
Adopting the Cyber Assessment Framework


In September 2024, a major change reshaped how data security is assessed across the health and care sector. The Data Security and Protection Toolkit (DSPT) was realigned to the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF), starting with the 2024–25 assessment year. This update forms part of the Department of Health and Social Care’s (DHSC) cyber security strategy for health and adult social care, which aims to build sector-wide resilience by 2030.

But what does this alignment actually mean for organisations, and how will it affect the way cyber security and information governance (IG) are assessed?


From Compliance to Outcomes: The Shift to CAF-Aligned DSPT

The CAF-aligned DSPT represents a shift away from rigid tick-box exercises toward an outcome-focused model. Instead of asking “Do you have this control in place?”, the CAF asks organisations to show, with evidence, that their controls achieve the intended outcome in practice.

The framework is built around principles, contributing outcomes and indicators of good practice, and it relies on expert judgement rather than a fixed checklist. This approach allows organisations to make informed decisions about their security posture, focusing on what is actually effective rather than what is merely documented.

In short, it’s no longer just about the right tools—it’s about whether they’re working, whether staff are trained, and whether the organisation is equipped to detect, respond to, and recover from real threats.


Why This Change Matters: Three Strategic Goals

This isn’t just a toolkit update—it’s a cultural reset. The DSPT’s alignment with CAF is designed to:

1. Enable Good Decision-Making Over Box-Ticking

Organisations are encouraged to move away from pass/fail thinking and towards informed risk management. Cyber threats are constantly evolving, and the CAF allows local organisations to assess their own context and respond accordingly.

2. Promote a Culture of Evaluation and Improvement

The CAF model is cyclical, not static. Organisations are expected to regularly evaluate how effective their controls are at achieving key outcomes and to improve over time. It's not about getting a “yes” once a year; it’s about building maturity.

3. Support Adoption of Better Practice

By aligning with CAF, the DSPT opens the door for continuous improvement. Organisations are encouraged to stay up to date with new guidance, technologies, and threat intelligence—and to evolve their strategies to meet emerging risks head-on.


Understanding the CAF: Five Core Objectives

The NCSC’s Cyber Assessment Framework (CAF) defines what good cyber resilience looks like through four high-level objectives, lettered A to D. The CAF-aligned DSPT adopts these four and adds a fifth, data protection objective (E) that has no counterpart in the NCSC framework. Together they now underpin how the DSPT is structured:

  1. Objective A: Managing Security Risk – Governance, accountability, asset management, supply chain and risk management processes.

  2. Objective B: Protecting Against Cyber Attack – Technical and procedural controls to defend systems, networks and data against threats.

  3. Objective C: Detecting Cyber Security Events – Monitoring and analysis capabilities to identify malicious activity quickly and reliably.

  4. Objective D: Minimising the Impact of Cyber Security Incidents – Effective response and recovery planning, and learning from incidents.

  5. Objective E: Using and Sharing Information Appropriately – The DSPT’s own addition, covering data protection and information governance: appropriate access to, use of and sharing of personal and confidential information.

Each objective is broken down into principles, and each principle into contributing outcomes. For every outcome an organisation judges, against the indicators of good practice, whether it is achieved, partially achieved or not achieved, and records the supporting evidence. These outcomes and indicators are now reflected in the DSPT’s evidence items and guidance.


Key Deadlines for the 2024–25 DSPT Cycle

Organisations should be aware of the following updated submission deadlines:

  • 31 December 2024 – Submit your interim DSPT self-assessment, outlining your current alignment with the CAF and any gaps identified.

  • 30 June 2025 – Submit your final DSPT return, including any updated evidence and outcomes from required independent assessments.

This phased submission model gives organisations time to assess their posture, plan improvements, and engage assessors if needed.


Who Needs an Independent Assessment?

Not every organisation that completes the DSPT is required to commission an independent assessment, but those in scope of the CAF-aligned DSPT are. The following groups must complete an external assessment for the 2024–25 cycle:

  • NHS Trusts

  • Integrated Care Boards (ICBs)

  • Commissioning Support Units (CSUs)

  • Arm’s Length Bodies (ALBs)

  • Key NHS IT and digital suppliers

The purpose of these assessments is to validate whether the controls and outcome statuses reported in the DSPT self-assessment are actually functioning as claimed, judged against the CAF principles and indicators of good practice rather than against the presence of a document or policy.


How to Prepare for the CAF-Aligned DSPT

If you haven’t already started planning, now is the time. Here are four actions you can take to get ahead:

  • Review Your Current Practices – Are you focused on compliance or actual risk reduction? Identify areas where your current approach may fall short of CAF expectations.

  • Engage Leadership – Ensure senior management and your board understand the shift in focus, the need for investment, and their role in demonstrating governance.

  • Schedule Assessments Early – If you fall into a category requiring an external review, get dates booked now. Independent assessment slots may fill up fast ahead of the June 2025 deadline.

  • Train and Communicate – Teams at all levels need to understand the CAF objectives and how their actions support the outcomes. Consider role-based training or awareness sessions.

The alignment of the DSPT with the CAF marks a decisive move toward meaningful cyber maturity in the NHS and social care system. By focusing on real-world outcomes and continuous improvement, this change creates opportunities to embed better security practices across the sector.

For those prepared to engage with the new framework early, the benefits are clear: improved resilience, stronger stakeholder assurance, and reduced risk in the face of increasingly sophisticated cyber threats.

If you haven’t already, now is the time to take action—and take ownership of your organisation’s cyber future. Why not book a strategy call with Cory? 


Updated June 2025