Information governance assurance

We rely on information to make decisions. We want our information to be trusted.

We will assure our stakeholders that we are using their information appropriately by assessing how well National Highways and its suppliers manage information (in line with our policy, requirements and specifications).

This will also help us understand any risks and improvements that need to be made.


This requirement covers tier 1 and tier 2 levels of assurance, although tier 3 and tier 4 levels may be required.

If you collect, process or hold our information, you will need to undertake an annual self-assessment to make sure that you are managing our information in line with our information management requirements and specifications.

This applies to both National Highways business teams and those suppliers managing National Highways data.

You will agree to a second-tier assessment as and when requested by our data governance team.


National Highways follows a four-tier assurance framework of assessment to make sure its information is being managed in line with its policy, requirements and specifications:

  1. Self-assessment – where a supplier or business area undertakes a questionnaire-based self-assessment

  2. Subject matter expert (SME) assessment – a more detailed assessment by a member of our data governance team

  3. Internal audit assessment – by a member of our internal audit team

  4. An independent audit assessment – by an independent third party

Tier 1 - Self-assessment

  1. The supplier will complete an annual self-assessment questionnaire

  2. Highways England's service or project manager will send the supplier the questionnaire

  3. The supplier will receive a report based on their responses to the questionnaire. This report may contain recommendations for improvement where necessary.

Tier 2 - SME assessment

  1. Our data governance team will arrange interview sessions with appropriate roles to discuss how our information policy, requirements and specifications are being applied

  2. Evidence such as supporting policy and process documents may be required to support this process

  3. On completion, a feedback session will be scheduled. Any identified risks and areas for improvement will be discussed

  4. Our data governance team will monitor identified risks and remediation until mitigated or resolved. Until then, the frequency of self and SME assessments may be increased.