Skip to Content
TS-TDT-02 Trust & Stewardship Technology & Digital Transformation CORE Excellence v2.9.7

Core Systems Management (e.g., CRM)

Assesses the effective management of core information systems (e.g., CRM, Case Management, Student Information System) including product ownership, change control, and configuration management. It focuses on securing stakeholder data through privacy-by-design, integrated governance, and strict adherence to data protection laws (lawful basis, minimisation, retention, rights). This reflects the Islamic principle of Amanah (trust), treating digital records as a sacred responsibility. Furthermore, it upholds Hifz al-Huquq (preservation of rights) by ensuring robust systems safeguard individual privacy.

Assessment Questions
  1. Show the RoPA entry for this system and how each processing purpose is mapped to a lawful basis (Art.6) and special category condition (Art.9) if applicable.
  2. Provide the signed Data Processing Agreement (Art.28) for the vendor, including the list of sub-processors and the international transfer mechanism (IDTA/SCCs).
  3. Demonstrate the system's role-based access controls (RBAC), MFA status, and the report from the last quarterly access recertification.
  4. Show the automated retention rules configured in the system and how they align with your retention schedule.
  5. Provide the report from the most recent Disaster Recovery (DR) or backup restore test, confirming RTO/RPO targets were met.
  6. Walk through a recent Data Subject Access Request (DSAR) handled in the system, showing intake, redaction, and response time.
  7. If processing children's data, show the Children's Code assessment and age-appropriate design controls.
Evidence Requirements
  • RoPA excerpt specifically for the core system.
  • Signed DPA with vendor, including transfer assessment (TRA/IDTA) if data is hosted outside UK/EEA.
  • Latest DPIA and Change Control log for the system.
  • Retention schedule document and screenshots of automated deletion/archiving rules in the system.
  • Quarterly access recertification report and current user access list.
  • Disaster Recovery / Backup restore test report.
  • DSAR register (redacted) showing SLA performance.
  • Appropriate Policy Document (APD) if handling special category/criminal data.
Scoring Guidelines
LevelRatingDescription
5 5/5 A fully integrated system with privacy-preserving analytics, automated retention, and a data ethics culture driving continuous improvement.
4 4/5 Central system used well; automated retention, quarterly access recertification, and transfer controls are evidenced.
3 3/5 System in place with basic governance (RoPA entry, RBAC, MFA, tested DSAR process) but manual retention or data quality issues exist.
2 2/5 Multiple, disconnected spreadsheets or a system used without formal governance (no RoPA, shared logins).
1 1/5 No central system; data managed ad-hoc with high risk.

Related Criteria

TS-TDT-01 Digital Transformation Roadmap
Version
2.9.7 2025-11-05

Discussion (1)

Administrator 2026-03-07 12:01:06.909987

📋 **Version updated: 1.0.0 → 2.9.7** **Changes:** Full import from mizan-297.json

Sign in to post a comment.

Back to Criteria