Who Needs an NHS DSPT External Audit (and Who Is Advised to Have One)?
If your organisation handles NHS patient data or provides services within the health and care system, you will already be familiar with the NHS Data Security and Protection Toolkit (DSPT).
The 2024–25 update introduced the CAF-aligned DSPT, a major step forward in aligning health and care cyber security standards with the National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF).
One of the most important questions for organisations completing the DSPT is: Do we need an independent audit?
This post explains who must have an audit, who is advised to have one, and what this means for your organisation now and in the coming years.
Mandatory NHS DSPT Audit Organisations
For the 2024–25 DSPT cycle, NHS England has made audits mandatory for the following organisations:
- NHS Trusts
- Integrated Care Boards (ICBs)
- Commissioning Support Units (CSUs)
- Arm's Length Bodies (ALBs)
- IT suppliers
These bodies are considered part of the national critical infrastructure. They play a vital role in the delivery of health services and hold large volumes of sensitive patient data.
As such, they are subject to an annual independent audit of their DSPT self-assessment to ensure full compliance with the CAF-based security and information governance controls.
If your organisation falls into one of these categories, you must plan for both a DSPT submission and an external audit by 30th June of each reporting year.
Organisations Strongly Encouraged to Complete an Audit
For a number of other organisations, an independent audit is not yet mandatory, but it is strongly recommended by NHS England.
This applies to:
- Large private or independent health providers delivering NHS-funded services under contract
- Large GP federations that manage complex systems or serve multiple practices
- Health and care organisations delivering critical infrastructure or highly integrated digital services
In these cases, while the audit is not compulsory, regulators expect a high standard of cyber security assurance.
An independent audit will give your organisation valuable insight into any gaps and will demonstrate robust compliance to partners and regulators.
It also offers early preparation should audits become mandatory in future years for these categories.
Organisations Not Required to Complete an Audit
The following health and care providers are not required to commission an independent audit as part of their DSPT submission:
- GP practices
- Community pharmacies
- Dental practices
- Opticians
- Care homes
- Small independent providers
These organisations must still complete the DSPT self-assessment and meet the relevant standards for data protection, confidentiality, and cyber security.
However, self-assessment without independent verification remains acceptable for 2024–25 and 2025–26.
Why It Matters
Whether your organisation is required or encouraged to undertake an audit, the DSPT remains a critical compliance standard for all health and care providers.
An audit helps to:
- Identify weaknesses before they become serious risks
- Provide assurance to regulators, partners, and the public
- Demonstrate proactive governance in a fast-changing regulatory landscape
With cyber threats against health and care organisations increasing, the direction of travel is clear: more organisations will likely be brought into the audit framework in the future.
Get Ready
If you are unsure whether you need an audit or how to prepare, Contact Us. We are already helping NHS providers across the UK get ahead of the curve.
If you want to know how we can support you with your DSPT audit preparations, book a meeting today: