Technical connection: Submit IT Health Check evidence
Guidance for pension providers, schemes and integrated service providers (ISPs)
Overview
Purpose of this step
To connect to the Pensions Dashboards Programme (PDP) ecosystem, you need to conduct an IT Health Check (ITHC) or penetration test.
This guidance explains how to submit the ITHC evidence and results to PDP.
Who completes this step?
- security lead
For more information, read the full list of roles and responsibilities.
Before you begin
Before you begin this step, you need to engage a CHECK- or CREST-accredited supplier to conduct an ITHC or penetration test.
The test needs to be repeated annually and must comply with the PDP code of connection. It must be completed before you connect to the live production environment and start using live data.
Additional resources
- Conduct an IT Health Check or penetration test
- Code of connection
- CHECK IT Health Check
- CREST penetration testing
- National Vulnerability Database (NVD): vulnerability metrics
- Common Vulnerability Scoring System (CVSS)
What you need to do in this step:
- Submit details of your CREST or CHECK supplier.
- Provide a summary of the test findings.
- Provide remediation plans.
- Confirm your organisation’s security policies.
1. Submit details of your CREST/CHECK supplier
You need to:
- provide the name and address of your IT Health Check supplier exactly as it appears on the CHECK or CREST register
- provide the supplier’s accreditation type (either CHECK or CREST)
2. Provide a summary of the test findings
You need to:
- provide details of the test results, including the number of critical, high, medium and low findings
3. Provide remediation plans
You need to:
- provide remediation plans for all critical, high and medium findings
4. Confirm your organisation’s security policies
You need to:
- confirm that your organisation has in place protective monitoring and incident management plans
- provide a secondary incident management email contact if necessary
You must provide all the information required to continue with your application.
Summary
Before you submit your information, carefully review all the details you have entered.
What happens next after ITHC results submission
The PDP Security Authority (PDPSA) will review the information you have submitted and organise a meeting where you can present the ITHC results and any associated remediation plans.
PDPSA will send out the meeting invite. Forward it to anyone else in your organisation who needs to attend; it is worth including the person responsible for your information security management.
Preparing for your meeting with PDPSA
You need to prepare:
- a summary table containing all of the ITHC / penetration test findings alongside the CVSS score, a brief summary of the remediation, the owner and the expected remediation date
- documents or diagrams that explain the scope of your ITHC / penetration test, including descriptions of systems and assets in scope, such as network diagrams, data flows, asset list
- the final IT Health Check / penetration test document to discuss all submitted findings
- a remediation plan to address any critical/high/medium issues (these must have dates and owners so that these can be resolved before the next annual ITHC / penetration test)
- your incident management policy including how you would escalate relevant incidents to PDPSA, such as a communications plan
- your protective monitoring policy or security operations procedures for the systems and assets in scope, with supporting evidence such as the list of monitored assets and SIEM/SOC screenshots
- any relevant security certifications, such as ISO 27001 or Cyber Essentials
- any other documents you feel would support your submission
You should include a summary of these in a PowerPoint presentation or other suitable format, although PDPSA may request to see any original documents/evidence during the meeting.
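As an added worked example (not part of the PDP guidance or any PDP tooling), the following Python script builds the findings summary table described above from the tester's findings and checks each critical, high and medium finding for the remediation details PDPSA asks for: a summary of the fix, an owner and a date on or before the next annual ITHC. It assumes the NVD CVSS v3.x qualitative severity bands (Low 0.1 to 3.9, Medium 4.0 to 6.9, High 7.0 to 8.9, Critical 9.0 to 10.0), which the guidance links to but does not state, and the findings, owners and dates in it are constructed sample data, not real results.

```python
# Added example (not from the PDP guidance): build the ITHC findings summary
# table and check remediation plans for the details PDPSA asks for.
# Assumption: severity bands follow the NVD CVSS v3.x qualitative scale.
# The sample findings below are constructed, not real test results.
from dataclasses import dataclass
from datetime import date
from typing import Optional


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating (NVD bands, assumed)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


@dataclass
class Finding:
    ref: str                      # tester's finding reference
    title: str
    cvss: float                   # CVSS base score from the ITHC report
    remediation: str = ""         # brief summary of the planned fix
    owner: Optional[str] = None   # person or team accountable for the fix
    due: Optional[date] = None    # expected remediation date


NEXT_ITHC = date(2026, 3, 1)  # assumed date of the next annual ITHC (constructed)

# Constructed sample findings, labelled as such; not real results.
SAMPLE_FINDINGS = [
    Finding("ITHC-01", "Hard-coded credential in deployment script", 9.8,
            "Move secret to vault and rotate credential", "Platform lead", date(2026, 4, 15)),
    Finding("ITHC-02", "TLS 1.0/1.1 enabled on ISP gateway", 7.5,
            "Disable legacy TLS versions", "Network team", date(2025, 6, 30)),
    Finding("ITHC-03", "Error pages disclose stack traces", 5.3,
            "Enable generic error handler", None, date(2025, 5, 31)),
    Finding("ITHC-04", "Session timeout exceeds policy", 6.5, "", "App team", None),
    Finding("ITHC-05", "Missing HSTS header on static content", 3.1),
]


def severity_counts(findings) -> dict:
    """Number of critical/high/medium/low findings, as required in step 2."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for f in findings:
        sev = cvss_severity(f.cvss)
        if sev in counts:
            counts[sev] += 1
    return counts


def remediation_gaps(findings, next_ithc: date) -> list:
    """Critical/high/medium findings whose plan lacks a fix summary, an owner,
    or a due date on or before the next annual ITHC."""
    gaps = []
    for f in findings:
        if cvss_severity(f.cvss) not in ("critical", "high", "medium"):
            continue  # low findings do not need a remediation plan in the submission
        reasons = []
        if not f.remediation.strip():
            reasons.append("no remediation summary")
        if not f.owner:
            reasons.append("no owner")
        if f.due is None:
            reasons.append("no due date")
        elif f.due > next_ithc:
            reasons.append("due after next ITHC")
        if reasons:
            gaps.append(f"{f.ref}: {', '.join(reasons)}")
    return gaps


def summary_table(findings) -> list:
    """Rows for the PDPSA summary table, most severe first."""
    rows = []
    for f in sorted(findings, key=lambda x: x.cvss, reverse=True):
        rows.append({
            "ref": f.ref, "title": f.title, "cvss": f.cvss,
            "severity": cvss_severity(f.cvss), "remediation": f.remediation or "-",
            "owner": f.owner or "-", "due": f.due.isoformat() if f.due else "-",
        })
    return rows


if __name__ == "__main__":
    for row in summary_table(SAMPLE_FINDINGS):
        print(" | ".join(str(v) for v in row.values()))
    print("Counts:", severity_counts(SAMPLE_FINDINGS))
    for gap in remediation_gaps(SAMPLE_FINDINGS, NEXT_ITHC):
        print("Gap:", gap)
```

Run it against the findings exported from your own report (one `Finding` per entry); an empty list from `remediation_gaps` means every critical, high and medium item has an owner and a date before the next test, which is what the meeting will check.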
Meeting agenda
The meeting agenda will include:
- list of attendees
- introductions
- purpose of the meeting:
  - the scope of the ITHC / penetration tests
  - the initial ITHC / penetration testing report with all findings
  - the remediation plan for critical, high and medium findings
  - security incident management plan
  - protective monitoring policy/security operations procedures relevant to the systems and assets in scope
- any other business
- next steps:
  - internal PDPSA review
  - decision to approve / reject by the Implementation Decision Authority (IDA)
  - feedback on approval or rejection decisions
The meeting should not last longer than 2 hours.
Next steps
PDPSA will make a recommendation to the PDP Implementation Decision Authority (IDA). Once the IDA has reviewed it, you will be notified of the outcome by email, normally within 2 weeks.
If your submission is approved, the next step is integration testing.
If your submission is rejected, PDPSA will give you the reasons and the next steps. Follow their recommendations and then resubmit. Reasons for rejection include, but are not limited to: a component in scope that was not tested and needs a test or retest; missing remediation plans for critical, high and medium findings, or plans without owners and timelines for the fixes; no protective monitoring policy in place; no incident management policy in place.
Changelog
Last updated: 12 March 2025
12 March 2025
- In 'Next steps' changed the following step to 'integration testing' following connection journey reordering.