We've kicked off 2026 exactly where we left 2025 – busy, which is brilliant.
In this month's newsletter, we share important updates on Periculo's certifications and capabilities, the surge in DSPT audit interest, and why 2026 must be the year organisations get serious about supply chain security. Let's get into it...
We're pleased to confirm that Periculo has successfully recertified both ISO 9001 (Quality Management) and ISO 27001 (Information Security Management). These certifications demonstrate our continued commitment to maintaining the highest standards in both service delivery and information security, giving our clients confidence that we practise what we preach.
We also have some exciting changes coming to Periculo over the coming months. We can't say too much just yet, but we'd encourage you to keep an eye out for announcements. Watch this space...
Since achieving accreditation as a Certification Body for Defence Cyber Certification (DCC) Levels 0 and 1 in December, we've been working closely with clients to guide them through the certification process. The response has been excellent, and we're already supporting organisations across both tiers to meet MOD requirements.
We're pleased to confirm that we're on track to expand our accreditation to DCC Levels 2 and 3 early this year. This will enable us to support organisations operating in higher-risk defence environments, providing comprehensive certification services across the full DCC spectrum.
Whether you're preparing for your initial DCC assessment or planning ahead for higher levels, we're here to help you navigate the requirements and achieve certification with confidence.
Find out more...
Interest in DSPT audits has ramped up significantly this month. We've already audited and supported clients to complete their submissions well ahead of the 30th June 2026 deadline, giving them peace of mind and allowing them to focus on their core operations without the last-minute rush.
For IT suppliers (external organisations supplying digital goods and services to the NHS with 50+ staff and £10m+ turnover), the 2025-26 cycle brings a mandatory independent audit requirement covering 12 key assertions spanning technical controls, governance, risk management, and incident response. Our auditors will assess whether security and data protection practices are genuinely implemented and embedded across your organisation.
If you're an IT supplier working towards your DSPT submission and would like support, now is an excellent time to get started. Early preparation not only reduces stress but also ensures you have sufficient time to address any gaps, gather robust evidence, and implement necessary improvements ahead of the audit.
Contact us now for more information.
Throughout 2025, supply chain security emerged as a critical vulnerability for UK organisations. Only 14% of UK businesses formally reviewed supplier risks, according to the Government's Cyber Security Breaches Survey, whilst supply chain attacks spiked by 35%.
The consequences were severe. Marks & Spencer suffered £300 million in losses after attackers compromised a third-party contractor, disrupting over 1,000 stores. The Co-op lost an estimated £100 million and exposed 6.5 million members' data through a similar supplier compromise. Most significantly, Jaguar Land Rover's August 2025 incident—attributed to third-party supplier vulnerabilities—became the UK's most economically damaging cyber attack, costing £1.9 billion and affecting more than 5,000 supply chain businesses.
From January 2026, NHS England is directly engaging suppliers on cybersecurity controls. Under Procurement Policy Note 014, NHS Supply Chain now requires suppliers handling personal data or providing IT services to hold Cyber Essentials Plus certification or demonstrate equivalent controls. The NHS Cyber Security Supply Chain Charter reinforces expectations around vulnerability patching, multi-factor authentication, DSPT compliance, and recovery testing.
Your organisation's security is only as strong as your weakest supplier. Whether you supply to the NHS, defence, or other regulated sectors, certifications such as Cyber Essentials Plus, DSPT compliance, and Defence Cyber Certification are becoming essential requirements, not optional extras. 2026 is the year to evaluate both your suppliers' security posture and your own credentials as a trusted supplier.
Start the year by reviewing which suppliers have access to your systems and data. Document what they can access, why they need that access, and when it was last reviewed. Remove or reduce access that's no longer necessary, and ensure all supplier access uses multi-factor authentication wherever possible.
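As an added illustration of the review described above (example code written for this newsletter, not a Periculo tool), the script below takes a supplier access inventory and flags the three things worth checking: access with no documented justification, access whose last review is older than an assumed 90-day window, and access not protected by MFA. The CSV layout, the column names and the sample rows are all constructed for the example.

```python
"""Supplier access review: added example, not Periculo's own tooling.

Reads an inventory of third-party access grants and flags entries that
should be removed, re-justified, re-reviewed or given MFA. The inventory
format, column names and the 90-day review window are assumptions made
for this example.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory (not real suppliers or systems):
# supplier, system, access level, business justification,
# date of last access review, whether MFA is enforced.
SAMPLE_INVENTORY = """\
supplier,system,access,justification,last_reviewed,mfa
Acme Payroll Ltd,HR portal,read,monthly payroll run,2025-11-20,yes
Acme Payroll Ltd,VPN,admin,,2025-03-01,no
Northwind IT,Active Directory,admin,managed service desk,2025-12-15,yes
Northwind IT,Backup server,read,restore testing,2024-09-30,yes
Contoso Print,File share,write,invoice scanning,2026-01-05,no
"""


@dataclass
class Finding:
    supplier: str
    system: str
    issue: str


def parse_inventory(text: str) -> list[dict]:
    """Parse the CSV inventory into one dict per access grant."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(rows, today: date, max_review_age_days: int = 90) -> list[Finding]:
    """Apply the three checks to every grant and return the findings in row order."""
    findings = []
    for row in rows:
        supplier, system = row["supplier"], row["system"]

        # 1. Why does the supplier need this access? No answer means remove or justify.
        if not row["justification"].strip():
            findings.append(Finding(supplier, system,
                                    "no documented justification: remove or justify"))

        # 2. When was the access last reviewed? Older than the window means re-review.
        last_reviewed = date.fromisoformat(row["last_reviewed"])
        age = (today - last_reviewed).days
        if age > max_review_age_days:
            findings.append(Finding(supplier, system,
                                    f"review overdue ({age} days since last review)"))

        # 3. Is the access behind MFA? Admin access without MFA is called out explicitly.
        if row["mfa"].strip().lower() != "yes":
            issue = "MFA not enforced"
            if row["access"].strip().lower() == "admin":
                issue += " on admin access"
            findings.append(Finding(supplier, system, issue))
    return findings


def suppliers_with_findings(findings) -> list[str]:
    """Distinct suppliers that need follow-up, sorted for reporting."""
    return sorted({f.supplier for f in findings})


def review_sample(today: date = date(2026, 1, 31)) -> list[Finding]:
    """Run the review over the constructed inventory as of a fixed date."""
    return review_access(parse_inventory(SAMPLE_INVENTORY), today)


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f.supplier} / {f.system}: {f.issue}")
```

Run against the sample rows as of 31 January 2026, the script produces five findings across three suppliers; the payroll supplier's unjustified, unreviewed admin VPN access without MFA is the kind of entry the review is meant to surface. Swap the embedded CSV for an export from your own access records and adjust the review window to match your policy.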
This is the UK Government policy that sets mandatory minimum cybersecurity requirements for suppliers bidding for central government contracts. It requires suppliers to demonstrate compliance with Cyber Essentials and, where they handle personal data or provide digital services, Cyber Essentials Plus. The NHS Supply Chain has adopted PPN 014, making these requirements applicable to NHS suppliers.
Read our post on Cyber Essentials and PPN 014
Third-party involvement in data breaches doubled from 15% to 30% in 2025, with supply chain attacks occurring at twice their previous average rate. A single compromise in a supplier's systems can cascade through dozens or even hundreds of downstream organisations, making supplier security one of the most critical risks facing businesses today.
If you're planning your security and compliance roadmap for 2026, we'd be delighted to help. Get in touch to discuss how we can support your DSPT Audit, DCC, or supplier assurance requirements.