The DSPT for 2025/2026 is now more closely aligned to the NCSC Cyber Assessment Framework (CAF). This means more outcome-based auditing, focused on how well organisations actually achieve the intended security and governance outcomes rather than on whether individual controls are ticked off. Organisations in scope must have an independent assessment carried out against the agreed CAF-aligned DSPT audit framework.

Dionach can provide these independent assessments, which are required to validate an organisation's self-assessment outcomes.

There are independent assessment guides for three groups who require assessments:

  • NHS Trusts, Integrated Care Boards (ICBs), Arm’s Length Bodies (ALBs), and Commissioning Support Units (CSUs)
  • Independent providers who are designated Operators of Essential Services (OES) and Genomics organisations (as nominated by the Department of Health and Social Care)
  • IT Suppliers

DSPT Audit 2025/26: Areas of Mandatory Audit

NHS Trusts, ICBs, ALBs, and CSUs

These organisations are audited against 9 mandatory outcomes plus 3 further outcomes chosen by the organisation. The mandatory outcomes are:

  • A1.a Board direction
  • B1.a Policy, process and procedure development
  • B4.a Secure by design
  • B5.a Resilience preparation
  • B5.c Backups
  • C1.b Securing logs
  • D2.a Incident root cause analysis
  • E2.a Managing data subject rights under UK GDPR
  • E2.c National data opt-out policy

Independent providers who are designated Operators of Essential Services (OES) and Genomics organisations (as nominated by the Department of Health and Social Care)

These organisations require an independent audit following a defined process and report template, covering 8 mandated outcomes plus 4 further outcomes chosen by the organisation. The mandatory outcomes are:

  • A2.a Risk management process
  • A4.a Supply chain
  • B2.a Identity verification, authentication and authorisation
  • B4.d Vulnerability management
  • C1.a Monitoring coverage
  • D1.a Response plan
  • E2.b Consent
  • E3.a Using and sharing information for direct care

IT Suppliers

For IT Suppliers, the audit covers the 12 mandated assertions listed below:

  • 1.3 Accountability and Governance in place for data protection and data security
  • 4.2 The organisation assures good management and maintenance of identity and access control for its networks and information systems
  • 4.4 You closely manage privileged user access to networks and information systems supporting the essential service
  • 6.1 A confidential system for reporting data security and protection breaches and near misses is in place and actively used
  • 6.3 Known vulnerabilities are acted on based on advice from NHS Digital, and lessons are learned from previous incidents and near misses
  • 7.2 There is an effective test of the continuity plan and disaster recovery plan for data security incidents
  • 7.3 You have the capability to enact your incident response plan, including effective limitation of impact on your essential service. During an incident, you have access to timely information on which to base your response decisions
  • 8.3 Supported systems are kept up to date with the latest security patches
  • 8.4 You manage known vulnerabilities in your network and information systems to prevent disruption of the essential service
  • 9.3 Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities
  • 9.6 The organisation is protected by a well-managed firewall
  • 10.1 The organisation can name its suppliers, the products and services they deliver and the contract durations

The report will include an overall risk assessment across all 10 National Data Guardian (NDG) Standards, as well as an overall classification for each NDG standard derived from the assertion-level risk ratings.

Summary

The 2025/2026 Data Security and Protection Toolkit (DSPT) introduces a major shift: closer alignment with the NCSC Cyber Assessment Framework (CAF). This moves organisations away from checklist-style compliance toward evidence-based, outcome-driven assurance. NHS bodies, designated OES providers and genomics organisations must now undergo an independent audit against the CAF-aligned DSPT outcomes, and in-scope IT suppliers an independent audit against the mandated DSPT assertions, to validate their self-assessment.

Each organisation type has defined mandatory outcomes or assertions that must be assessed, ranging from governance and supply chain assurance to vulnerability management, monitoring, logging, data protection rights, and incident response readiness. The independent audit report also provides a risk assessment across all 10 National Data Guardian (NDG) Standards, so organisations can clearly demonstrate their security posture and identify areas for improvement.

NHS England requires all independent assessments to be completed between January and June 2026, with final DSPT submissions due 30 June 2026.

How Dionach Can Help You

Dionach is an accredited, experienced cybersecurity consultancy trusted by NHS organisations, public sector bodies, and healthcare providers for over 25 years. As the DSPT becomes more technically rigorous and aligned with CAF, Dionach helps you meet and exceed the new requirements with clarity, confidence, and minimal disruption. Our DSPT Compliance for NHS & Healthcare Providers page gives a full overview of our assessment approach.

Get in touch to arrange a call and learn how we can support your assessment, evidence preparation, and compliance journey.

References

NHS England DSPT CAF Guidance: https://digital.nhs.uk/cyber-and-data-security/guidance-and-assurance/caf-aligned-dspt-guidance

NHS England Independent Assessment Guides: https://www.dsptoolkit.nhs.uk/Help/Independent-Assessment-Guides

NCSC Cyber Assessment Framework (CAF): https://www.ncsc.gov.uk/collection/cyber-assessment-framework
