NHS DSPT: Protecting Against Cyber Attacks and Data Breaches - B1 Policies, Processes and Procedures
Principle: B1 Policies, Processes, and Procedures
B1.a Policy, Process, and Procedure Development
Key Point:
Your organisation must develop and continuously improve a set of cyber security and information governance (IG) policies, processes, and procedures that effectively manage risks to your essential functions.
Overview:
This outcome focuses on ensuring that your organisation has a well-defined set of policies, processes, and procedures to manage cyber security and IG risks. These should be regularly reviewed and updated to remain effective and compliant with the latest legislation and regulations.
How to Meet the Requirement:
Your organisation should have a comprehensive suite of policies that guides its cyber security and IG activities. These policies should be risk-driven and signed off by a board-level representative. Review policies on a fixed schedule and after any significant change (for example a new system, a restructure, or a security incident), and hold them in a central location that all relevant staff can reach.
The policies should cover:
- Information governance topics like confidentiality, data protection, data breaches, and transparency.
- Cyber security topics such as acceptable use of IT, asset management, encryption, and patch management.
- Supply chain management addressing procurement and supplier obligations.
It is also important to ensure that your policies align with national legal and regulatory requirements, such as UK GDPR and National Cyber Security Centre (NCSC) guidance, and that they meet the requirements of the DSPT itself.
Evidence to Provide:
Submit documents like:
- Policies, procedures, and strategy documents
- Logs showing the approval, review, and management of policies
- Minutes from board meetings discussing policy updates
- Risk assessments or technical security practice reviews
Ensure your evidence shows how your policies support the overall governance and risk management of your organisation’s data security and protection efforts.
Indicators of Good Practice:
- Your policies clearly define security governance and risk management approaches.
- Policies are reviewed regularly to ensure they are practical and relevant to your organisation's essential functions.
B1.b Policy, Process, and Procedure Implementation
Key Point:
Your organisation must ensure that all staff are aware of and follow the policies, processes, and procedures designed to protect data and manage security risks.
Overview:
This outcome covers whether your policies, processes, and procedures are actually implemented and followed by staff. Monitoring and evaluating adherence is crucial to confirm that policies are not only in place but are being applied correctly in day-to-day work.
How to Meet the Requirement:
Establish monitoring mechanisms to assess whether staff are following policies and procedures. These can include spot checks, staff feedback, and audits of areas such as asset management, access control, and incident reporting.
You must have a process for identifying and addressing breaches of policy. When a breach occurs, investigate it thoroughly, record the root cause, and make improvements that prevent a recurrence. Training should reinforce staff awareness of and accountability for following these policies, particularly when handling confidential or personal data.
Evidence to Provide:
- Monitoring reports and logs from spot checks
- Incident response records
- Training materials and reports demonstrating staff awareness of policies
- Communication records between departments showing policy integration
Ensure your documentation illustrates how the policies have been implemented and how breaches or non-compliance are addressed and corrected.
Indicators of Good Practice:
- Policies, processes, and procedures are regularly followed and monitored.
- Breaches of policy are fully investigated, and corrective actions are taken.
- There are clear mechanisms for tracking policy compliance across the organisation.
B1 Policy, Process, and Procedure: Key Considerations
Policy Scope and Relevance:
Policies should be tailored to the needs of your organisation’s essential functions. They must address both high-level governance and detailed technical security practices, ensuring comprehensive coverage of risk management areas.
Monitoring Compliance:
Regular monitoring is essential to confirm that policies are being followed in practice. This could involve:
- Spot checks on access controls
- Regular reviews of privileged user access
- Verifying compliance with incident reporting and response processes
Incident Reporting and Breach Investigation:
In cases of policy breaches, it is vital to investigate promptly and take corrective action. This may involve retraining staff, updating procedures, or adjusting access controls to mitigate risks.
Ensure your organisation’s cyber security and IG policies are robust, up to date, and fully implemented. Need help creating or refining policies, improving compliance, or investigating breaches? Periculo can support you in developing strong governance frameworks to safeguard your organisation’s essential functions. Contact us now to ensure your policies are effective and compliant!