Freedom of Information Request – Ref: FOI 298-2025
Thank you for your recent Freedom of Information request. Please find our response below.
You asked:
Please provide information for the period 1 January 2018 – 31 December 2024 (inclusive) or the most recent complete year available.
1. Governance framework — The framework used for cybersecurity governance (e.g. NCSC CAF, DSPT, ISO 27001) and the year of its latest board approval.
Our response:
DSPT includes CAF; this is approved every year via the appropriate Board committee.
You asked:
2. Board review frequency — How often the board or an executive committee formally reviews cyber resilience or cybersecurity governance (e.g. annually, quarterly, ad hoc).
Our response:
Bi-monthly review at one Executive committee.
Every 6 months at one Executive committee.
You asked:
3. Most recent review — The title and month/year of the latest board or committee paper or report relating to cyber resilience (no internal findings required).
Our response:
Cyber Assurance Report October 2025.
You asked:
4. Reporting line — The current reporting structure for cybersecurity governance (e.g. CISO → CIO → Board).
Our response:
AD Digital Services – CIO – Board.
ICS Cyber Security Lead dotted line Trusts governance.
You asked:
5. External assurance — Whether the Trust has undergone external assurance such as CAF self-assessment, DSPT validation, independent audit, or security testing (e.g. penetration test / red-team). If so, please indicate only the type and frequency, not the scope or results.
Our response:
DSPT Annual validation.
Pen Test Annually.
You asked:
6. Concurrent improvement programmes — Approximate number of cybersecurity-related improvement programmes or initiatives active concurrently in a typical year (2018–2024) and trend (increasing/decreasing/stable).
Our response:
10 – 15 – Trend increasing.
You asked:
7. Internal coordination — Whether a steering group, programme office, or committee coordinates concurrent cybersecurity initiatives within the Trust, and its reporting level (executive/board).
Our response:
Weekly operational Cyber meeting.
Monthly ICS Cyber meeting.
Projects and risks managed through current Digital governance process as opposed to separate that reports into appropriate board committees.
You asked:
8. Cross-Trust coordination — Whether the Trust participates in structured coordination or information-sharing mechanisms with other NHS Trusts or regional bodies on cyber-resilience governance (e.g. ICS cyber networks), and at what level (regional/national).
Our response:
Monthly ICS Cyber Meeting.
ICS Cyber Assurance report to Monthly Digital Execs meeting.
SW Cyber Meeting.
You asked:
9. Board learning — Whether board-level training sessions or workshops on cyber resilience have been held since 2018, and in which years.
Our response:
All Board members are required to undertake annual IG training, which includes elements of cyber training.
All Board members from 2025 are also required to undertake the NCSC cyber training.
August 2022 – Board development session held on Digital – delivered by Digital Boards.
Next steps:
Should you have any queries in relation to our response, please do not hesitate to contact us. If you are unhappy with the response you have received in relation to your request and wish to ask us to review our response, you should write to:
Louise Moss
Head of Legal Services / Associate Director of Corporate Governance
c/o Gloucestershire Health and Care NHS Foundation Trust
Edward Jenner Court
1010 Pioneer Avenue
Gloucester Business Park
Brockworth, GL3 4AW
E-mail: louise.moss@ghc.nhs.uk
If you are not content with the outcome of any review, you may apply directly to the Information Commissioner’s Office (ICO) for further advice/guidance. Generally, the ICO will not consider your case unless you have exhausted your enquiries with the Trust which should include considering the use of the Trust’s formal complaints procedure. The ICO can be contacted at: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

