
Internal Reference Number: FOI_9021
Date Request Received: 10/11/2025 00:00:00
Date Request Replied To: 24/11/2025 00:00:00
This response was sent via: By Email
Request Summary: Information on NHS cyber governance and board oversight (2018–2024)
Request Category: Researcher
| Question | Answer |
|---|---|
| 1. I am studying how NHS Trusts organise and oversee cybersecurity governance and organisational learning. This request is made for academic, non-commercial research into NHS governance learning and decision-making. My current analysis is based mainly on publicly available and published sources (NAO reports, NCSC guidance, parliamentary evidence, etc.). However, I recognise that such materials may not fully reflect how governance actually operates within individual Trusts. To ensure that my research findings reflect real-world governance practices rather than policy design alone, I would appreciate your assistance with a small set of factual, non-sensitive governance indicators under the Freedom of Information Act 2000. Please provide information for the period 1 January 2018 – 31 December 2024 (inclusive) or the most recent complete year available. Governance framework — The framework used for cybersecurity governance (e.g. NCSC CAF, DSPT, ISO 27001) and the year of its latest board approval. | The Trust adheres to the nationally defined framework, predominantly through the DSPT. |
| 2. Board review frequency — How often the board or an executive committee formally reviews cyber resilience or cybersecurity governance (e.g. annually, quarterly, ad hoc). | Quarterly |
| 3. Most recent review — The title and month/year of the latest board or committee paper or report relating to cyber resilience (no internal findings required). | Quarterly data protection and cyber security report, October 2025 |
| 4. Reporting line — The current reporting structure for cybersecurity governance (e.g. CISO → CIO → Board). | Report presented by the CIO; the Chief Transformation and Innovation Officer is executive lead on the board. |
| 5. External assurance — Whether the Trust has undergone external assurance such as CAF self-assessment, DSPT validation, independent audit, or security testing (e.g. penetration test / red-team). If so, please indicate only the type and frequency, not the scope or results. | The DSPT mandates an external audit and penetration test annually as a minimum, which the Trust adheres to. |
| 6. Concurrent improvement programmes — Approximate number of cybersecurity-related improvement programmes or initiatives active concurrently in a typical year (2018–2024) and trend (increasing/decreasing/stable). | S31(3) of the FOIA exemption |
| 7. Internal coordination — Whether a steering group, programme office, or committee coordinates concurrent cybersecurity initiatives within the Trust, and its reporting level (executive/board). | Programmes are managed in line with the programme governance, and there is an internal technical group to assure on existing cyber measures, which then reports up through to the digital steering group. |
| 8. Cross-Trust coordination — Whether the Trust participates in structured coordination or information-sharing mechanisms with other NHS Trusts or regional bodies on cyber-resilience governance (e.g. ICS cyber networks), and at what level (regional/national). | The Trust is part of a range of groups, including an ICS cyber technical design authority and national and regional cyber networks, and has informal meetings across our Hospitals Group. |
| 9. Board learning — Whether board-level training sessions or workshops on cyber resilience have been held since 2018, and in which years. | 5 July 2018 – Trust Board Seminar: Cyber Security; 7 March 2019 – Trust Board Seminar: Digital Strategy; 13 June 2019 – Trust Board Development Day: Strategy inc. Digital Transformation; 4 July 2019 – NHSI Making Data Count, Trust Board Seminar; 2 July 2020 – Digital Strategy, Trust Board Seminar; 11 February 2021 – Shared EPR, Trust Board Development Day; 9 June 2022 – Digital Board Development Session (NHS Providers), Trust Board Seminar; 8 February 2024 – Data Strategy/BI and Cyber Risk Tolerance |