DSPT Independent Audit for Category 2 IT Suppliers: What You Need to Know for 2025/26
If you're an IT supplier providing digital services to the NHS, the mandatory DSPT independent audit is now a compliance requirement you cannot ignore. For Category 2 IT suppliers (organisations with 50 or more staff and annual turnover above £10 million), the 2025/26 Data Security and Protection Toolkit (DSPT) submission requires external verification of your security practices.
With the final submission deadline of 30 June 2026, understanding what's required and starting early is essential for protecting your NHS contracts.
Who Needs a DSPT Independent Audit?
Category 2 IT suppliers must complete a mandatory independent audit as part of their DSPT submission. You're classified as a Category 2 IT supplier if you meet all of the following criteria: you supply digital goods or services to NHS or care organisations (including SaaS platforms, cloud hosting, EHR systems, cybersecurity services, or IT infrastructure), your organisation has 50 or more staff members, and your annual turnover exceeds £10 million.
This mandatory independent audit requirement, set out under sub-assertion 9.4.5, was introduced in the 2024/25 DSPT cycle and remains in place for 2025/26. It reflects NHS England's commitment to robust assurance for organisations providing critical infrastructure to the health service.
Non-compliance can result in contract exclusion, loss of NHS system access, and significant reputational damage.
What the DSPT Independent Audit Covers
The DSPT independent audit for IT suppliers is comprehensive and examines both your documentation and actual implementation. Auditors must follow NHS England's Independent Assessment Framework, which specifies mandatory evidence items across the National Data Guardian's 10 data security standards.
The audit scope for Category 2 IT suppliers covers 12 mandatory assertions. These represent the critical areas where NHS England requires independent verification that your security practices are genuinely implemented and effective.
Governance and Accountability:
Your organisation must demonstrate accountability and governance structures for data protection and data security, with clear board-level or senior management oversight and documented frameworks.
Access Control and Identity Management:
Auditors examine how you manage identity and access control for the networks and information systems that process NHS data, including the authentication and authorisation mechanisms in place. Privileged user access management receives particular scrutiny: you must show that administrative access to systems supporting essential NHS services is tightly restricted, reviewed and monitored.
Incident Management:
You must have a confidential system for reporting data security breaches and near misses that is actively used across your organisation. Auditors verify that known vulnerabilities are acted upon in line with advice from NHS Digital, and that lessons learned from previous incidents drive continuous improvement.
Business Continuity and Disaster Recovery:
Effective testing of your continuity and disaster recovery plans is mandatory, with documented evidence of regular exercises. You must demonstrate capability to enact your incident response plan, including effective limitation of impact on essential NHS services, with access to timely information supporting response decisions during incidents.
Technical Security Controls:
Your patch management processes must keep supported systems up to date with the latest security patches. Vulnerability management processes must prevent disruption of essential services, with systems handling sensitive information or key operational services protected from exploitation of known vulnerabilities. Your organisation's network boundary must be protected by a well-managed firewall with appropriate configuration and monitoring.
Supply Chain Security:
You must be able to identify all suppliers, the products and services they deliver to support your NHS services, and the contract durations. This demonstrates visibility and control over your supply chain, which is critical given that IT suppliers often rely on multiple sub-processors.
How the Independent Audit Process Works
The DSPT independent audit is a requirement under sub-assertion 9.4.5. It is not simply a document review; our auditors verify that your policies are genuinely implemented across your organisation.
At Periculo, we conduct a DSPT independent audit as a structured two to three day engagement (depending on company size), combining one to two days of evidence review and technical validation with one day of comprehensive reporting and recommendations.
The process begins with a thorough review of your submitted evidence. Our auditors ensure all documentation is accurate, current, version-controlled, and directly addresses DSPT requirements. Generic policies or outdated documents will fail to meet the standard.
We then conduct interviews with your team: senior leadership, to assess board-level accountability; information governance leads; technical staff implementing security controls; and operational personnel handling NHS data day-to-day.
Technical validation is increasingly common in DSPT independent audits for IT suppliers. This might include configuration reviews of systems processing NHS data, analysis of system logs and security monitoring outputs, and review of penetration testing results. The audit focuses on evidence of real, active compliance; having the right documents isn't enough if you cannot demonstrate they're implemented and effective.
Preparing for Your DSPT Independent Audit
Most IT suppliers need three to six months of structured preparation to gather evidence, address gaps, and ensure audit readiness.
Start by appointing a dedicated DSPT lead with both NHS-specific knowledge and cybersecurity expertise who can coordinate preparation across your organisation.
Gather and organise your evidence systematically. Create a comprehensive audit pack that clearly maps each piece of evidence to a specific mandatory assertion, uses consistent version control and document labelling, and demonstrates implementation through supporting records such as training completion logs, system configurations, or audit outputs.
Address identified gaps through targeted remediation. This might include developing or updating policies to reflect current practice and NHS-specific requirements, technical work such as stronger access controls or monitoring, training to close gaps in staff awareness, testing to demonstrate effective recovery, and supplier engagement to obtain the required documentation from sub-processors.
Many IT suppliers benefit from conducting a pre-audit review to identify potential issues and allow time for remediation before the formal assessment.
Common DSPT Audit Failures for IT Suppliers
Understanding common pitfalls helps you avoid them. Generic policy templates that don't reflect your specific services or NHS client relationships will immediately raise red flags. Auditors want to see policies tailored to your organisation's context as an IT supplier.
Insufficient evidence of implementation is another frequent failure. Having comprehensive policies means nothing if you cannot demonstrate through training records, technical configurations, and monitoring outputs that they're actually implemented. Auditors look for the complete lifecycle from policy through implementation to ongoing monitoring and continuous improvement.
Weak supply chain assurance is particularly problematic for IT suppliers. You remain accountable for data security even when using cloud providers, managed services, or specialist tools. The mandatory assertion requiring you to identify suppliers, products, services, and contract durations means you need comprehensive visibility of your entire supply chain. Auditors expect documented assurance for all sub-processors, including contracts with data protection clauses, evidence of equivalent security standards, and regular compliance reviews.
Missing or incomplete evidence of business continuity testing consistently causes audit failures. Auditors scrutinise whether you conduct effective tests of continuity and disaster recovery plans, whether tests are documented with results and lessons learned, and whether you can demonstrate capability to enact response plans during actual incidents.
Inadequate privileged access management represents another critical gap. With close management of privileged user access being a mandatory assertion, auditors examine whether administrative access is appropriately restricted, regularly reviewed, and comprehensively monitored.
How Periculo Supports Your DSPT Compliance Journey
As an NHS DSPT independent auditor, Periculo specialises in helping IT suppliers achieve and maintain DSPT compliance.
Our DSPT Independent Audit service provides the mandatory independent assessment required for Category 2 IT suppliers. Delivered as a structured two to three day engagement, we examine all 12 mandatory assertions, conduct technical validation, and provide comprehensive reporting that meets NHS England's Independent Assessment Framework requirements. Our audit identifies non-conformities, provides clear remediation guidance, and delivers the risk rating required for your DSPT submission.
Our Pre-Audit Gap Analysis helps you identify compliance gaps months before your formal audit. We assess your current state against all 12 mandatory assertions, identify specific evidence gaps, provide prioritised remediation recommendations, and create a clear roadmap to audit readiness. This service significantly increases first-time audit pass rates and reduces last-minute compliance pressure.
Contact Periculo today to book your 2025/26 DSPT independent audit or discuss pre-audit gap analysis. Our audit slots for the March to May window fill quickly, so early engagement is essential.