If your company handles NHS patient data or provides services to NHS organisations, you're likely familiar with the Data Security and Protection Toolkit (DSPT). The DSPT is an online self-assessment tool that allows organisations to demonstrate they are practising good data security and protection. Each year, organisations must complete and publish their DSPT assessment. For the 2024/25 cycle, the deadline is 30th June 2025.
Missing the NHS DSPT deadline can have serious consequences—non-compliance with NHS contractual requirements, loss of NHS data access, and reputational damage. For those who must comply, the DSPT is not optional; it’s an annual requirement.
However, meeting the DSPT standards isn’t just about ticking boxes. One particular requirement—Evidence Item 9.4.5—is gaining attention because it goes beyond self-assessment and introduces a mandatory independent audit.
Let’s break down what 9.4.5 means, why it matters, and how your company, if you are an NHS IT supplier, can comply confidently.
Within the DSP Toolkit, Evidence Item 9.4.5 requires an independent audit of your DSPT submission. In simple terms, this means that after completing the self-assessment, your organisation must undergo a third-party review to validate your data protection practices.
The DSPT portal specifically asks:
“What level of assurance (overall risk rating and confidence level rating) did the independent audit of your Data Security and Protection Toolkit provide to your organisation?”
You’re also required to upload a full audit report as supporting evidence.
This audit must be conducted by an impartial expert and should include:
Findings and Ratings – How well your organisation meets each of the DSPT's ten data security standards, typically with individual risk ratings.
Overall Assurance Level – A summary risk rating (e.g., low, moderate, high).
Confidence Level – An auditor’s confidence in your controls and evidence.
This process ensures that self-declared compliance is independently verified—adding credibility and trust to your DSPT return.
Note: Evidence Item 9.4.5 falls under Data Security Standard 9 (IT Protection), which includes controls such as penetration testing, vulnerability management, and broader IT risk mitigation.
Periculo provides independent DSPT audits specifically for NHS IT Suppliers. While Requirement 9.4.5 applies to a broader range of organisations (e.g. NHS Trusts, ICSs, OES healthcare providers), our audit service is tailored exclusively for IT suppliers working with the NHS.
This specialism allows us to focus deeply on the specific needs, risks, and expectations of NHS-facing tech organisations.
We focus our audit on the mandatory assertions required by NHS England under the DSPT. These are the core elements that determine whether your DSPT submission is accepted.
However, our approach goes beyond just checking the minimum. We assess additional areas where relevant to provide value-added recommendations—practical, actionable steps to improve your overall security posture. In other words, we help you meet the requirement and make measurable improvements in how you manage data security.
An independent audit gives NHS partners, commissioners, and clients confidence in your commitment to data protection. It proves your self-assessment is more than lip service.
NHS England mandates these audits to ensure all relevant organisations are assessed consistently, helping surface sector-wide risks and weaknesses.
The audit isn’t about passing or failing—it’s about improvement. The insights can help identify blind spots, tighten up gaps, and prevent incidents before they happen.
If you’re supplying software, hosting, integration, or technical support to NHS organisations, this audit is mandatory. Missing it risks an incomplete submission, jeopardising your NHS contracts and data access.
At Periculo, we help NHS IT suppliers complete their independent DSPT audit with clarity, speed, and accuracy.
We provide a clear, itemised checklist so you know exactly what evidence to prepare.
Our auditors review your key documents offline—policies, incident logs, risk registers, DPIAs, and ISO certifications, where relevant.
In structured interviews with your team, we verify that policies are not only written but also followed in practice.
You’ll receive a report that includes:
Your official risk and confidence levels (as required by DSPT)
A breakdown of strengths and gaps
Targeted recommendations to enhance your data security posture
We tailor findings so they’re meaningful and relevant to your environment, not generic templates.
NHS-compliant audits for IT suppliers
Focused on mandatory assertions—but with real improvement insights
Efficient, fast turnaround
Real people, clear communication—no checkbox bureaucracy
The NHS DSPT deadline of 30th June is fast approaching. If 9.4.5 applies to your organisation, now is the time to act.
We’ll help you meet the requirement confidently and efficiently—and demonstrate to your NHS partners that you take data protection seriously.