UCL ISMS Information Governance Communications Plan
Document Name: RISM20-Communications_Plan
Classification: Public
Author: Sulyman Abdulkareem
Version: 1.0
Created: 20/06/2025
Last Review date: 30/01/2026
Last Reviewed by: Matthew Lilliman
Approved by: OMG
Approved date: 03/03/2026
Review Period: 3 Years
1. Purpose
This Communication Plan sets out how information about information governance will be disseminated to all stakeholders. It defines categories of stakeholders (audiences), how they will be communicated with (channels), what type of communication they will receive, why they are being communicated with (intent), and, where appropriate, how they will be able to express their views, issues, and ideas (feedback).
2. Roles Catalogue
2.1 Audience Groups
2.1.1 Information Risk Governance Committee (IRGC)
Receives reports from the Operational Management Group (OMG), provides advice and assurance to the Senior Information Risk Owner (SIRO), and acts as Top Management for the Research Data ISMS.
2.1.2 Approved Researcher
A “safe person”. Defined by contracts, attestations and competency (training). Must complete training and sign an approved researcher agreement, which sets out responsibilities.
2.1.3 Information Asset Owner (IAO)
The Information Asset Owner is accountable for any confidential information processed by project users (see below) and for the safe use of that information.
2.1.4 Information Asset Administrator (IAA)
Responsible for the day-to-day management of users, acting with delegated authority from an Information Asset Owner.
2.1.5 Project User
Can access some or all data within a project’s defined boundaries. Their responsibilities are defined in the approved researcher agreement and in any project-specific data-handling requirements set by the Information Asset Owner.
2.1.6 Environment User
Responsible for using an environment under ISMS scope and its data strictly in accordance with approved project permissions, ISMS policies, security controls, and safe-use requirements, having completed required training and agreements. Approved Researchers, IAOs, IAAs and Project Users are all Environment Users.
2.1.8 External Parties
Stakeholders external to UCL, such as NHS partners, UCL partners, etc.
The framework defining roles, responsibilities, and authorities within the ISMS is documented in RISM02-Roles_and_Responsibilities.
2.2 Communication Channel Owners
2.2.1 Information Governance (IG) Lead
Manages the UCL Research Data ISMS and IG Framework, ensuring compliance with the NHS Data Security and Protection Toolkit (DSPT). Serves as the primary IG contact for external parties, liaises between the SIRO and research teams, and acts as the internal escalation point for IG matters.
2.2.2 Environment Owner
Accountable for the safe development, operation, and technical controls of their environment, including defining and maintaining it, managing changes, leading incident response, representing it in audits, fulfilling standard Information Services Division / Advanced Research Computing (ISD/ARC) product/platform/service owner duties, and approving infrastructure access for all environment IT Administrators.
2.2.3 Incident Manager
Coordinates, assesses, and resolves information security incidents; leads root cause analysis; manages stakeholder communication; and ensures corrective actions comply with UCL’s ISMS and regulatory requirements.
3. Communication Intention
For each piece of communication, in addition to identifying the intended audience groups, the communication intention should be identified in advance, such as:
- to consult: (two-way communication) seeking stakeholders' input to shape the decisions around the future service.
- to inform: (one-way communication - push) informing stakeholders of changes to the ISMS and associated environments.
- to request: (one-way communication - pull) providing mechanisms for stakeholders to express needs, comment or ask questions on the ISMS, research studies and environments.
4. Communication Style Guide
UCL provides clear, established guidance on communication standards. Key resources include the UCL Web Content Style Guide (covering plain English, structure, tone of voice and avoidance of jargon) and the UCL Brand & Experience writing guidance, which sets expectations for clarity, consistency, tone, and audience‑appropriate language.
ISMS communications are expected to follow these UCL-wide requirements. This includes using plain, unambiguous language; avoiding abbreviations, acronyms, and technical terminology unless clearly defined; maintaining a professional and neutral tone; structuring communications so that decisions, actions, risks, and ownership are explicit; and tailoring content to the intended audience to support effective research data governance. Further guidance on communication standards can be found at: https://www.ucl.ac.uk/brand-and-experience/experience/content
5. Communication Retention
Communications related to the operation, security, and management of the ISMS are retained in line with the UCL Retention Schedule: https://www.ucl.ac.uk/library/collections/records-office/retention-schedule
6. ISMS Communication Matrix
| Materials (what) | Audience Group (to who) | Channel (how) | Intent (why) | By (from who) | Frequency (when) |
|---|---|---|---|---|---|
| Risk Assessment Output | IRGC | Report | Inform & Consult | IG Lead | Annually |
| ISMS Performance | IRGC | Report | Inform & Consult | IG Lead | Termly |
| Notification of Maintenance | Approved Researchers | Email / Teams / Portal | Inform | Environment Owner | As and when |
| Notification of Incident | Approved Researchers (Environment Users) | Various Channels | Inform | Incident Manager | As and when |
| Environment Service Update | Approved Researchers (Environment Users) | Email / Teams / Portal | Inform | Environment Owner | As and when |
| Information Governance Update | Approved Researchers | Email (via school / department / domain coordinators) | Inform | IG Lead | As and when |
| Agreement & Responsibility Change | Approved Researchers (IAO & IAA) as appropriate | | Inform | IG Lead | As and when |
| Policy / Process Change | As appropriate | | Inform | IG Lead | As and when |
| Verify ISMS compliance | IAO & IAA | Email / Teams | Request | IG Lead | As and when |
| Approved Researcher Review | IAO & IAA | | Request | IG Lead | Termly |
| Training Reminder and Expiry | Approved Researchers | | Request | IG Lead | As and when |