Your web browser does not appear to have javascript enabled.

The Data Security and Protection Toolkit requires javascript to be enabled.

If you are unable to re-instate the javascript option on your browser please contact us and we will be able to help.

DSPT Audit 25-26 Areas of Mandatory Audit (15 October 2025)

The outcomes and assertions of the DSPT which must be included in a 25-26 DSPT Audit for NHS Trusts, ICBs, ALBs, CSU, OES, Genomics and IT Suppliers. Note slight change to IT Supplier mandatory audit requirements)

DSPT Audit 25-26 Areas of Mandatory Audit

NHS Trusts, ICBs, ALBs, and CSUs

For NHS Trusts, ICBs, ALBs, and CSUs there are 9 mandated outcomes to be audited (listed below) with organisations selecting 3 outcomes of their choice.

A1.a Board direction
B1.a Policy, process and procedure development
B4.a Secure by design
B5.a Resilience preparation
B5.c Backups
C1.b Securing logs
D2.a Incident root cause analysis
E2.a Managing data subject rights under UK GDPR
E2.c National data opt-out policy

Independent providers who are designated Operators of Essential Services (OES) and Genomics organisations (as nominated by the Department of Health and Social Care)

For OES providers and Genomics organisations there are 8 mandated outcomes to be audited (listed below) with organisations selecting 4 outcomes of their choice.

A2.a Risk management process
A4.a Supply chain
B2.a Identity verification, authentication and authorisation
B4.d Vulnerability management
C1.a Monitoring coverage
D1.a Response plan
E2.b Consent
E3.a Using and sharing information sharing for direct care

IT Suppliers

For IT Suppliers there are 12 mandated assertions to be audited (listed below).

1.3      Accountability and Governance in place for data protection and data security
4.2      The organisation assures good management and maintenance of identity and access control for it's networks and information systems
4.4      You closely manage privileged user access to networks and information systems supporting the essential service
6.1      A confidential system for reporting data security and protection breaches and near misses is in place and actively used
6.3      Known vulnerabilities are acted on based on advice from NHS Digital, and lessons are learned from previous incidents and near misses
7.2      There is an effective test of the continuity plan and disaster recovery plan for data security incidents
7.3      You have the capability to enact your incident response plan, including effective limitation of impact on your essential service. During an incident, you have access to timely information on which to base your response decisions
8.3      Supported systems are kept up-to-date with the latest security patches
8.4      You manage known vulnerabilities in your network and information systems to prevent disruption of the essential service
9.3      Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities 9.6      The organisation is protected by a well managed firewall
10.1    The organisation can name its suppliers, the products and services they deliver and the contract durations

(Note: 3.3 has been removed as it does not contain any mandatory evidence items for IT Suppliers)

Further information and guidance about the DSPT Audit is available at: https://www.dsptoolkit.nhs.uk/Help/Independent-Assessment-Guides