Skip to main content

NCSC assured NHS Senior Information Risk Owner (SIRO) training

We’re offering centrally funded cyber security training course to senior information risk owners (SIROs) working in NHS trusts and integrated care boards (ICBs).

Page contents

This National Cyber Security Centre (NCSC) Assured training by Templar International Group on behalf of NHS England will help SIROs and their deputies to improve their knowledge about cyber security risks. The training can be delivered in person or virtually over a day, or over 2 half days.

This tailored training and mentoring provides a safe and trusted space for discussion and enables sharing of best practice to manage cyber and information risk in a dynamic healthcare environment.

SIRO training is available to NHS trusts, ICBs and commissioning support units (CSUs).

The training can be extended also to include key information risk and assurance roles such as deputy SIROs, Caldicott Guardians, data protection officers, information governance managers and heads of cyber (up to 8 delegates including the SIRO) to build capability and support resilience.

Overview of training

Topics covered include:

  • the cyber landscape encompassing threats, vulnerabilities and the latest trends
  • NHS context - for example, Department of Health and Social Care (DHSC) cyber strategy, Data Security and Protection Toolkit (DSPT), Cyber Assessment Framework (CAF) and legal and regulatory requirements
  • understanding information assets, leadership and accountability
  • governance including best practice, strategy, leadership, policy and culture
  • information risk management including supply chain and AI
  • assurance, reporting and key priority areas (KPIs)
  • communications and culture change, including a range of resources
  • business continuity and cyber incident recovery and resilience
  • discussion in a trusted environment, including questions and answers, priorities and next steps

Benefits

Benefits include:

  • access to experienced and NCSC Assured trainers, who are able to draw on experience and insights from across public and private sectors
  • best practice advice with tailored context to support the NHS and your own organisation’s strategy and plans
  • advice and support on actions a SIRO can take to minimise the risk both on patient care and the organisation’s reputation, finance and operations

Register for the training

To register for this training or to find out more, use the NHS National IT Customer Service portal.

You will need to register for an account by providing your name, work email address and organisation ODS code. Once logged in:

  1. Raise a request by selecting 'Submit a Case'.
  2. Select the 'Cyber and Data Security' drop down on the left side.
  3. Select 'SIRO Training' and add your organisation's details and requirements.
  4. Submit the request.

We will then contact you to discuss the request further.

How this service aligns with the Cyber Assessment Framework

Open the expanders below to find out how this service aligns to the principles and outcomes of the Cyber Assessment Framework (CAF).

Objective A: Managing security risk

A1.a You have effective organisational security management led at board level and articulated clearly in corresponding policies.

A1.b Your organisation has established roles and responsibilities for the security of networks and information systems at all levels, with clear and well-understood channels for communicating and escalating risks.

A1.c You have senior-level accountability for the security of networks and information systems, and delegate decision-making authority appropriately and effectively. Risks to network and information systems related to the operation of essential functions are considered in the context of other organisational risks.

A2.a Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities.

A2.b You have gained confidence in the effectiveness of the security of your technology, people, and processes relevant to essential functions.

Objective B: Defending systems against cyber attack

B1.a You have developed and continue to improve a set of cyber security and resilience policies and processes that manage and mitigate the risk of adverse impact on the essential function.

B1.b You have successfully implemented your security policies and processes and can demonstrate the security benefits achieved.

B6.a Cyber security culture.

B6.b The people who support the operation of your essential function are appropriately trained in cyber security. A range of approaches to cyber security training, awareness and communications are employed.

Objective D: Minimising the impact of cyber security incidents

D1.a You have an up-to-date incident response plan that is grounded in a thorough risk assessment that takes account of your essential function and covers a range of incident scenarios.

D1.b You have the capability to enact your incident response plan, including effective limitation of impact on the operation of your essential function. During an incident, you have access to timely information on which to base your response decisions.

D2.b Your organisation uses lessons learned from incidents to improve your security measures.

Last edited: 26 November 2025 8:49 am