Caldicott - Acute Trusts Knowledge base

Information Governance Management - Strategic Health Authorities
Guidance
Requirement 121
Does the SHA have a Board level Senior Information Risk Owner (SIRO) who
takes ownership of the SHA’s information risk policy, acts as advocate for
information risk on the board and provides written advice to the accounting
officer on the content of their Statement of Internal Control in regard to
information risk?
The establishment of the role of SIRO is one of several measures to strengthen
controls around information security outlined in a recent Cabinet Office review
and report on Data Handling. The SIRO should be an Executive or Senior
Manager on the SHA Board who is familiar with information risks and the
organisation’s response to risk and has the knowledge and skills necessary to
provide the required input and support to the Board and to the accountable
officer. The SIRO may also be the Chief Information Officer (CIO) if the latter is
on the board.
Accountability and Performance
Senior-level ownership of information risk is a key factor in raising the profile of
information risks and in embedding information risk management into the overall
risk management culture of the SHA. Senior leadership demonstrates the
importance of the issue and is critical in obtaining the resources and commitment
necessary to ensure that information security remains high on the Board agenda.
The role of the Accountable Officer
The Chief Executive as Accountable Officer of the SHA has overall accountability
and responsibility for Information Governance in the SHA and is required to provide
assurance, through the Statement of Internal Control that all risks to the SHA,
including those relating to information, are effectively managed and mitigated.
The role of the Senior Information Risk Owner (SIRO)
The Senior Information Risk Owner (SIRO) will be an Executive Director, Chief
Information Officer (CIO) or Senior Manager member of the SHA Board. The SIRO
may also be the Chief Information Officer (CIO) if the latter is on the Board.
The SIRO will be expected to understand how the strategic business goals of the
SHA may be impacted by information risks and it may, therefore, be logical for this
role to be assigned to a Board member already leading on risk management or
information governance.
The SIRO will act as an advocate for information risk on the Board and in internal
discussions, and will provide written advice to the Accountable Officer on the content
of their annual Statement of Internal Control (SIC) in regard to information risk.
Working within a simple governance structure, with clear lines of Information Asset
ownership and well-defined roles and responsibilities, the SIRO will provide an
essential role in ensuring that identified information security risks are followed up and
incidents managed. They will also ensure that the Board and the Accountable Officer
are kept up to date on all information risk issues. The role will be supported by the
SHA’s Information Asset Owners, Information Governance Manager, the SHA’s Risk
Manager, the SHA’s Information Security Manager, the SHA’s Records Manager and
the SHA’s Caldicott Guardian, although ownership of the Information Risk Policy and
risk assessment process will remain with the SIRO.
The role of Information Asset Owners (IAO)
IAOs are accountable to the SIRO and will provide assurance that information risk is
being managed effectively for those information assets of which they have been
assigned ownership. IAOs will be assisted in their roles by staff acting as Information
Asset Administrators (or equivalent), who have day-to-day responsibility for the
management of information risks affecting one or more assets.
Key responsibilities of the Senior Information Risk Owner
- To oversee the development of an Information Risk Policy, and a Strategy for
  implementing the policy within the existing Information Governance Framework.
- To take ownership of the risk assessment process for information risk, including
  review of the annual information risk assessment to support and inform the
  Statement of Internal Control.
- To review and agree action in respect of identified information risks.
- To ensure that the SHA's approach to information risk is effective in terms of
  resource, commitment and execution, and that this is communicated to all staff.
- To provide a focal point for the resolution and/or discussion of information risk
  issues.
- To ensure the Board is adequately briefed on information risk issues.
Training
The SIRO will be required to successfully complete strategic information risk
management training at least annually.
Improvement plans

Level 1
The SHA should nominate an Executive Director or Senior Manager Board
member to be responsible for ownership of information risk across the SHA and
to act as the SHA’s Senior Information Risk Owner (SIRO).

Level 2
An assessment of any gaps in knowledge or skills should be undertaken and
training provided to ensure that the Board member assigned responsibility for
information risk has the necessary skills and knowledge to be effective in their
role. The SHA should also ensure that the support infrastructure for the SIRO is in
place, including the nomination of Information Asset Owners as appropriate.
Level 3
The SHA should ensure that the role and responsibilities of the SIRO, and the
infrastructure to support the SIRO, are kept under review and remain effective. The
Board member assigned to the role should successfully complete the strategic
information risk management training at least annually.
Requirement checklist
IGM_SHA_121_V7_Checklist 09-02-05.doc
Key Guidance Document(s):
BS ISO/IEC 27000 series of information security standards
Note that only NHS Information Governance Toolkit (IGT) administrators may
download a copy of these standards for their organisation. The administrator must
be logged on to download the standards.
DH: Information Security NHS Code of Practice
The code is a guide to the methods and required standards of practice in the
management of information security for those who work within or under contract to,
or in business partnership with NHS organisations in England. It is based on current
legal requirements, relevant standards and professional best practice and replaces
HSG 1996/15 – NHS Information Management and Technology Security Manual.
NHS Information Risk Management: Good Practice Guidance
This guidance, published in January 2009, sets out the roles and responsibilities of
Senior Information Risk Owners and Information Asset Owners. It includes sections
dealing with Information Risk Policy, Forensic Readiness Policy and Information
Security Accreditation, all of which are relevant to the role of the Information Security
Officer.
System Level Security Policy (SLSP)
A template for defining system level security arrangements. This template is relevant
to the Good Practice Guide above. It should be read in conjunction with the section
specifically addressing security policy.
Useful websites:
NHS Information Governance Training Tool
NHS Connecting for Health Information Governance website