Information governance assurance

We rely on information to make decisions. We want our information to be trusted.

By assessing how well National Highways and its suppliers manage information (in line with its policy, requirements and specifications), National Highways assures its stakeholders that it is using their information appropriately

This also helps National Highways understand any risks and improvements that need to be made.


This requirement covers tier 1 and tier 2 levels of assurance, although tier 3 and tier 4 levels may be required.

If a Supplier collects, processes or holds National Highways information, then the Supplier is required to undertake annual self-assessment to make sure that they are managing National Highways information in line with its information management requirements and specifications.

This applies to both National Highways business teams and those Suppliers managing National Highways data.

All suppliers agree to a second-tier assessment as and when requested by National Highways' data governance team.


National Highways follows a four-tier assurance framework of assessment to make sure its information is being managed in line with its policy, requirements and specifications:

  1. Self assessment – where a supplier or business area undertakes a questionnaire based self-assessment 

  2. Subject matter expert (SME) assessment – a more detailed assessment by a member of National Highways' data governance team 

  3. Internal audit assessment – by a member of National Highways' internal audit team

  4. An independent audit assessment – by an independent third party

Tier 1 - Self-assessment

  1. The Supplier completes an annual self-assessment questionnaire

  2. National Highways service or project manager sends the supplier the questionnaire

  3. The Supplier receives a report based on their responses to the questionnaire. This report may contain recommendations for improvement where necessary.

Tier 2 - SME-assessment

  1. National Highways data governance team arranges interview sessions with appropriate roles to discuss how its information policy, requirements and specifications are being applied

  2. Evidence such as supporting policy and process documents may be required to support this process

  3. On completion, a feedback session is scheduled. Any identified risks and areas for improvement will be discussed

  4. National Highways data governance team will monitor identified risks and remediation until mitigated or resolved. Until then, the frequency of self and SME assessments may be increased.