This section covers operational compliance: vendor risk management, privacy compliance, and the incident response programme. These are the areas where compliance decisions meet day-to-day operations.
Vendor Register (database below)
All third-party vendors tracked by risk tier, BAA status, PHI access level, and review schedule. One overdue review is flagged.
Vendor Risk Management Core (section below)
The full VRM programme suite covering the master framework, risk assessment procedure, vendor classification standard, due diligence questionnaire, risk assessment template, vendor inventory register, vendor risk register, contractual requirements standard, and vendor offboarding checklist. Nine documents structured as a connected programme.
Incident Response Suite (Evidence Repository)
The full nine-document IRP suite is documented in the Evidence Repository as "Incident Response Suite - IRP-01 through IRP-09 - Summary". It covers current status of each procedure and flags the critical gap in breach notification validation.
Privacy Documents (Evidence Repository)
The ROPA, DPIA, and Data Retention Schedule are stored in the Evidence Repository. Each page contains the full document content and is linked from the document index.
Change Management Suite (Evidence Repository)
The Change Management Procedure (ISMS-PROC-CHG-01) and Change Request Form (ISMS-PROC-CHG-FRM-01) are stored in the Evidence Repository. These govern all changes to systems, infrastructure, and ISMS-scope configurations, including production PHI environments. Change management is a direct control against R10.1 (EHR ransomware) and R9.1 (HR database integrity).
Vendor Register summary by tier:

| Tier | Vendors | PHI Access | BAA Status |
|---|---|---|---|
| Tier 1 - High | 4 | Yes / Limited | All executed |
| Tier 2 - Medium | 1 | No | Not required (DPA in place) |
One Tier 1 vendor (ClinAnalytics Ltd) has an overdue annual security review. This is tracked in the Vendor Register and flagged in the Executive Dashboard.
Incident Response Suite status (IRP-01 through IRP-09):

| Document | Status | Key Note |
|---|---|---|
| IRP-01 Core Framework | Approved | Operational |
| IRP-02 IR Procedure | Approved | Procedure documented, not tested |
| IRP-03 Categorisation | Approved | Operational |
| IRP-04 Severity Classification | Approved | Operational |
| IRP-05 Communication Plan | Approved | Operational |
| IRP-06 Digital Forensics | Approved | Operational |
| IRP-07 Metrics and Reporting | Approved | Operational |
| IRP-08 Playbook Framework | Approved | Playbooks not yet written for all scenarios |
| IRP-09 Case Management | Approved | Operational |