NHS DSPT: Protecting Against Cyber Attacks and Data Breaches - B3 Data security

B3.a Understanding Data

Key Point:
Your organisation must fully understand the data critical to its essential functions, including where it is stored, how it is transferred, and the impacts of unauthorised access, modification, or deletion.

Overview:
This outcome focuses on identifying and understanding the data supporting your organisation’s essential functions, assessing the risks of compromise or loss, and ensuring proper protection for both personal and non-personal data.

How to Meet the Requirement:
Begin by cataloguing all critical data—both personal data (e.g., patient or staff information) and non-personal data (e.g., operational or technical data). Use tools such as a Record of Processing Activities (ROPA) and Information Asset Register (IAR) to document where the data is stored, how it is used, and who is responsible for it. Also, understand which staff members need access to specific types of data.

You must assess the potential impacts of unauthorised access, modification, deletion, or unavailability of this data on essential functions, and incorporate these assessments into your risk management and business continuity planning.

Evidence to Provide:
Submit documents such as:

Ensure the documentation shows how you manage data risks, and its importance to essential operations.

Indicators of Good Practice:

B3.b Data in Transit

Key Point:
Your organisation must protect the transmission of critical data, both electronically and physically, to prevent unauthorised access or interception.

Overview:
This outcome ensures that data flows within and outside of your organisation are secure. You must identify all critical data transfers—whether through email, network connections, or physical transport—and protect them using appropriate security measures.

How to Meet the Requirement:
Identify key data flows that are critical to your operations. For electronic data, use encryption, secure email standards, and network protection mechanisms to safeguard data in transit. For physical data, ensure secure handling through trusted mail services, proper packaging, and other controls to prevent data breaches.

Document your data flows using diagrams, registers, or control documents that clearly show how data is transferred and protected.

Evidence to Provide:

Submit documentation such as:

Ensure your evidence demonstrates robust protections for both electronic and physical data transfers.

Indicators of Good Practice:

B3.c Stored Data

Key Point:
You must ensure that both electronic and physical data critical to your essential functions is protected from unauthorised access, modification, or deletion.

Overview:
This outcome addresses the protection of data that is stored, whether electronically or in physical form. Organisations must safeguard this data by applying security measures that prevent it from being accessed or compromised by unauthorised individuals.

How to Meet the Requirement:
For electronic data, use encryption, access controls, and regular backups to ensure data integrity and security. For physical data, such as paper records or ID cards, secure it in locked storage, restrict access, and follow appropriate disposal procedures. Both types of data should be catalogued and regularly reviewed to ensure they remain protected.

Evidence to Provide:

Submit documentation such as:

Ensure that your evidence demonstrates secure storage practices for both electronic and physical data.

Indicators of Good Practice:

B3.d Mobile Data

Key Point:
Your organisation must ensure that data critical to your essential functions, stored or accessed on mobile devices, is fully protected.

Overview:
This outcome ensures that mobile devices used within your organisation, such as smartphones, tablets, or laptops, are secure and that any critical data they hold or access is protected. This applies to both organisation-owned and personal devices used for work (BYOD).

How to Meet the Requirement:
Use mobile device management (MDM) systems to track devices and ensure they are configured with encryption and access controls. Limit the data stored on these devices to the minimum necessary for business purposes, and ensure that data is erased when no longer needed.

Catalogue all mobile devices in your asset register and ensure that they follow best practices for security configuration.

Evidence to Provide:

Submit documents such as:

Ensure your documentation demonstrates secure management and protection of mobile data.

Indicators of Good Practice:

B3.e Media and Equipment Sanitisation

Key Point:
Your organisation must securely sanitise all devices, equipment, and media containing critical data before reuse or disposal.

Overview:
This outcome ensures that when devices, media, or equipment are no longer in use, they are securely sanitised to prevent unauthorised recovery of data. This applies to both internal reuse and external disposal, and it covers data held on items such as hard drives, USB storage, and other removable or physical media.

How to Meet the Requirement:
Implement procedures to securely erase data from devices before reuse, disposal, or destruction. Use verified methods such as software sanitisation, physical destruction, or services certified by recognised standards (e.g., NCSC’s Assured Service (Sanitisation) scheme). Ensure that devices and media are tracked and accounted for until disposal is confirmed.

Contracts with third-party disposal services should include provisions for auditing their sanitisation procedures to ensure they meet security standards.
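One way to make the catalogue described in B3.a carry the evidence the later outcomes ask for, as an added example (not Periculo's or the DSPT's own tooling): each register entry records owner, location, impact assessment and the transit, storage, mobile and sanitisation controls applied, and a check reports which B3 outcomes an entry cannot yet evidence. The field names, control vocabularies and sample assets are constructed assumptions.

```python
# Added example (not Periculo's or the DSPT's own tooling): an Information Asset Register
# checked for evidence gaps against B3.a-B3.e. Field names and ACCEPTED_* sets are assumed.
from dataclasses import dataclass, field

ACCEPTED_TRANSIT = {"tls", "secure_email", "vpn", "tracked_courier"}                # B3.b
ACCEPTED_STORAGE = {"encrypted_at_rest", "access_controlled", "locked_cabinet"}      # B3.c
ACCEPTED_SANITISATION = {"software_wipe", "physical_destruction", "cas_s_service"}   # B3.e

@dataclass
class Asset:
    name: str
    owner: str = ""                  # B3.a: who is responsible for the data
    location: str = ""               # B3.a: where the data is stored
    impact_assessed: bool = False    # B3.a: impact of access/modification/loss recorded
    transit_controls: set = field(default_factory=set)
    storage_controls: set = field(default_factory=set)
    on_mobile: bool = False          # B3.d: held or accessed on a mobile device
    mdm_enrolled: bool = False
    sanitisation_method: str = ""

def check_asset(a: Asset) -> list:
    """Return the B3 outcomes this register entry does not yet evidence."""
    gaps = []
    if not (a.owner and a.location and a.impact_assessed):
        gaps.append("B3.a")
    if not a.transit_controls & ACCEPTED_TRANSIT:
        gaps.append("B3.b")
    if not a.storage_controls & ACCEPTED_STORAGE:
        gaps.append("B3.c")
    if a.on_mobile and not a.mdm_enrolled:
        gaps.append("B3.d")
    if a.sanitisation_method not in ACCEPTED_SANITISATION:
        gaps.append("B3.e")
    return gaps

def register_gaps(register) -> dict:
    """Map each asset name with outstanding gaps to the outcomes it fails to evidence."""
    return {a.name: g for a in register if (g := check_asset(a))}

# Constructed sample register with fictional assets.
SAMPLE_REGISTER = [
    Asset("Appointment database", "Head of IT", "On-prem SQL cluster", True,
          {"tls"}, {"encrypted_at_rest", "access_controlled"}, False, False, "cas_s_service"),
    Asset("Clinic laptops (cached records)", "Ops Manager", "Staff laptops", True,
          {"vpn"}, {"encrypted_at_rest"}, True, False, "software_wipe"),
    Asset("Paper referral forms", "", "Reception filing", False,
          {"tracked_courier"}, {"locked_cabinet"}, False, False, ""),
]

if __name__ == "__main__":
    for name, gaps in register_gaps(SAMPLE_REGISTER).items():
        print(f"{name}: no evidence for {', '.join(gaps)}")
```

Running it against the sample register flags the laptops for B3.d (mobile but not under MDM) and the paper forms for B3.a (no owner, no impact assessment) and B3.e (no sanitisation method recorded).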

Evidence to Provide:

Submit documentation such as:

Ensure that your evidence shows proper sanitisation and disposal procedures for all data-holding devices.

Indicators of Good Practice:

Protect your organisation’s data across all stages—from understanding and cataloguing to securely storing, transmitting, and disposing of it. Need assistance implementing robust data security policies? Periculo can help you ensure that your data remains secure at every step. Contact us today to safeguard your essential functions from data breaches and unauthorised access!
