NHS England has adopted the Cyber Assessment Framework, moving away from the National Data Guardian’s 10 data security standards as its assessment mechanism.

In a statement, NHS England said it is moving to the National Cyber Security Centre’s Cyber Assessment Framework (CAF), and phasing out use of the National Data Guardian 10 data security standards.

According to NHS England, this change will be done to:

• Emphasise good decision-making over compliance, with better understanding and ownership of information risks at the local organisation level, where those risks can most effectively be managed.
• Support a culture of evaluation and improvement, as organisations will need to understand the effectiveness of their practices at meeting the desired outcomes – and expend effort on what works, not what ticks a compliance box.
• Create opportunities for better practice, by prompting and enabling organisations to remain current with new security measures to meet new threats and risks.
  
  

  
  

High Bar for Achievement

NHS England said the CAF was adopted to set a high bar for achievement, and give organisations a long-term roadmap of yearly incremental improvement. “This will give clear visibility of expectations over the next five years, enabling long-term strategic investments in people, processes, and technology,” the statement said.

Also, the CAF focuses on achieving outcomes, instead of simply passing or failing defined security controls, and helps organisations apply strong information governance and cyber security principles to make informed decisions at a local level.

“This approach allows professionals to use their own judgement to implement the data protection measures that best serve their organisation, patients, and service users,” the statement said. “It also encourages professionals to apply best practice tactics against new and emerging threats.”

NHS England did confirm that while organisations will assess themselves against the CAF, the basic principles embodied in the National Data Guardian’s 10 security standards of ‘people, process and technology’, and the standards that accompany them, remain fundamental and are built into the CAF’s requirements.

Good Principles

Introduced in the National Data Guardian’s 2016 review of data security, consent and opt-outs, the 10 data security standards were designed to build on existing good principles and address the root causes of security breaches. 

However due to the rapidly changing landscape of technology and cyber threats, a more advanced approach is required, and NHS England said the CAF provides this.

Dr Nicola Byrne, the National Data Guardian, said: “I fully support this transition to the CAF. It represents a positive evolution, offering organisations a more current framework for evaluating and improving their data protection and cyber resilience. I remain committed to supporting NHS England in maintaining and advancing the highest standards of data security across health and care.”

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.