Cyber Security Governance, Board Oversight and Learning 2018-24

Reference: 25-26355

Date response sent: 20/11/2025

Details of enquiry

  1. Governance framework — The framework used for cybersecurity governance (e.g. NCSC CAF, DSPT, ISO 27001) and the year of its latest board approval.
  2. Board review frequency — How often the board or an executive committee formally reviews cyber resilience or cybersecurity governance (e.g. annually, quarterly, ad hoc)
  3. Most recent review — The title and month/year of the latest board or committee paper or report relating to cyber resilience (no internal findings required).
  4. Reporting line — The current reporting structure for cybersecurity governance (e.g. CISO → CIO → Board).
  5. External assurance — Whether the Trust has undergone external assurance such as CAF self-assessment, DSPT validation, independent audit, or security testing (e.g. penetration test / red-team). If so, please indicate only the type and frequency, not the scope or results.
  6. Concurrent improvement programmes — Approximate number of cybersecurity-related improvement programmes or initiatives active concurrently in a typical year (2018–2024) and trend (increasing/decreasing/stable).
  7. Internal coordination — Whether a steering group, programme office, or committee coordinates concurrent cybersecurity initiatives within the Trust, and its reporting level (executive/board).
  8. Cross-Trust coordination — Whether the Trust participates in structured coordination or information-sharing mechanisms with other NHS Trusts or regional bodies on cyber-resilience governance (e.g. ICS cyber networks), and at what level (regional/national).
  9. Board learning — Whether board-level training sessions or workshops on cyber resilience have been held since 2018, and in which years.

Response sent

  1. Governance framework — The framework used for cybersecurity governance (e.g. NCSC CAF, DSPT, ISO 27001) and the year of its latest board approval.
  • DSPT/CAF – approve each annual submission.
  • DSPT self-assessment is annually audited, and then presented to the Audit Committee for discussion and assurance.
  • DSPT is a mandatory framework which does not require Board Approval. Submissions are submitted and approved by the Information Governance Group in June every year. The last one was signed off in June 2025.
  2. Board review frequency — How often the board or an executive committee formally reviews cyber resilience or cybersecurity governance (e.g. annually, quarterly, ad hoc)

There is a Cyber security risk on the Board Assurance Framework (BAF) which forms part of the BAF risk review and bi-monthly reporting cycle with oversight by the Performance Finance and Resources Committee (PFRC) and assurance to the Board of Directors.

At departmental level, the IMT department runs a monthly Cyber Security Group to review Cyber Security for the Trust.

  3. Most recent review — The title and month/year of the latest board or committee paper or report relating to cyber resilience (no internal findings required).

a. BAF Report to PFRC in September 2025 (internal document)

b. Digital Metrics (including SIRO Cyber Security report) to PFRC in September 2025 (internal document); and

c. Public Board of Directors meeting in September 2025 (on Trust website: "Board papers – September 2025 – Tavistock and Portman")

  4. Reporting line — The current reporting structure for cybersecurity governance (e.g. CISO → CIO → Board).

IMT Cyber Security Group → Information Governance Group → PFRC → Board

  5. External assurance — Whether the Trust has undergone external assurance such as CAF self-assessment, DSPT validation, independent audit, or security testing (e.g. penetration test / red-team). If so, please indicate only the type and frequency, not the scope or results.

a. Cyber Security Internal Audit review in 2024/25 (independent review reported to the Integrated Audit and Governance Committee)

b. Annual DSPT 2024/25

c. Annual PEN test

d. Uptake of NHSE, free of charge, cyber assessments

e. Third party cyber assessments.

  6. Concurrent improvement programmes — Approximate number of cybersecurity-related improvement programmes or initiatives active concurrently in a typical year (2018–2024) and trend (increasing/decreasing/stable).

This is part of BAU (business as usual), and is continually delivered to users.

  7. Internal coordination — Whether a steering group, programme office, or committee coordinates concurrent cybersecurity initiatives within the Trust, and its reporting level (executive/board).

The Trust has an active cyber security improvement programme whereby key areas of innovation and improvement are undertaken on an annual basis.

Please see our response to Question 4.

This reports to IGG in the form of our report to the SIRO (Senior Information Reporting Officer), then → Information Governance Group → PFRC → Board

  8. Cross-Trust coordination — Whether the Trust participates in structured coordination or information-sharing mechanisms with other NHS Trusts or regional bodies on cyber-resilience governance (e.g. ICS cyber networks), and at what level (regional/national).

Monthly meeting with NHS England Cyber Security Lead

  9. Board learning — Whether board-level training sessions or workshops on cyber resilience have been held since 2018, and in which years.

Board members receive cyber training as part of the Trustwide Statutory and Mandatory training.

a. In 2019 the Board received a GCHQ Certified Cyber Security Board Briefing

b. In 2021 the Board received an NHS Board Briefing from NHS Cyber Training

  10. When was the last time your Trust underwent a security audit? At what frequency do these audits occur?

a. April 2022.

b. The last Cyber Security External Audit Review was for 2024/25 and began February 2025.

c. External Cyber Security Audit Reviews are conducted annually to provide assurance for the annual DSPT submission.