Information Governance Toolkit V5 – Information Security Requirement 302 Checklist

Requirement 302: Does the PCT have documented and accessible information security event reporting and management procedures in place that are explained to all staff?

Scope: PCT-wide for every criterion. Mark each criterion Yes/No (✓ or X) in the right-hand column. The levels are cumulative: Level 2 assumes the Level 1 criteria are met, and Level 3 assumes Levels 1 and 2 are met.

Level 1                                                                                         Yes/No (✓ or X)
  L1.1  Has the PCT documented arrangements and responsibilities for reporting, investigating and managing information security events?
  L1.2  Does the ISMO audit relevant systems to detect information security weaknesses, threats and incidents?
  L1.3  Are information security events reported to the Information Governance Board or its equivalent?
  L1.4  Are staff and third parties made aware of the importance of reporting information security events?
  L1.5  Do staff and third parties know how to report information security events, and who to report them to?

Level 2                                                                                         Yes/No (✓ or X)
  L2.1  Has the Information Governance Board (or its equivalent) approved formal documented information security event reporting, control and investigation procedures?
  L2.2  Has the Information Governance Board (or its equivalent) approved a formal documented information security event training and awareness strategy?
  L2.3  Does the ISMO liaise with the PCT's other Risk Managers to discuss and assess the relevance of other incident reports?
  L2.4  Is written evidence kept that users have been given training in information security event reporting?

Level 3                                                                                         Yes/No (✓ or X)
  L3.1  Does the PCT have a unified incident reporting scheme, which includes information security events?
  L3.2  Has the Information Governance Board (or its equivalent) approved formal documented information security event reporting, control and investigation procedures that are in line with national guidelines?
  L3.3  Are information security event reporting, control and investigation procedures subject to regular review?
  L3.4  Is the PCT's information security event training and awareness strategy subject to regular review?