FOI/2025/26/273
| Reference | FOI/2025/26/273 |
|---|---|
| Description | NHS cyber governance and board oversight (2018–2024) |
| Date requested | 08/11/2025 |
| Attachments | N/A |
Request
Please provide information for the period 1 January 2018 – 31 December 2024 (inclusive) or the most recent complete year available.
1. Governance framework — The framework used for cybersecurity governance (e.g. NCSC CAF, DSPT, ISO 27001) and the year of its latest board approval.
The Trust uses the CAF DSPT, of which ISO 27001 is a requirement. The DSPT is approved via the Trust Information Governance Group (IGG) and submitted annually.
2. Board review frequency — How often the board or an executive committee formally reviews cyber resilience or cybersecurity governance (e.g. annually, quarterly, ad hoc).
The Board reviews cyber quarterly through the Audit Committee and on an annual basis direct to Board.
3. Most recent review — The title and month/year of the latest board or committee paper or report relating to cyber resilience (no internal findings required).
Cyber security update and management of risks, October 2025
4. Reporting line — The current reporting structure for cybersecurity governance (e.g. CISO → CIO → Board).
CIO → Audit Committee → Board
5. External assurance — Whether the Trust has undergone external assurance such as CAF self-assessment, DSPT validation, independent audit, or security testing (e.g. penetration test / red-team). If so, please indicate only the type and frequency, not the scope or results.
The Trust undergoes CAF DSPT assurance, of which penetration testing is a component. This is carried out annually and is independently audited.
6. Concurrent improvement programmes — Approximate number of cybersecurity-related improvement programmes or initiatives active concurrently in a typical year (2018–2024) and trend (increasing/decreasing/stable).
1–2; stable.
7. Internal coordination — Whether a steering group, programme office, or committee coordinates concurrent cybersecurity initiatives within the Trust, and its reporting level (executive/board).
Change Authority Board → Audit Committee → Board
8. Cross-Trust coordination — Whether the Trust participates in structured coordination or information-sharing mechanisms with other NHS Trusts or regional bodies on cyber-resilience governance (e.g. ICS cyber networks), and at what level (regional/national).
CLCH is signed up to all of the national NHSE cyber forums and reporting; in addition, we are active members of Integrated Care System cyber groups.
9. Board learning — Whether board-level training sessions or workshops on cyber resilience have been held since 2018, and in which years.
Board-level cyber training is held annually, with the most recent training held in October 2025.