NHS DSPT Audit – The Mandatory Assertions (2025–26 Edition)

1.3 — Accountability and Governance

Purpose:
To ensure that data security and protection have clear ownership at senior level. Leadership must actively oversee compliance, not delegate it entirely to IT or compliance staff.

Requirements:

• A named Data Protection Officer (DPO) or Senior Information Risk Owner (SIRO)

• Documented information governance structure and reporting lines

• Regular reviews of data security performance at board or senior management level

Evidence Examples:

• Governance meeting minutes

• IG policy and organogram

• Annual data security report signed by the SIRO

Best Practice Tips:

• Include DSPT progress as a standing agenda item at leadership meetings

• Use dashboards or KPIs for visibility

Related Standards: ISO 27001 A.5 (Leadership & Commitment), NCSC Cyber Governance Guidance

4.2 — Identity and Access Management

Purpose:
To ensure users have the correct access at all times and unauthorised access is prevented.

Requirements:

• Documented Joiners, Movers, Leavers (JML) process

• Multi-factor authentication (MFA) for all critical systems

• Regular access reviews (at least quarterly)

Evidence Examples:

• User access logs and audit trails

• Policy defining least-privilege principles

• MFA configuration reports

Best Practice Tips:

• Automate account provisioning and removal

• Implement role-based access control (RBAC)

Related Standards: ISO 27001 A.9, Cyber Essentials Plus (User Access Control)

4.4 — Privileged User Access

Purpose:
To restrict and monitor administrative access that could modify systems or data.

Requirements:

• Dedicated admin accounts, separate from user accounts

• Approval process for granting privileged access

• Monitoring and review of privileged activity

Evidence Examples:

• Privileged Access Register

• PAM (Privileged Access Management) system logs

• Change control or ticketing records

Best Practice Tips:

• Use just-in-time access tools

• Implement session recording for admin actions

Related Standards: ISO 27001 A.9.2, NCSC Principle 3 (Access Control)

6.1 — Incident and Near-Miss Reporting

Purpose:
To ensure incidents are captured, investigated, and used to drive improvement.

Requirements:

• A confidential reporting mechanism accessible to all staff

• Defined process for logging, categorising, and escalating incidents

• Feedback loop to staff on outcomes and lessons learned

Evidence Examples:

• Incident logs or service desk reports

• Training materials encouraging reporting

• Post-incident review documentation

Best Practice Tips:

• Run awareness campaigns promoting “report, don’t hide”

• Use near-miss data to prevent future breaches

Related Standards: ISO 27001 A.16, NHS Digital Incident Reporting Guidelines

6.3 — Vulnerability Management

Purpose:
To ensure known vulnerabilities are addressed promptly and effectively.

Requirements:

• Formal patching and remediation policy

• Monitoring of NHS Digital alerts (CareCERT)

• Lessons learned from prior incidents applied

Evidence Examples:

• Patch deployment schedules

• Vulnerability scans before and after remediation

• Change control documentation

Best Practice Tips:

• Track vulnerabilities via a risk register

• Prioritise critical patches within 14 days

Related Standards: ISO 27001 A.12.6, NCSC Vulnerability Management Guidance

7.2 — Continuity and Disaster Recovery Testing

Purpose:
To confirm the organisation can recover data and services following a disruption.

Requirements:

• Business Continuity Plan (BCP) and Disaster Recovery (DR) Plan in place

• Annual testing of recovery processes

• Clear Recovery Time and Recovery Point Objectives (RTO/RPO)

Evidence Examples:

• Test reports and outcomes

• Lessons-learned logs

• Board sign-off on plan updates

Best Practice Tips:

• Test both IT and business recovery

• Include communications and stakeholder updates in scenarios

Related Standards: ISO 27001 A.17, NHS DSPT Business Continuity Requirements

7.3 — Incident Response Capability

Purpose:
To ensure the organisation can detect, contain, and recover from cyber incidents rapidly.

Requirements:

• Documented Incident Response Plan (IRP)

• Trained incident response team

• Access to monitoring and forensic data

Evidence Examples:

• Tabletop exercise records

• Escalation flowcharts

• Incident playbooks

Best Practice Tips:

• Conduct at least one live simulation annually

• Define communication plans for patients, staff, and regulators

Related Standards: ISO 27035, NCSC Incident Management Guidelines

8.3 — Patch Management

Purpose:
To keep all systems supported and up to date.

Requirements:

• Central patch management policy

• Monthly patching cycle or as per vendor guidance

• Records of verification and success rates

Evidence Examples:

• Patch deployment logs

• Reports from WSUS/SCCM/Intune or equivalent tools

• Vulnerability scanner validation

Best Practice Tips:

• Maintain asset inventory to track patch status

• Automate patch reporting and exceptions

Related Standards: ISO 27001 A.12.6, Cyber Essentials Plus (Security Update Control)

8.4 — Vulnerability Management (Network Focus)

Purpose:
To identify and mitigate technical weaknesses before attackers exploit them.

Requirements:

• Regular vulnerability scans of networks and systems

• Documented remediation workflows

• Executive reporting on remediation progress

Evidence Examples:

• Scanner outputs and risk ratings

• Remediation tracker logs

• Penetration test results

Best Practice Tips:

• Schedule quarterly internal scans and annual external penetration tests

• Integrate results into SIEM or ticketing platforms

Related Standards: ISO 27001 A.12.6, NCSC 10 Steps – Vulnerability Management

9.3 — System Security

Purpose:
To protect critical systems and applications from exploitation.

Requirements:

• Hardened configurations and secure builds

• Patch compliance and monitoring

• Regular security assessments

Evidence Examples:

• Secure configuration checklists

• Test results for clinical or operational systems

• Penetration test reports

Best Practice Tips:

• Apply CIS or NCSC hardening benchmarks

• Implement configuration drift monitoring

Related Standards: ISO 27001 A.14, NCSC System Hardening Guidance

9.6 — Firewall Management

Purpose:
To ensure firewalls effectively protect the organisation from external threats.

Requirements:

• Documented firewall policy

• Change control for rule updates

• Regular review of configurations and logs

Evidence Examples:

• Firewall configuration review reports

• Change-request tickets

• Monitoring alerts or log summaries

Best Practice Tips:

• Conduct quarterly rule-set reviews

• Use intrusion-prevention and application-layer filtering

Related Standards: ISO 27001 A.13, NCSC Boundary Protection Guidance

10.1 — Supplier Assurance

Purpose:
To ensure all third-party suppliers meet data-security expectations.

Requirements:

• Supplier register with contract details and risk ratings

• Evidence of DSPT, CE+, or ISO 27001 compliance

• Annual supplier assurance reviews

Evidence Examples:

• Supplier assurance questionnaires

• Signed data-processing agreements

• Certificates of compliance

Best Practice Tips:

• Tier suppliers by risk level

• Include cyber clauses in all new contracts

Related Standards: NCSC Supply Chain Security Guidance

NHS DSPT Online Checker and Assessment

Take our NHS DSPT Online Checker and Assessment Tool today to quickly identify your current compliance level and uncover tailored actions to strengthen your data security. It only takes a few minutes — and gives you instant, actionable insight into how to improve your DSPT score and cyber resilience.
Try the DSPT Checker now