APPENDIX 1: CHECKLIST FOR DIRECTORS – Managing Information Risk: A Director's Guide
Have we assessed the importance of information to our business?

We know what information we hold and handle.

We know the relative security, sensitivity and importance of each set of information.

We understand which information systems support the management of key information.

We know how critical this information is for the management of our business.

Have we assessed our information risks?

We have developed a risk assessment of our information.

This risk assessment looks at all of our key risks and how critical they are to our business.

This assessment follows the approach we have taken overall to risk management, and embeds information risk management within our overall business risk model.

Do we have a plan for managing these risks?

We have identified what we need to do to mitigate risks to an acceptable level, which covers all key dimensions (i.e. the need to share, as well as protect, and the need for resilience).

We have a clear plan in place, with owners of the key actions.

The plan covers all key players in the delivery chain, including arm’s-length bodies and partners.

The key players understand their role in managing these risks.

There is a regular process of assessing how well we are doing at implementing this plan.

Do all staff understand their roles and responsibilities in managing these risks?

All our staff understand their role in managing information, and the risks it poses.

All staff are clear on what’s mandatory, and where they can make decisions.

All staff are clear about whom to report concerns and ‘near misses’ to, so we can learn from incidents and mistakes.

We have built this into our culture through training, performance management and governance structures.

All staff understand the consequences of not following the rules.

Does my organisation have the right skills and technical capabilities to manage these risks?

My board sufficiently understands our use of and reliance upon information and information risk to ask the right questions.

I have a capable senior information risk owner on the board.

I have a capable team and infrastructure to manage my organisation’s information, who are aware of all of the risk issues.

My IT, financial and other teams and infrastructure are attuned to the need to manage information risk.

Is management of information embedded in my business processes?

We consider information as one of many business processes and business risks.

The board considers information risk alongside, and as a contributory part of, other key risks, and gives it priority accordingly.

Information management is seen as a core skill, and is built into training, assessment and capability building processes.

From Managing Information Risk, a UK Government report prepared by The National Archives, Crown copyright.