The central team has taken a number of queries recently asking whether we are able to provide a list of “IG Statement of Compliance approved” third parties. The fact of a completed IGSoC does not remove the requirement for commissioners to assure themselves that their providers/suppliers are meeting and maintaining information governance standards. Commissioners should therefore take into account the following information:

Where an organisation has assessed itself as meeting the IGSoC requirements to an appropriate level, and has recorded its assessment within the IG Toolkit, this provides a clear and structured basis for auditing the organisation to obtain assurance that IG standards are being met. A self-assessed IGSoC does not itself provide this assurance and bodies contracting, or otherwise engaging, with organisations who have gone through the IGSoC process must ensure themselves that there is robust evidence of performance. It is the responsibility of all NHS Contracting Authorities to ensure that appropriate IG assurance is obtained when contracting for the delivery of information services.