DSPT Audit 25-26 Areas of Mandatory Audit (22 September 2025)
The outcomes and assertions of the DSPT which must be included in a 25-26 DSPT Audit for NHS Trusts, ICBs, ALBs, CSU, OES, Genomics and IT Suppliers
NHS Trusts, ICBs, ALBs, and CSUs
For NHS Trusts, ICBs, ALBs, and CSUs there are 9 mandated outcomes to be audited (listed below) with organisations selecting 3 outcomes of their choice.
A1.a Board direction
B1.a Policy, process and procedure development
B4.a Secure by design
B5.a Resilience preparation
B5.c Backups
C1.b Securing logs
D2.a Incident root cause analysis
E2.a Managing data subject rights under UK GDPR
E2.c National data opt-out policy
Independent providers who are designated Operators of Essential Services (OES) and Genomics organisations (as nominated by the Department of Health and Social Care)
For OES providers and Genomics organisations there are 8 mandated outcomes to be audited (listed below) with organisations selecting 4 outcomes of their choice.
A2.a Risk management process
A4.a Supply chain
B2.a Identity verification, authentication and authorisation
B4.d Vulnerability management
C1.a Monitoring coverage
D1.a Response plan
E2.b Consent
E3.a Using and sharing information for direct care
IT Suppliers
For IT Suppliers there are 13 mandated assertions to be audited (listed below).
1.3 Accountability and Governance in place for data protection and data security
3.3 Staff with specialist roles receive data security and protection training suitable to their role
4.2 The organisation assures good management and maintenance of identity and access control for its networks and information systems
4.4 You closely manage privileged user access to networks and information systems supporting the essential service
6.1 A confidential system for reporting data security and protection breaches and near misses is in place and actively used
6.3 Known vulnerabilities are acted on based on advice from NHS Digital, and lessons are learned from previous incidents and near misses
7.2 There is an effective test of the continuity plan and disaster recovery plan for data security incidents
7.3 You have the capability to enact your incident response plan, including effective limitation of impact on your essential service. During an incident, you have access to timely information on which to base your response decisions
8.3 Supported systems are kept up-to-date with the latest security patches
8.4 You manage known vulnerabilities in your network and information systems to prevent disruption of the essential service
9.3 Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities
9.6 The organisation is protected by a well managed firewall
10.1 The organisation can name its suppliers, the products and services they deliver and the contract durations
Further information and guidance about the DSPT Audit is available at: https://www.dsptoolkit.nhs.uk/Help/Independent-Assessment-Guides