
Supplier information security compliance status

Introduction

This statement is intended for use by those organisations using the services of National Programme for IT (NPfIT) suppliers and requiring an overview of the information security compliance surrounding those services. This statement should be used as part of the evidence for an organisation's information security assessment or audit.

NHS Connecting for Health maintains a more detailed picture on the information security compliance for NPfIT suppliers and can discuss specific queries with organisations. Any query should be made to igteam@nhs.net in the first instance.

With respect to the suppliers contracted under the National Programme for IT, as managed by NHS Connecting for Health, the following statement provides assurance and evidence that they are working at levels of information security commensurate with processing sensitive personal data, specifically health data.

Initial evaluation

From the initial contract tendering process, assessment of, and compliance with, strict information security controls were paramount before suppliers were allowed to process health data as part of the NPfIT. Supplier responses were evaluated for evidence of industry best practice and to ensure they met the standards and requirements stipulated in the Output Based Specification (OBS).

These standards and requirements were incorporated into the contracts, ensuring that suppliers would maintain the levels stated at contract award. Industry best practice included elements from Information Security, Business Continuity, Systems Management and Audit. All of the contracted suppliers have a strong reputation within the industry for robust information security practices, which they wish to maintain.

On-going compliance

Since the award of each contract, each supplier has provided self-assessment and evidence of compliance with the applicable standards and requirements. The use of the ISO27001 standard, and the earlier BS7799, has provided the key element in a structure for on-going compliance and further elaborates on the standards and requirements in the contract.

Each supplier's monthly submission on their compliance is reviewed by NHS Connecting for Health, and further information is sought if required. Suppliers are expected to achieve a minimum score and to provide justification for any degradation in compliance levels.

Each supplier is required to produce and maintain an Information Security Policy. These are lodged with NHS Connecting for Health and updated annually; all suppliers have completed this for 2007. Any enhancements and changes to the Security Policy are discussed at the Information Security Management Forum (ISMF) chaired by NHS Connecting for Health. All contracted suppliers are required to observe the governance and remit of the ISMF.

NHS Connecting for Health has a healthy and close working relationship with its contracted suppliers which allows for regular sharing of practices and open review of approaches to information security. Often NHS Connecting for Health staff are co-located with the supplier and operate a collaborative approach to design.