DSPT Independent Assurance and Audit 2024-25 (07 October 2024)

Guidance for all Independent Providers who have been designated Operators of Essential Services, and for IT Suppliers, to have a DSPT audit carried out to the required mandatory scope and framework methodology. A summary guide for NHS organisations is now available, with detailed guidance to follow.


Background:

All DSPT independent assessment/audit providers for IT Suppliers and Independent Providers who have been designated Operators of Essential Services must follow the 24-25 guidance at: DSPT Independent Assessment Guides.

A Summary of Audit arrangements for NHS Trusts (Acute, Foundation, Ambulance and Mental Health), Integrated Care Boards, Commissioning Support Units and DHSC Arm’s Length Bodies has been launched with detailed guidance to follow in the coming weeks.

Summary Guide available at: DSP Toolkit - CAF Summary Audit Guide v7 24-25 v1.0

The purpose of the guidance is to enable better assurance of DSPT submissions by increasing standardisation and harmonisation across assessments. It will also support a better understanding of data security and protection risk themes across the health and care system.

It is mandated via the NHS Standard Contract and the DSPT requirement that the following organisations annually complete a DSPT audit/independent assessment following this guidance:

- Independent Providers who have been designated Operators of Essential Services.

- IT Suppliers


Organisational Requirements:

Independent Providers who have been designated Operators of Essential Services and IT Suppliers must ensure that their audit provider follows the mandated scope, which for this year is set out in the DSPT Independent Assessment Guide and detailed below.

The scope applies to mandatory evidence items only, with the highlighted evidence items out of scope. Evidence items that are covered by an exemption for CE+ and/or ISO 27001 will not require further auditing, once it is confirmed that the scope of the certification covers all the health and care data being processed.

1.1 The organisation has a framework in place to support Lawfulness, Fairness and Transparency (Auditors are not required to include 1.1.7 and 1.1.8 in the audit scope)
2.2 Staff contracts set out responsibilities for data security
3.1 Staff have appropriate understanding of information governance and cyber security, with an effective range of approaches taken to training and awareness
3.2 Your organisation engages proactively and widely to improve data security, and has an open and just culture for data security incidents
4.5 You ensure your passwords are suitable for the information you are protecting
5.1 Process reviews are held at least once per year where data security is put at risk and following DS incidents
6.2 All user devices are subject to anti-virus protections while email services benefit from spam filtering and protection deployed at the corporate gateway
7.1 Organisations have a defined, planned and communicated response to Data security incidents that impact sensitive information or key operational services
8.2 Unsupported software and hardware is categorised and documented, and data security risks are identified and managed
9.2 A penetration test has been scoped and undertaken
9.5 You securely configure the network and information systems that support the delivery of essential services
9.6 The organisation is protected by a well-managed firewall
10.2 Basic due diligence has been undertaken against each supplier that handles personal information

Organisational Audit Provider Requirement:

Organisations shall ensure that their chosen audit provider is aware of the mandated framework that must be followed. The hallmark of the methodology is an output which includes: a risk rating against each of the 10 data security standards; an overall risk rating (based on the 10 individual ratings); and an overall confidence rating.

The example in the link below is from a previous year's report (i.e. a different scope applies this year).

DSPT Audit Table.png

The presentation of these items can vary, but it is vital that they are present and that the framework is utilised in full.

To meet the requirement, the DSPT audit functionality must be used.


Supporting Documents: