practicality, effectiveness and completeness. Appropriate use is made of different test methods, e.g. manual fail-over, table-top exercises, or red-teaming.29/05/2020 09:55:1929/05/2020 09:55:19
You use your security awareness and threat intelligence sources, to make immediate and potentially temporary security changes in response to new threats, e.g. a widespread outbreak of very damaging malware.29/05/2020 09:55:1929/05/2020 09:55:19
You know all networks, information systems and underlying technologies that are necessary to restore the operation of the essential function and understand their interdependence.29/05/2020 09:55:1929/05/2020 09:55:19
You know the order in which systems need to be recovered to efficiently and effectively restore the operation of the essential function.29/05/2020 09:55:1929/05/2020 09:55:19
You have a full understanding of all the elements that are required to restore operation of the essential function.29/05/2020 09:55:1929/05/2020 09:55:19
You have completed business continuity and/or disaster recovery plans for your essential function’s networks, information systems and their dependencies.29/05/2020 09:55:1929/05/2020 09:55:19
You have fully assessed the practical implementation of your disaster recovery plans.29/05/2020 09:55:1929/05/2020 09:55:19
Operational systems that support the operation of the essential function are segregated from other business and external systems by appropriate technical and physical means, e.g. separate network and system infrastructure with independent user administration. Internet services are not accessible from operational systems.29/05/2020 09:55:1929/05/2020 09:55:19
You have identified and mitigated all resource limitations, e.g. bandwidth limitations and single network paths.29/05/2020 09:55:1929/05/2020 09:55:19
You have identified and mitigated any geographical constraints or weaknesses. (e.g. systems that your essential function depends upon are replicated in another location, important network connectivity has alternative physical paths and service providers).29/05/2020 09:55:1929/05/2020 09:55:19
You review and update assessments of dependencies, resource and geographical limitations and mitigation's when necessary.29/05/2020 09:55:1929/05/2020 09:55:19
Operational systems that support the operation of the essential function are logically separated from your business systems, e.g. they reside on the same network as the rest of the organisation, but within a DMZ. Internet access is not available from operational systems.29/05/2020 09:55:1929/05/2020 09:55:19
Resource limitations (e.g. network bandwidth, single network paths) have been identified but not fully mitigated.29/05/2020 09:55:1929/05/2020 09:55:19
Operational networks and systems are appropriately segregated.29/05/2020 09:55:1929/05/2020 09:55:19
Internet services, such as browsing and email, aren't accessible from essential  operational systems supporting the essential function.29/05/2020 09:55:1929/05/2020 09:55:19
You understand and have plans to mitigate all resource limitations that could adversely affect your essential function.29/05/2020 09:55:1929/05/2020 09:55:19
Your comprehensive, automatic and tested technical and procedural backups are secured at centrally accessible or secondary sites to recover from an extreme event.29/05/2020 09:55:1929/05/2020 09:55:19
Key roles are duplicated, and operational delivery knowledge is shared with all individuals involved in the operations and recovery of the essential function.29/05/2020 09:55:1929/05/2020 09:55:19
Backups of all important data and information needed to recover the essential function are made, tested, documented and routinely reviewed.29/05/2020 09:55:1929/05/2020 09:55:19
You have appropriately secured backups (including data, configuration information, software, equipment, processes and key roles or knowledge). These backups will be accessible to recover from an extreme event.29/05/2020 09:55:1929/05/2020 09:55:19
You routinely test backups to ensure that the backup process functions correctly and the backups are usable.29/05/2020 09:55:1929/05/2020 09:55:19
Backup coverage is complete in coverage and would be adequate to restore operation of your essential function.29/05/2020 09:55:1929/05/2020 09:55:19
Backups are frequent enough for the operation of your essential function to be restored within a suitable time-frame.29/05/2020 09:55:1929/05/2020 09:55:19
Your executive management clearly and effectively communicates the organisation's cyber security priorities and objectives to all staff. Your organisation displays positive cyber security attitudes, behaviours and expectations.29/05/2020 09:55:1929/05/2020 09:55:19
People in your organisation raising potential cyber security incidents and issues are treated positively.29/05/2020 09:55:1929/05/2020 09:55:19
Individuals at all levels in your organisation routinely report concerns or issues about cyber security and are recognised for their contribution to keeping the organisation secure.29/05/2020 09:55:1929/05/2020 09:55:19
Your management is seen to be committed to and actively involved in cyber security.29/05/2020 09:55:1929/05/2020 09:55:19
Your organisation communicates openly about cyber security, with any concern being taken seriously.29/05/2020 09:55:1929/05/2020 09:55:19
People across your organisation participate in cyber security activities and improvements, building joint ownership and bringing knowledge of their area of expertise.29/05/2020 09:55:1929/05/2020 09:55:19
Your executive management understand and widely communicate the importance of a positive cyber security culture. Positive attitudes, behaviours and expectations are described for your organisation.29/05/2020 09:55:1929/05/2020 09:55:19
All people in your organisation understand the contribution they make to the essential function's cyber security.29/05/2020 09:55:1929/05/2020 09:55:19
All individuals in your organisation know who to contact and where to access more information about cyber security. They know how to raise a cyber security issue.29/05/2020 09:55:1929/05/2020 09:55:19
People in your organisation understand what they contribute to the cyber security of the essential function.29/05/2020 09:55:1929/05/2020 09:55:19
People in your organisation know how to raise a concern about cyber security.29/05/2020 09:55:1929/05/2020 09:55:19
People believe that reporting issues will not get them into trouble.29/05/2020 09:55:1929/05/2020 09:55:19
Your organisation's approach to cyber security is not perceived by staff as hindering the business of the organisation.29/05/2020 09:55:1929/05/2020 09:55:19
All people in your organisation, from the most senior to the most junior, follow appropriate cyber security training paths.29/05/2020 09:55:1929/05/2020 09:55:19
Each individual’s cyber security training is tracked and refreshed at suitable intervals.29/05/2020 09:55:1929/05/2020 09:55:19
You routinely evaluate your cyber security training and awareness activities to ensure they reach the widest audience and are effective.29/05/2020 09:55:1929/05/2020 09:55:19
You make cyber security information and good practice guidance easily accessible, widely available and you know it is referenced and used within your organisation.29/05/2020 09:55:1929/05/2020 09:55:19
You have defined appropriate cyber security training and awareness activities for all roles in your organisation, from executives to the most junior roles.29/05/2020 09:55:1929/05/2020 09:55:19
You use a range of teaching and communication techniques for cyber security training and awareness to reach the widest audience effectively.29/05/2020 09:55:1929/05/2020 09:55:19
Cyber security information is easily available.29/05/2020 09:55:1929/05/2020 09:55:19
All teams who operate and support your essential function that are cyber security trained.29/05/2020 09:55:1929/05/2020 09:55:19
Cyber security training isn't restricted to specific roles in your organisation.29/05/2020 09:55:1929/05/2020 09:55:19
Cyber security training records for your organisation are extensive and complete.29/05/2020 09:55:1929/05/2020 09:55:19
Monitoring is based on an understanding of your networks, common cyber attack methods and what you need awareness of in order to detect potential security incidents that could affect the operation of your essential function. (e.g. presence of malware, malicious emails, user policy violations).29/05/2020 09:55:1929/05/2020 09:55:19
Your monitoring data provides enough detail to reliably detect security incidents that could affect the operation of your essential function.29/05/2020 09:55:1929/05/2020 09:55:19
You easily detect the presence or absence of IoCs on your essential functions, such as known malicious command and control signatures.29/05/2020 09:55:1929/05/2020 09:55:19
Extensive monitoring of user activity in relation to the operation of essential functions enables you to detect policy violations and an agreed list of suspicious or undesirable behaviour.29/05/2020 09:55:1929/05/2020 09:55:19
You have extensive monitoring coverage that includes host-based monitoring and network gateways.29/05/2020 09:55:1929/05/2020 09:55:19
All new systems are considered as potential monitoring data sources to maintain a comprehensive monitoring capability.29/05/2020 09:55:1929/05/2020 09:55:19
Data relating to the security and operation of some areas of your essential functions is collected.29/05/2020 09:55:1929/05/2020 09:55:19
You easily detect the presence or absence of IoCs on your essential function, such as known malicious command and control signatures.29/05/2020 09:55:1929/05/2020 09:55:19
Some user monitoring is done, but not covering a fully agreed list of suspicious or undesirable behaviour.29/05/2020 09:55:1929/05/2020 09:55:19
You monitor traffic crossing your network boundary (including IP address connections as a minimum).29/05/2020 09:55:1929/05/2020 09:55:19
Data relating to the security and operation of your essential functions is collected.29/05/2020 09:55:1929/05/2020 09:55:19
You confidently detect the presence or absence of Indicators of Compromise (IoCs) on your essential functions, such as known malicious command and control signatures.29/05/2020 09:55:1929/05/2020 09:55:19
You are able to audit the activities of users in relation to your essential function.29/05/2020 09:55:1929/05/2020 09:55:19
You capture any traffic crossing your network boundary including as a minimum IP connections.29/05/2020 09:55:1929/05/2020 09:55:19
The integrity of logging data is protected, or any modification is detected and attributed.29/05/2020 09:55:1929/05/2020 09:55:19
The logging architecture has mechanisms, processes and procedures to ensure that it can protect itself from threats comparable to those it is trying to identify. This includes protecting the function itself, and the data within it.29/05/2020 09:55:1929/05/2020 09:55:19
Log data analysis and normalisation is only performed on copies of the data keeping the master copy unaltered.29/05/2020 09:55:1929/05/2020 09:55:19
Logging datasets are synchronised, using an accurate common time source, so separate datasets can be correlated in different ways.29/05/2020 09:55:1929/05/2020 09:55:19
Access to logging data is limited to those with business need and no others.29/05/2020 09:55:1929/05/2020 09:55:19
All actions involving all logging data (e.g. copying, deleting or modification, or even viewing) can be traced back to a unique user.29/05/2020 09:55:1929/05/2020 09:55:19
Legitimate reasons for accessing logging data are given in use policies.29/05/2020 09:55:1929/05/2020 09:55:19
Only authorised staff can view logging data for investigations.29/05/2020 09:55:1929/05/2020 09:55:19
Privileged users can view logging information.29/05/2020 09:55:1929/05/2020 09:55:19
There is some monitoring of access to logging data. (e.g. copying, deleting or modification, or even viewing.)29/05/2020 09:55:1929/05/2020 09:55:19
It is not possible for logging data to be easily edited or deleted by unauthorised users or malicious attackers.29/05/2020 09:55:1929/05/2020 09:55:19
There is a controlled list of who can view and query logging information.29/05/2020 09:55:1929/05/2020 09:55:19
There is monitoring of the access to logging data.29/05/2020 09:55:1929/05/2020 09:55:19
There is policy for accessing logging data.29/05/2020 09:55:1929/05/2020 09:55:19
Logging is synchronised, using an accurate common time source.29/05/2020 09:55:1929/05/2020 09:55:19
Logging data is enriched with other network knowledge and data when investigating certain suspicious activity or alerts.29/05/2020 09:55:1929/05/2020 09:55:19
A wide range of signatures and indicators of compromise are used for investigations of suspicious activity and alerts.29/05/2020 09:55:1929/05/2020 09:55:19
Alerts can be easily resolved to network assets using knowledge of networks and systems.29/05/2020 09:55:1929/05/2020 09:55:19
Security alerts relating to all essential functions are prioritised and this information is used to support incident management.29/05/2020 09:55:1929/05/2020 09:55:19
Logs are reviewed almost continuously, in real time.29/05/2020 09:55:1929/05/2020 09:55:19
Alerts are tested to ensure that they are generated reliably and that it is possible to distinguish genuine security incidents from false alarms.29/05/2020 09:55:1929/05/2020 09:55:19
Alerts from third party security software are investigated, and action taken.29/05/2020 09:55:1929/05/2020 09:55:19
Some logging datasets can be easily queried with search tools to aid investigations.29/05/2020 09:55:1929/05/2020 09:55:19
The resolution of alerts to a network asset or system is performed regularly. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Security alerts relating to some essential functions are prioritised. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Logs are reviewed at regular intervals. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Alerts from third party security software are investigated, e.g. from Anti-Virus (AV) providers. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Logs aren't distributed across devices with no easy way to access them other than manual login or physical action. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
The resolution of alerts to a network asset or system is performed. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Security alerts relating to essential functions are prioritised. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Logs are reviewed frequently. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have selected threat intelligence feeds using risk-based and threat-informed decisions based on your business needs and sector (e.g. vendor reporting and patching, strong anti-virus providers, sector and community-based infoshare). | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You apply all new signatures and IoCs within a reasonable (risk-based) time of receiving them. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You receive signature updates for all your protective technologies (e.g. AV, IDS). | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You track the effectiveness of your intelligence feeds and actively share feedback on the usefulness of IoCs and any other indicators with the threat community (e.g. sector partners, threat intelligence providers, government agencies). | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your organisation uses some threat intelligence services, but you don't choose providers specifically because of your business needs, or specific threats in your sector (e.g. sector-based infoshare, ICS software vendors, anti-virus providers, specialist threat intel firms). | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You receive updates for all your signature-based protective technologies (e.g. AV, IDS). | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You apply some updates, signatures and IoCs in a timely way. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You know how effective your threat intelligence is (e.g. by tracking how threat intelligence helps you identify security problems). | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your organisation has sources of threat intelligence. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You apply updates in a timely way after receiving them (e.g. AV signature updates, other threat signatures or Indicators of Compromise (IoCs)). | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You receive signature updates for all protective technologies such as AV and IDS or other software in use. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You evaluate the usefulness of your threat intelligence and share feedback with providers or other users. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have monitoring staff, who are responsible for the analysis, investigation and reporting of monitoring alerts covering both security and performance. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Monitoring staff have defined roles and skills that cover all parts of the monitoring and investigation process. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Monitoring staff follow processes and procedures that address all governance reporting requirements, internal and external. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Monitoring staff are empowered to look beyond the fixed process to investigate and understand non-standard threats, by developing their own investigative techniques and making new use of data. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your monitoring tools make use of all logging data collected to pinpoint activity within an incident. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Monitoring staff and tools drive and shape new log data collection and can make wide use of it. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Monitoring staff are aware of the operation of essential functions and related assets and can identify and prioritise alerts or investigations that relate to them. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Monitoring staff have some investigative skills and a basic understanding of the data they need to work with. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Monitoring staff can report to other parts of the organisation (e.g. security directors, resilience managers). | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Monitoring staff are capable of following most of the required workflows. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your monitoring tools can make use of logging that would capture most unsophisticated and untargeted attack types. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your monitoring tools work with most logging data, with some configuration. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Monitoring staff are aware of some essential functions and can manage alerts relating to them. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
There are staff who perform a monitoring function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Monitoring staff have the correct specialist skills. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Monitoring staff are capable of reporting against governance requirements. Monitoring staff have the skills to successfully perform any part of the defined workflow. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Monitoring tools are able to make use of all logging data being collected. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Monitoring tools can be configured to make use of new logging streams as they come online. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Monitoring staff have full awareness of the essential functions the organisation provides, what assets relate to those functions and hence the importance of the logging data and security events. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Normal system behaviour is fully understood to such an extent that searching for system abnormalities is a potentially effective way of detecting malicious activity (e.g. you fully understand which systems should and should not communicate and when). | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
System abnormality descriptions from past attacks and threat intelligence, on yours and other networks, are used to signify malicious activity. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
The system abnormalities you search for consider the nature of attacks likely to impact on the networks and information systems supporting the operation of essential functions. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
The system abnormality descriptions you use are updated to reflect changes in your networks and information systems and current threat intelligence. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Normal system behaviour is sufficiently understood to be able to use system abnormalities to detect malicious activity. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have an established understanding of what abnormalities to look for that might signify malicious activities. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You routinely search for system abnormalities indicative of malicious activity on the networks and information systems supporting the operation of your essential function, generating alerts based on the results of such searches. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have justified confidence in the effectiveness of your searches for system abnormalities indicative of malicious activity. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You routinely search for system abnormalities indicative of malicious activity. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your incident response plan is based on a clear understanding of the security risks to the networks and information systems supporting your essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your incident response plan is comprehensive (i.e. covers the complete lifecycle of an incident, roles and responsibilities, and reporting) and covers likely impacts of both known attack patterns and of possible, previously unseen attacks. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your incident response plan is documented and integrated with wider organisational business and supply chain response plans. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your incident response plan is communicated to and understood by the business areas involved with the operation of your essential functions. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your response plan covers your essential functions. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your response plan comprehensively covers scenarios that are focused on likely impacts of known and well-understood attacks only. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your response plan is understood by all staff who are involved with your organisation's response function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your response plan is documented and shared with all relevant stakeholders. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your incident response plan is documented. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your incident response plan includes your organisation's identified essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your incident response plan is well understood by relevant staff. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You understand the resources that will likely be needed to carry out any required response activities, and arrangements are in place to make these resources available. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You understand the types of information that will likely be needed to inform response decisions, and arrangements are in place to make this information available. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your response team members have the skills and knowledge required to decide on the response actions necessary to limit harm, and the authority to carry them out. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Back-up mechanisms are available that can be readily activated to allow continued operation of your essential function (although possibly at a reduced level) if primary networks and information systems fail or are unavailable. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Arrangements exist to augment your organisation's incident response capabilities with external support if necessary (e.g. specialist cyber incident responders). | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Adequate arrangements have been made to make the right resources available to implement your response plan. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your response team members are equipped to make good response decisions and put them into effect. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Adequate back-up mechanisms exist to allow the continued operation of your essential function during an incident. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Exercise scenarios are based on incidents experienced by your and other organisations, or are composed using experience or threat intelligence. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Exercise scenarios are documented, regularly reviewed, and validated. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Exercises are routinely run, with the findings documented and used to refine incident response plans and protective security, in line with the lessons learned. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Exercises test all parts of your response cycle relating to your essential functions (e.g. restoration of normal function levels). | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Exercises test all parts of the process. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Incident response exercises are routinely carried out and are carried out in a systematic way. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Outputs from exercises are fed into the organisation's lessons learned process. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Exercises test all parts of the response cycle. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Root cause analysis is conducted routinely as a key part of your lessons learned activities following an incident. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your root cause analysis is comprehensive, covering organisational process issues as well as vulnerabilities in your networks, systems or software. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
All relevant incident data is made available to the analysis team to perform root cause analysis. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You are usually able to resolve incidents to a root cause. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have a formal process for investigating causes. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have a documented incident review process/policy which ensures that lessons learned from each incident are identified, captured, and acted upon. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Lessons learned cover issues with reporting, roles, governance, skills and organisational processes as well as technical aspects of networks and information systems. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You use lessons learned to improve security measures, including updating and retesting response plans when necessary. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Security improvements identified as a result of lessons learned are prioritised, with the highest priority improvements completed quickly. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Analysis is fed to senior management and incorporated into risk management and continuous improvement. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Following incidents, lessons learned are captured and aren't limited in scope. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Improvements arising from lessons learned following an incident are implemented and given sufficient organisational priority. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Access control resilience and access privileges are reviewed frequently. | 31/03/2020 13:37:05 | 14/04/2020 16:41:03
Your business has the capability and technology to support communication while employees are working from home. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
All devices use mobile device management software to be able to remotely lock access to the device, erase the data stored on it, or retrieve a backup of this data. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
Security Incident and Event Monitoring systems have been reviewed to ensure rules are effective for home workers. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
Employees have secure access to the software necessary to continue working from home, such as instant communication, video conferencing and effective planning tools. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
Employees have the relevant accounts and access to continue their day-to-day business. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
Employees have complex passwords that are difficult to guess and are at least 8 characters in length on all internet routers or hardware firewall devices. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
Employees can only access laptops, computers and servers in your organisation (and the applications they contain) by entering a unique user name and password. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
Two-factor authentication has been reviewed and implemented on accounts where appropriate. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
If appropriate, Virtual Private Networks are available to allow users to securely access your organisation's IT resources. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
Furloughed workers' accounts are de-activated if access to systems is no longer required. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
Your business has software firewalls enabled on all computers and laptops. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
Your employees have changed the default password on home routers. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
You have an effective Bring Your Own Device (BYOD) policy that employees are aware of. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
A policy is in place ensuring frequent communication with employees so that they feel motivated and supported. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
Government recommendations are disseminated to and adhered to by employees. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
Your employees know how to report any security problems they may have with their devices and software when working from home. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
Your organisation has outlined rules on which operations can be carried out on personal devices, for example restricting access to emails on personal devices. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
Your organisation has laid out minimum security requirements, or even mandates company-sanctioned security tools, as a condition for allowing personal devices to connect to company data and network resources. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
All operating systems and firmware on your devices are supported by a supplier that produces regular fixes for any security problems. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
Encryption has been reviewed and configured to ensure home workers are protected. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
Your organisation monitors the number of devices operating on your business network. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
Your business has produced an easily accessible series of "how to" guides to support the identification of phishing emails. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
Your employees understand that they should flag all suspicious emails as spam or junk and alert you and your email provider that they are potentially unsafe. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
All employees keep devices safe and secure when in and out of use. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
All employees know the protocol to follow when reporting a device as lost or stolen. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
All employees understand the importance of keeping software up to date, and know how to do this. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
Your business supplies guides for any new software or software features that have been implemented for home working. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
Your business supplies a series of "how to" guides, webinars and/or online workshops in order to support home working. | 31/03/2020 13:37:05 | 31/03/2020 13:37:05
Q27 Is user account creation subject to a full provisioning and approval process?17/12/2019 20:15:3417/12/2019 20:15:34
Q28 Are system administrative access privileges restricted to a limited number of authorised individuals?17/12/2019 20:15:3417/12/2019 20:15:34
Q29 Are user accounts assigned to specific individuals and are staff trained not to disclose their password to anyone?17/12/2019 20:15:3417/12/2019 20:15:34
Q30 Are all administrative accounts (including service accounts) only used to perform legitimate administrative activities, with no access granted to external email or the Internet?17/12/2019 20:15:3417/12/2019 20:15:34
Q31 Are system administrative accounts (including service accounts) configured to lock out after a number of unsuccessful attempts?17/12/2019 20:15:3417/12/2019 20:15:34
Q32 Is there a password policy covering the following points: a) How to avoid choosing obvious passwords (such as those based on easily-discoverable information). b) Not to choose common passwords (use of technical means, using a password blacklist recommended). c) No password reuse. d) Where and how they may record passwords to store and retrieve them securely. e) If password management software is allowed, if so, which. f) Which passwords they really must memorise and not record anywhere.17/12/2019 20:15:3417/12/2019 20:15:34
Q33 Are users authenticated using difficult to guess passwords, as a minimum, before being granted access to applications and computers?17/12/2019 20:15:3417/12/2019 20:15:34
Q34 Are user accounts removed or disabled when no longer required (e.g. when an individual changes role or leaves the organisation) or after a predefined period of inactivity (e.g. 3 months)?17/12/2019 20:15:3417/12/2019 20:15:34
Q35 Are data shares (shared drives) configured to provide access strictly linked to job function in order to maintain the security of information held within sensitive business functions such as HR and Finance?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.1.1 Does your organisation outline the procedures on access control policy?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.1.2. Does your organisation outline the procedures on access to networks and network services?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.2.1 Does your organisation outline the procedures on user registration and de-registration?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.2.2 Does your organisation outline the procedures on user access provisioning?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.2.3 Does your organisation outline the procedures on management of privileged access rights?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.2.4 Does your organisation outline the procedures on management of secret authentication information of users?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.2.5 Does your organisation outline the procedures on review of user access rights?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.2.6 Does your organisation outline the procedures on removal or adjustment of access rights?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.3.1 Does your organisation outline the procedures on the use of secret authentication information?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.4.1 Does your organisation outline the procedures on information access restriction?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.4.2 Does your organisation outline the procedures on secure log-on procedures?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.4.3 Does your organisation outline the procedures on password management system?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.4.4 Does your organisation outline the procedures on use of privileged utility programs?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.4.5 Does your organisation outline the procedures on access control to program source code?17/12/2019 20:15:3417/12/2019 20:15:34
Q25 Do you have a formal process for giving someone access to systems at an “administrator” level? Describe the process.17/12/2019 20:15:3417/12/2019 20:15:34
Q26 How do you ensure that staff only use administrator accounts to carry out administrative activities (such as installing software or making configuration changes)?17/12/2019 20:15:3417/12/2019 20:15:34
Q27 How do you ensure that administrator accounts are not used for accessing email or web browsing?17/12/2019 20:15:3417/12/2019 20:15:34
Q28 Do you formally track which users have administrator accounts in your organisation?17/12/2019 20:15:3417/12/2019 20:15:34
Q29 Do you review who should have administrative access on a regular basis?17/12/2019 20:15:3417/12/2019 20:15:34
Q30 Have you enabled two-factor authentication for access to all administrative accounts?17/12/2019 20:15:3417/12/2019 20:15:34
A.8.1.1 Does your organisation have an inventory of assets?17/12/2019 20:15:3417/12/2019 20:15:34
A.8.1.2 Does your organisation outline ownership of assets in the inventory?17/12/2019 20:15:3417/12/2019 20:15:34
A.8.1.3 Does your organisation outline the acceptable use of assets in set rules of the company?17/12/2019 20:15:3417/12/2019 20:15:34
A8.1.4 Does your organisation outline the policy of the returning of assets to all employees?17/12/2019 20:15:3417/12/2019 20:15:34
A8.2.1 Does your organisation outline the classification of information?17/12/2019 20:15:3417/12/2019 20:15:34
A8.2.2 Does your organisation outline the labelling of information procedures?17/12/2019 20:15:3417/12/2019 20:15:34
A.8.2.3 Does your organisation outline the handling of assets procedures?17/12/2019 20:15:3417/12/2019 20:15:34
A8.3.1 Does your organisation outline the policy on management of removable media procedures?17/12/2019 20:15:3417/12/2019 20:15:34
A.8.3.2. Does your organisation outline the procedures on disposal of media?17/12/2019 20:15:3417/12/2019 20:15:34
A.8.3.3 Does your organisation outline the procedures on physical media transfer?17/12/2019 20:15:3417/12/2019 20:15:34
A.13.1.1 What are your organisation's procedures on network controls?17/12/2019 20:15:3417/12/2019 20:15:34
A.13.1.2 What are your organisation's procedures on security of network services?17/12/2019 20:15:3417/12/2019 20:15:34
A.13.1.3 What are your organisation's procedures on segregation in networks?17/12/2019 20:15:3417/12/2019 20:15:34
A.13.2.1 What are your organisation's procedures on information transfer policies and procedures?17/12/2019 20:15:3417/12/2019 20:15:34
A.13.2.2 Does your organisation have procedures in place on agreements on information transfer?17/12/2019 20:15:3417/12/2019 20:15:34
A.13.2.3 Does your organisation have procedures in place on agreements on electronic messaging?17/12/2019 20:15:3417/12/2019 20:15:34
A.13.2.4 Does your organisation have procedures in place on agreements on confidentiality or non disclosure agreements?17/12/2019 20:15:3417/12/2019 20:15:34
A.18.1.1 Does your organisation have procedures in place on identification of applicable legislation and contractual requirements?17/12/2019 20:15:3417/12/2019 20:15:34
A.18.1.2 Does your organisation have procedures in place on intellectual property rights?17/12/2019 20:15:3417/12/2019 20:15:34
A.18.1.3 Does your organisation have procedures in place on protection of records?17/12/2019 20:15:3417/12/2019 20:15:34
A.18.1.4 Does your organisation have procedures in place on privacy and protection of personally identifiable information?17/12/2019 20:15:3417/12/2019 20:15:34
A.18.1.5 How does your organisation implement regulation of cryptographic controls?17/12/2019 20:15:3417/12/2019 20:15:34
A.18.2.1 Does your organisation have procedures in place on independent review of information security?17/12/2019 20:15:3417/12/2019 20:15:34
A.18.2.2 Does your organisation have procedures in place on compliance with security policies and standards?17/12/2019 20:15:3417/12/2019 20:15:34
A.18.2.3 Does your organisation have policies on implementing technical compliance?17/12/2019 20:15:3417/12/2019 20:15:34
A.10.1.1 Does your organisation outline the procedures on policy on the use of cryptographic controls?17/12/2019 20:15:3417/12/2019 20:15:34
A.10.1.2 Does your organisation have an outlined list of procedures regarding key management?17/12/2019 20:15:3417/12/2019 20:15:34
Q1 Have one or more firewalls (or similar network device) been installed on the boundary of the organisation’s internal network(s)?17/12/2019 20:15:3417/12/2019 20:15:34
Q2 Has the default administrative password of the firewall (or equivalent network device) been changed to an alternative difficult to guess password?17/12/2019 20:15:3417/12/2019 20:15:34
Q3 Has each open connection (i.e. allowed ports and services) on the firewall been subject to approval by an authorised business representative and documented (including an explanation of business need)?17/12/2019 20:15:3417/12/2019 20:15:34
Q4 Have vulnerable services (e.g. Server Message Block (SMB), NetBIOS, Telnet, TFTP, RPC, rlogin, rsh or rexec) been disabled (blocked) by default and those that are allowed have a business justification?17/12/2019 20:15:3417/12/2019 20:15:34
Q5 Have firewall rules that are no longer required been removed or disabled?17/12/2019 20:15:3417/12/2019 20:15:34
Q6 Are firewall rules subject to regular review?17/12/2019 20:15:3417/12/2019 20:15:34
Q7 Have computers that do not need to connect to the Internet been prevented from initiating connections to the Internet (Default deny)?17/12/2019 20:15:3417/12/2019 20:15:34
Q8 Has the administrative interface used to manage the boundary firewall been configured such that it is not accessible from the Internet?17/12/2019 20:15:3417/12/2019 20:15:34
Q8a If the answer to Q8 is no, does the administrative interface require second factor authentication or is access limited to a specific address?17/12/2019 20:15:3417/12/2019 20:15:34
A.7.1.1 Does your organisation have an employee screening policy?17/12/2019 20:15:3417/12/2019 20:15:34
A.7.1.2 Does your organisation have a Terms and Conditions of employment in place?17/12/2019 20:15:3417/12/2019 20:15:34
A7.2.1 Does your organisation have a information packet outlining all possible management responsibilities?17/12/2019 20:15:3417/12/2019 20:15:34
A7.2.2 Does your organisation implement information security awareness, education and training?17/12/2019 20:15:3417/12/2019 20:15:34
A7.2.3. Does your organisation have a formal disciplinary process?17/12/2019 20:15:3417/12/2019 20:15:34
A7.3.1 Does your organisation have a termination or change of employment responsibilities outlined in an information packet?17/12/2019 20:15:3417/12/2019 20:15:34
A.17.1.1 Does your organisation have procedures in place on planning information security continuity?17/12/2019 20:15:3417/12/2019 20:15:34
A.17.1.2 Does your organisation have procedures in place on implementing information security continuity?17/12/2019 20:15:3417/12/2019 20:15:34
A.17.1.3 Does your organisation have procedures in place to verify, review and evaluate information security continuity?17/12/2019 20:15:3417/12/2019 20:15:34
A.17.2.1 Does your organisation have procedures in place for availability of information processing facilities?17/12/2019 20:15:3417/12/2019 20:15:34
A.16.1.1 Does your organisation have procedures in place on responsibilities?17/12/2019 20:15:3417/12/2019 20:15:34
A.16.1.2 Does your organisation have procedures in place on reporting information security events?17/12/2019 20:15:3417/12/2019 20:15:34
A.16.1.3 Does your organisation have procedures in place on reporting information security weaknesses?17/12/2019 20:15:3417/12/2019 20:15:34
A.16.1.4 Does your organisation have procedures in place on assessment of and decision on information security events?17/12/2019 20:15:3417/12/2019 20:15:34
A.16.1.5 Does your organisation have procedures in place on response to information security incidents?17/12/2019 20:15:3417/12/2019 20:15:34
A.16.1.6 Does your organisation have procedures in place on learning from information security incidents?17/12/2019 20:15:3417/12/2019 20:15:34
A.16.1.7 Does your organisation have procedures in place on collection of evidence?17/12/2019 20:15:3417/12/2019 20:15:34
A5.1.1 Does your organisation have policies for information security?17/12/2019 20:15:3417/12/2019 20:15:34
A5.1.2 Does your organisation review information security policies at planned intervals or if significant changes have occurred?17/12/2019 20:15:3417/12/2019 20:15:34
Q31 Are all of your computers, laptops, tablets and mobile phones protected from malware by either: A - having anti-malware software installed, B - limiting installation of applications to an approved set (i.e. using an App Store and a list of approved applications) or C - application sandboxing (i.e. by using a virtual machine)?17/12/2019 20:15:3417/12/2019 20:15:34
Q31a Where you have anti-malware software installed, is it set to update daily and scan files automatically upon access?17/12/2019 20:15:3417/12/2019 20:15:34
Q31b Where you have anti-malware software installed, is it set to scan web pages you visit and warn you about accessing malicious websites?17/12/2019 20:15:3417/12/2019 20:15:34
Q36 Which of the following does the organisation mainly rely on for malware protection:17/12/2019 20:15:3417/12/2019 20:15:34
Q37 Has anti-virus or malware protection software been installed on all computers that are connected to or capable of connecting to the Internet?17/12/2019 20:15:3417/12/2019 20:15:34
Q38 Has anti-virus or malware protection software (including program/engine code and malware signature files) been kept up-to-date (either by configuring it to update automatically or through the use of centrally managed service)?17/12/2019 20:15:3417/12/2019 20:15:34
Q39 Has anti-virus or malware protection software been configured to scan files automatically upon access (including when downloading and opening files, accessing files on removable storage media or a network folder) and scan web pages when accessed (via a web browser)?17/12/2019 20:15:3417/12/2019 20:15:34
Q40 Has malware protection software been configured to perform regular periodic scans (eg daily)?17/12/2019 20:15:3417/12/2019 20:15:34
Q41 Are all applications which execute on devices approved by the business and restricted by code signing or other protection mechanisms?17/12/2019 20:15:3417/12/2019 20:15:34
Q42 Does the organisation maintain a list of approved applications?17/12/2019 20:15:3417/12/2019 20:15:34
Q43 Are users prevented from installing any other applications?17/12/2019 20:15:3417/12/2019 20:15:34
Q44 Is any unknown code limited to execute within a sandbox and cannot access other resources unless the user grants explicit permission?17/12/2019 20:15:3417/12/2019 20:15:34
Q1 Do you have firewalls at the boundaries between your organisation's internal networks and the internet?17/12/2019 20:15:3417/12/2019 20:15:34
Q2 When you first receive an internet router or hardware firewall device it will have had a default password on it. Has this initial password been changed on all such devices? How do you achieve this?17/12/2019 20:15:3417/12/2019 20:15:34
Q3 Is the new password on all your internet routers or hardware firewall devices at least 8 characters in length and difficult to guess?17/12/2019 20:15:3417/12/2019 20:15:34
Q4 Do you change the password when you believe it may have been compromised? How do you achieve this?17/12/2019 20:15:3417/12/2019 20:15:34
Q5 Do you have any services enabled that are accessible externally from your internet routers or hardware firewall devices for which you do not have a documented business case?17/12/2019 20:15:3417/12/2019 20:15:34
Q6 Have you configured your internet routers or hardware firewall devices so that they block all other services from being advertised to the internet?17/12/2019 20:15:3417/12/2019 20:15:34
Q7 Are your internet routers or hardware firewalls configured to allow access to their configuration settings over the internet?17/12/2019 20:15:3417/12/2019 20:15:34
Q8 Do you have software firewalls enabled on all of your computers and laptops?17/12/2019 20:15:3417/12/2019 20:15:34
A.12.1.1 | Does your organisation have a policy on documented operating procedures? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.12.1.2 | What are your organisation's procedures on change management? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.12.1.3 | What are your organisation's procedures on capacity management? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.12.1.4 | What are your organisation's procedures on separation of development, testing and operational environments? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.12.2.1 | What are your organisation's procedures on controls against malware? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.12.3.1 | What are your organisation's procedures on information backup? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.12.4.1 | Does your organisation have procedures on event logging? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.12.4.2 | What are your organisation's procedures on protection of log information? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.12.4.3 | What are your organisation's procedures on administrator and operator logs? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.12.5.1 | What are your organisation's procedures on installation of software on operational systems? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.12.6.1 | What are your organisation's procedures on management of technical vulnerabilities? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.12.6.2 | What are your organisation's procedures on restrictions on software installations? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.12.7.1 | What are your organisation's procedures on information systems audit controls? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.6.1.1 | How does your organisation assign information security roles and responsibilities? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.6.1.2 | How does your organisation implement segregation of duties? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.6.1.3 | Has your organisation identified and made contact with relevant authorities? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.6.1.4 | Does your organisation maintain contact with special interest groups? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.6.1.5 | Is information security addressed within your organisation's project management? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.6.2.1 | Does your organisation have a mobile device policy? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.6.2.2 | Does your organisation have a teleworking policy? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q45 | Do you apply security patches to all software running on computers and network devices? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q46 | Is software running on computers that are connected to or capable of connecting to the Internet licensed and supported (by the software vendor or supplier of the software) to ensure security patches for known vulnerabilities are made available? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q47 | Has out-of-date or older software been removed from computers and network devices that are connected to or capable of connecting to the Internet? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q48 | Have all security patches for software running on computers and network devices that are connected to or capable of connecting to the Internet been installed within 14 days of release, or automatically when they become available from vendors? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q49 | Are all smartphones kept up to date with vendor updates and application updates? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q50 | Are all tablets kept up to date with vendor updates and application updates? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q51 | Do you perform regular vulnerability scans of your internal networks and workstations to identify possible problems and ensure they are addressed? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q52 | Do you perform regular vulnerability scans (annual or more frequent) of your external network to identify possible problems and ensure they are addressed? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
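Q48 is the one question in this group with a measurable deadline: 14 days from the vendor's release, for every security update that is rated critical or high-risk. As an added example that is not part of the original questionnaire, the script below classifies an update inventory against that window. The inventory, product names and dates are constructed, and the set of severity labels treated as in scope ("critical" and "high") is an assumption about how the vendor ratings have been normalised.

```python
"""Check security updates against the 14-day installation window (Q45, Q48).

Added example, not part of the original questionnaire. INVENTORY is a
constructed list of updates; every product name and date is invented.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = 14                      # the window the question asks about
IN_SCOPE = {"critical", "high"}    # assumption: normalised vendor ratings that must meet it


@dataclass(frozen=True)
class Update:
    name: str
    severity: str                  # vendor rating, lower-cased
    released: date                 # vendor release date, not the date we noticed it
    installed: Optional[date]      # None means still pending


def classify(u: Update, today: date, sla_days: int = SLA_DAYS) -> str:
    """Return one of: out-of-scope, installed-on-time, installed-late, pending, pending-overdue."""
    if u.severity not in IN_SCOPE:
        return "out-of-scope"
    deadline = u.released + timedelta(days=sla_days)
    if u.installed is not None:
        return "installed-on-time" if u.installed <= deadline else "installed-late"
    return "pending-overdue" if today > deadline else "pending"


def patch_report(updates, today, sla_days=SLA_DAYS):
    """Group update names by status; installed-late and pending-overdue are failures."""
    report = {}
    for u in updates:
        report.setdefault(classify(u, today, sla_days), []).append(u.name)
    return report


# Constructed inventory as of the audit date below.
AUDIT_DATE = date(2019, 12, 17)
INVENTORY = [
    Update("OS cumulative update 2019-12", "critical", date(2019, 12, 10), None),                # 7 days old, still within window
    Update("OS cumulative update 2019-11", "critical", date(2019, 11, 12), date(2019, 11, 20)),  # installed on day 8
    Update("Browser 78.0.2", "high", date(2019, 11, 25), None),                                  # 22 days old and pending
    Update("PDF reader 2019.021", "critical", date(2019, 10, 15), date(2019, 11, 8)),            # installed on day 24
    Update("Office feature pack", "moderate", date(2019, 11, 1), None),                          # not a high-risk update
]

if __name__ == "__main__":
    for status, names in sorted(patch_report(INVENTORY, AUDIT_DATE).items()):
        print(f"{status:18} {', '.join(names)}")
```

The deadline is counted from the vendor release date, not from the date the update was noticed or approved, because that is how the question is worded; an update installed after its deadline is still reported as installed-late so that the audit record shows the miss rather than hiding it behind the current patch level. Software that is out of support (Q46, Q47) never appears as a pending update at all and needs a separate inventory check.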
A.11.1.1 | Does your organisation have documented procedures on the physical security perimeter? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.11.1.2 | Does your organisation have documented procedures on physical entry controls? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.11.1.3 | Does your organisation have documented procedures on securing offices, rooms and facilities? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.11.1.4 | How does your organisation implement procedures protecting against external and environmental threats? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.11.1.5 | How does your organisation implement procedures on working in secure areas? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.11.1.6 | What are your organisation's procedures on delivery and loading areas? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.11.2.1 | What are your organisation's procedures on equipment siting and protection? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.11.2.2 | What are your organisation's procedures on supporting utilities? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.11.2.3 | What are your organisation's procedures on cabling security? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.11.2.4 | What are your organisation's procedures on equipment maintenance? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.11.2.5 | What are your organisation's procedures on removal of assets? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.11.2.6 | What are your organisation's procedures on security of equipment and assets off-premises? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.11.2.7 | What are your organisation's procedures on secure disposal or reuse of equipment? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.11.2.8 | What are your organisation's procedures on unattended user equipment? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.11.2.9 | What are your organisation's procedures on a clear desk and clear screen policy? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q9 | Are unnecessary user accounts on internal workstations (or the equivalent Active Directory domain), e.g. Guest or previous employees, removed or disabled? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q10 | Have default passwords for any user accounts been changed to a difficult-to-guess password? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q11 | Are strong, complex passwords defined in policy and enforced technically for all users and administrators? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q12 | Has the auto-run feature been disabled (to prevent software programs running automatically when removable storage media is connected to a computer or network folders are mounted)? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q13 | Has unnecessary (frequently vendor-bundled) software been removed or disabled, and do systems only have software on them that is required to meet business requirements? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q14 | Is all additional software added to workstations approved by IT or management staff prior to installation, and are standard users prevented from installing software? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q15 | Has a personal firewall (or equivalent) been enabled on desktop PCs and laptops, and configured to block unapproved connections by default? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q16 | Are all user workstations built from a fully hardened base platform to ensure consistency and security across the estate? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q17 | Are Active Directory (or equivalent directory service) controls used to centralise the management and deployment of hardening and lockdown policies? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q18 | Are proxy servers used to provide controlled access to the Internet for relevant machines and users? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q19 | Is an offline backup or file journaling policy and solution in place to provide protection against malware that encrypts user data files? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q20 | Is there a corporate policy on log retention and the centralised storage and management of log information? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q21 | Are log files retained for operating systems on both servers and workstations? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q22 | Are log files retained for relevant applications on both servers (including DHCP logs) and workstations for a period of at least three months? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q23 | Are Internet access log files (for both web and mail) retained for a period of at least three months? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q24 | Are mobile devices and tablets managed centrally to provide remote wiping and locking in the event of loss or theft? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q25 | Is a Mobile Device Management solution in place for hardening and controlling all mobile platforms in use within the organisation? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q26 | Does remote (Internet) access to commercially or personally sensitive data and critical information require authentication? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q9 | Where you are able to do so, have you removed or disabled all the software that you do not use on your laptops, computers, servers, tablets and mobile phones? Describe how you achieve this. | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q10 | Have you ensured that all your laptops, computers, servers, tablets and mobile devices only contain necessary user accounts that are regularly used in the course of your business? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q11 | Have you changed the default password for all user and administrator accounts on all your laptops, computers, servers, tablets and smartphones to a non-guessable password of 8 characters or more? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q12 | Do all your users and administrators use passwords of at least 8 characters? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q13 | Do you run software that provides sensitive or critical information (that shouldn't be made public) to external users across the internet? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q14 | Is 'auto-run' or 'auto-play' disabled on all of your systems? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q15 | Are all operating systems and firmware on your devices supported by a supplier that produces regular fixes for any security problems? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q16 | Are all applications on your devices supported by a supplier that produces regular fixes for any security problems? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q17 | Is all software licensed in accordance with the publisher's recommendations? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q18 | Are all high-risk or critical security updates for operating systems and firmware installed within 14 days of release? Describe how you achieve this. | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q19 | Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Adobe Flash) installed within 14 days of release? Describe how you achieve this. | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q20 | Have you removed any applications on your devices that are no longer supported and no longer receive regular fixes for security problems? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.15.1.1 | Does your organisation have procedures in place on an information security policy for supplier relationships? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.15.1.2 | Does your organisation have procedures in place on addressing security within supplier agreements? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.15.1.3 | Does your organisation have procedures in place on the information and communication technology supply chain? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.15.2.1 | Does your organisation have procedures in place on monitoring and review of supplier services? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.15.2.2 | How does your organisation manage changes to supplier services? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.14.1.1 | Does your organisation have procedures in place on information security requirements analysis and specification? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.14.1.2 | Does your organisation have procedures in place on securing application services on public networks? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.14.1.3 | Does your organisation have procedures in place on protecting application services transactions? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.14.2.1 | Does your organisation have procedures in place on a secure development policy? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.14.2.2 | Does your organisation have procedures in place on system change control? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.14.2.3 | Does your organisation have procedures in place on technical review of applications after operating platform changes? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.14.2.4 | Does your organisation have procedures in place on restrictions on changes to software packages? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.14.2.5 | Does your organisation have procedures in place on secure system engineering principles? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.14.2.6 | Does your organisation have procedures in place to implement secure development environments? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.14.2.7 | Does your organisation have procedures in place on outsourced development? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.14.2.8 | Does your organisation have procedures in place on system security testing? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.14.2.9 | Does your organisation have procedures in place on system acceptance testing? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
A.14.3.1 | Does your organisation have procedures in place on protection of test data? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q21 | Are users only provided with user accounts after a process has been followed to approve their creation? Describe the process. | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q22 | Can laptops, computers and servers in your organisation (and the applications they contain) only be accessed by entering a unique user name and password? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q23 | How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation? | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
Q24 | How do you ensure that staff only have the privileges that they need to do their current job? Describe how you achieve this. | 17/12/2019 20:15:34 | 17/12/2019 20:15:34
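Q21 to Q24 ask about process, but the outcome of that process can be checked against a directory export, which also covers the earlier questions on removing unnecessary accounts such as Guest or those of previous employees and on keeping only accounts that are regularly used. The script below is an added example and not part of the original questionnaire: it compares a constructed account list with an invented HR leaver list and an invented role-to-group entitlement table, and reports enabled default accounts, accounts with no logon in 90 days (an assumed threshold), leavers still enabled, and group memberships beyond what the account's role needs.

```python
"""Audit accounts for leavers, dormancy, default accounts and excess privilege (Q21-Q24).

Added example, not part of the original questionnaire. ACCOUNTS, LEAVERS and
ROLE_ENTITLEMENTS are constructed: every name, role, group and date is invented.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

DORMANT_DAYS = 90                 # assumption: no logon for 90 days means the account is not in regular use
DEFAULT_ACCOUNTS = {"guest"}      # built-in accounts that should not be left enabled
# Assumed entitlement table: the privileged groups each job role legitimately needs (Q24).
ROLE_ENTITLEMENTS = {
    "helpdesk": {"Helpdesk Operators"},
    "sysadmin": {"Helpdesk Operators", "Domain Admins"},
    "finance": set(),
}


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    role: Optional[str]            # None for built-in or service accounts
    last_logon: Optional[date]     # None means the account has never logged on
    groups: frozenset = frozenset()


def audit(accounts, leavers, today, dormant_days=DORMANT_DAYS):
    """Return (account name, finding code, detail) triples; an empty list means no findings."""
    findings = []
    leaver_names = {name.lower() for name in leavers}
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled is the desired end state for leavers and default accounts
        lname = acct.name.lower()
        if lname in DEFAULT_ACCOUNTS:
            findings.append((acct.name, "default-account", "built-in account is enabled"))
        if lname in leaver_names:
            findings.append((acct.name, "leaver", "account of a leaver is still enabled (Q23)"))
        if acct.role is not None:
            if acct.last_logon is None or (today - acct.last_logon).days > dormant_days:
                findings.append((acct.name, "dormant", f"no logon in the last {dormant_days} days"))
            excess = set(acct.groups) - ROLE_ENTITLEMENTS.get(acct.role, set())
            if excess:
                findings.append((acct.name, "excess-privilege",
                                 "holds " + ", ".join(sorted(excess)) + f" not needed for role '{acct.role}' (Q24)"))
    return findings


# Constructed directory export and HR leaver list as of the audit date.
AUDIT_DATE = date(2019, 12, 17)
ACCOUNTS = [
    Account("Guest", True, None, None),
    Account("jsmith", True, "finance", date(2019, 12, 16), frozenset({"Domain Admins"})),
    Account("aparker", True, "helpdesk", date(2019, 7, 1), frozenset({"Helpdesk Operators"})),
    Account("bwells", True, "sysadmin", date(2019, 12, 10), frozenset({"Domain Admins", "Helpdesk Operators"})),
    Account("clee", True, "finance", date(2019, 11, 29)),
    Account("dmoore", False, "finance", date(2019, 6, 1)),
]
LEAVERS = ["clee", "dmoore"]

if __name__ == "__main__":
    for name, code, detail in audit(ACCOUNTS, LEAVERS, AUDIT_DATE):
        print(f"FAIL {code:17} {name}: {detail}")
```

The leaver check is driven by the HR list rather than by the directory, because the directory cannot know who has left; the dormancy check uses the directory's last-logon field, which on a multi-controller domain must be taken from the attribute that replicates (or aggregated across controllers), otherwise an active account can look unused.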