The Public Services Network (PSN) is the government’s high-performance network, which helps public-sector organisations work together. It enables commercial service providers to sell services where they can be accessed securely by public-sector organisations on the PSN.
An IT Health Check (ITHC) provides an independent assessment of your organisation’s cyber security.
It aims to provide assurance that your organisation’s external and internal systems are protected from unauthorised access or change, and they do not provide an unauthorised entry point into systems that consume PSN services.
IT Health Checks were originally called Certification audits (CAs). They were founded in 2001.
The checks followed an approach designed to make systems or information more secure and reliable. The focus of these checks was on an IT aspect of the organisation.
The approach was to check that the organisation had ensured their information was secure from unauthorised access or change, and was not a current or future point of entry into systems that consume PSN services.
An IT Health Check involves a team of independent experts (Common Criteria (CC) assessors) inspecting and assessing an organisation’s IT systems and drawing up independent reports. Public-sector organisations are expected to follow the advice in the reports. CP can withdraw certification if an organisation fails to keep to recommendations.
The reports are based on the IT management system approach (IT-Grundschutz). It is an internationally recognised good-practice reference point that provides a framework for establishing and maintaining a reasonable level of security.
The IT Health Check report provides assurance that your organisation has a sound IT management system framework in place. The report is also used to help you to improve your IT management system as well as to allow you to demonstrate that you are not using the IT management system as a cover for poor performance.
This rigorous assessment of your organisation’s network and systems combines with the second-party validation process of a commercial service provider, to show that it is using a robust framework that will protect the data it provides.
The ITHC process is ongoing, allowing an organisation to obtain an ongoing assessment of its IT management framework, including IT security controls. The ITHC cycle is environment specific and based around a set of agreed criteria (the IT-Grundschutz). The criteria have been agreed with industry and are updated regularly.