NHS Patient Portal

Health & Social Care · assessment opened 14 Apr 2026 · 11 weeks in

Verdict On track but ownership-thin. Strong discovery and rising identity maturity are offset by an unstaffed Operations phase and two accepted risks that ripple into connected systems.
31 / 100
Gap Index ▼ 16 QoQ · higher = worse · components with no data are excluded, never scored 0
Coverage
31% + in score

+ Includes The 49 canonical security outcomes, each counted once at its latest status.

− Excludes Earlier-phase prep (discovery, journey) — it feeds the outcomes but is not counted here; N/A outcomes can be marked out.

Benefit Tells you in one figure how much of the security picture has actually been reached.

Open questions
12% + in score

+ Includes Every item answered 'Get Help' that is still unresolved.

− Excludes Resolved Get-Helps (now answered) and items never opened.

Benefit Surfaces the known-unknowns waiting on a person, so they get chased — not lost.

Maturity shortfall
40% + in score

+ Includes Seven evidenced dimensions — completeness, depth, timeliness, accountability, evidence, engagement, remediation.

− Excludes The portfolio-only 'coverage across systems' dimension (meaningless for one system) and any system with no activity.

Benefit Captures the quality of the work, not just whether boxes were ticked.

Residual risk
55% + in score
Overdue actions
10% + in score

+ Includes Tracked deadlines and committed actions now past their date.

− Excludes Deadlines renegotiated before they passed, and items with no deadline set.

Benefit The earliest signal that delivery is slipping — before it hardens into a gap.

Unowned items
20% + in score

+ Includes Claims with no confirmed accountable owner.

− Excludes Items referred onward (an owner is being found) and confirmed-owned items.

Benefit Pinpoints exactly where accountability is missing — the unmanaged risk.

What A single 0–100 score of how much of the security picture is still open or unowned (higher = worse).

How A weight-normalised blend of six gaps: coverage, open questions, maturity shortfall, residual risk, overdue actions and unowned items.

Why One number a board can track period on period — and drill into the systems driving it.

Good Trending down. Under 25 is strong; the breakdown tells you where to push next.

+ Includes Every component that has data — coverage, open questions, maturity, residual risk, overdue actions, unowned items.

− Excludes Any component with no data yet — excluded from the score (never scored zero), shown as 'not enough data'.

Benefit One number to govern by that always shows what it is built from — defensible to a board and a regulator.

Maturity matrix

Completeness Developing 2/5
Depth Managed 4/5
Timeliness Optimised 5/5
Accountability Developing 2/5
Evidence Defined 3/5
Engagement Managed 4/5
Remediation Defined 3/5

What Outcome-based maturity across seven dimensions, 1–5, each backed by evidence.

How Existing captured data mapped to a 1–5 band per dimension, then averaged.

Why Shows where the system is strong versus thin, not just a single percentage.

Good Rising over time; 4+ across the board.

Gap Index over time

W1 88 · W4 64 · W8 47 · W11 31

What Whether the portfolio's open gaps are being closed faster than new ones open.

How Gap Index at each period close, charted across the year.

Why The clearest single picture of whether the programme is winning.

Good A downward burndown — gaps closing faster than they appear.

Response time to delegated questions

< 24h 48%
1–3d 22%
3–7d 21%
7d+ 9%

Phase 0 — Data Strong
Response 4h median · Quality High — all owned · Completion 100%

Strengths

+ All special-category data classified with named risk owners

+ UK GDPR + Art-9 conditions recorded at declaration

Weaknesses

− Children's-data handling declared but its owner is unconfirmed

Benefit Confirm the children's-data owner and Phase 0 is airtight — every downstream ask then routes correctly.

Discovery Strong
Response 11h median · Quality Strong — evidenced · Completion 93%

Strengths

+ 13 of 14 areas confirmed by a named SME

+ Evidence attached to every access-control claim

Weaknesses

− Logging area left as Get-Help, now past its find-out-by date

Benefit Close the logging Get-Help and detection coverage becomes evidenced rather than assumed.

Operations Weak
Response 6.2d mean · Quality Thin — low evidence · Completion 51%

Strengths

+ Backup / restore tested and evidenced

Weaknesses

− No accountable owner for 3 operational areas

− Mean 6.2 days to respond — the project bottleneck

Benefit Staff the 3 operational areas and the project's biggest bottleneck clears — response velocity roughly doubles.

Outcomes Mixed
Response 1.5d median · Quality Mixed · Completion 38%

Strengths

+ Identity & Access raised 2 → 3 after access reviews

+ Monitoring outcomes assessed with evidence

Weaknesses

− 2 outcomes Get-Help with no find-out-by date

− Resilience outcome not yet assessed

Benefit Set deadlines on the 2 open outcomes and assess resilience to lift maturity from 3.1 toward 4.

Risk / Residual Mixed
Response 2.3d median · Quality Documented · Completion 2 accepted

Strengths

+ Accepted risks documented with rationale and a named approver

Weaknesses

− 1 accepted risk sits on a heavily-depended-on system — wide blast radius

Benefit Re-examine the high-blast accepted risk and the residual component — the largest single driver — drops fastest.

+ Counts

+ All 49 canonical outcomes and every recorded response (latest per item)

+ Evidence, delegations and decisions attached to this system

+ Confirmed owners and the full accountability funnel

− Leaves out

− Archived systems and superseded answers (only the latest counts)

− Outcomes marked Not-applicable

− Components with no data yet — shown as 'not enough data', never scored 0

Bottleneck Operations — 6.2 days mean response · Velocity 2.4 items/wk

What Where work stalls, and how fast it is moving overall.

How Mean response time per phase (slowest = bottleneck) and items completed per week.

Why Tells you where to add people or chase, not just that things are slow.

Good No single phase dominating; steady velocity.

Ownership coverage 82% owned · 3 unowned · 1 referred onward

What How much of the system has a confirmed accountable owner.

How Confirmed-owner claims ÷ total, from the accountability funnel.

Why Coverage gaps here are exactly where accountability is missing.

Good 95%+; anything unowned is flagged for assignment.

file Access review Q2.xlsx A. Singh · 6 May · B2 Identity & access
link SIEM monitoring dashboard SecOps · C1 Monitoring
note DPIA sign-off recorded DPO · 28 Apr
file Backup restore test.pdf Infrastructure · D1 Resilience
