Date of Request
08/01/2026
Request
Under the Freedom of Information Act 2000, please provide the following information for the period 1 January 2023 – 31 December 2024:
1. The number of occasions on which cyber or information security risks appeared on the agenda of your governing body (or equivalent oversight body).
2. The name(s) of any committee(s) or board(s) with formal responsibility for cyber or information security oversight.
3. Whether documented criteria exist for escalating significant cyber incidents to the governing body or senior leadership (yes/no; if yes, please provide or summarise).
4. The number of governing body members (or equivalent) who completed cyber or information security training during this period, and the total number of members in that body.
5. Whether an independent assessment of your cyber security arrangements (e.g. internal audit, external review, or third-party assessment) was reported to the governing body during this period (yes/no; if yes, please state the type of assessment). Please note: no technical details, vulnerabilities, or sensitive operational information are requested. If this information is readily available, broken down by year, please provide it; otherwise, an aggregate figure for the period is sufficient.
Response
Good Morning,
We thank you for your request for information, which has been received by Hereford and Worcester Fire and Rescue Service (the Service) and considered under the Freedom of Information Act (FOIA) 2000.
The Service can confirm that the information that you have requested is held and is as follows:
The organisation reviews all cyber‑related and information security risks on a quarterly basis. This review is undertaken by the Senior Leadership Board. During these quarterly reviews, each service’s risk entries are assessed and updated. If any new information or intelligence has been identified that would change the assessed level of risk for a service, the risk register is amended accordingly.
1. The number of occasions on which cyber or information security risks appeared on the agenda of your governing body (or equivalent oversight body).
Cyber and information security risks are discussed as an agenda Item on a regular basis and are only escalated to senior leadership when deemed necessary
2. The name(s) of any committee(s) or board(s) with formal responsibility for cyber or information security oversight.
ICT Management, Organisational SIRO, Head of ICT
3. Whether documented criteria exist for escalating significant cyber incidents to the governing body or senior leadership (yes/no; if yes, please provide or summarise).
We have a fully documented procedure according to all NCSC, NFCC, Home office requirements and best practice guidance.
4. The number of governing body members (or equivalent) who completed cyber or information security training during this period, and the total number of members in that body.
All staff have cyber security training on a bi annual basis, there are 4 members of the ICT management team and 1 SIRO in the organisation.
5. Whether an independent assessment of your cyber security arrangements (e.g. internal audit, external review, or third-party assessment) was reported to the governing body during this period (yes/no; if yes, please state the type of assessment).
We have annual Penetration tests, we have internal audits and external audits via third party assessment.
If you have any questions regarding your request, please contact Information Governance on tel: 0345 122 4454 or by e-mail at informationrequests@hwfire.org.uk. In any such communication please include the reference number assigned (see Subject).
Should you have any queries regarding the management of your request and wish to make either a complaint or request a review of the information disclosed to you, please do so by using Hereford & Worcester Fire and Rescue Service’s complaints system: Comments and Complaints. This must be done within 40 working days of our response to your request. After this date and in line with ICO guidance the Service is not obliged to provide an internal review of your request.
If you are not satisfied with the outcome of the internal review, you may appeal the decision by contacting the Information Commissioner, Wycliffe House, Water Lane, Wilmslow, SK9 5AF, Tel: 0303 123 1113 (alternatively 01625 545745) or E-mail: casework@ico.org.uk.
Further information on Hereford & Worcester Fire and Rescue Service may be viewed at the Service’s website: www.hwfire.org.uk
Thank you for your request for information.
Kind regards,
Information Governance Team