If your organisation supplies digital goods or services to the NHS or care sector, has 50 or more employees, and has an annual turnover of £10 million or more, you are classified as an IT Supplier under the DSPT framework. That means you are required to complete an independent audit verifying your compliance with 12 mandatory assertions by 30 June 2026.
This article walks through each of those 12 assertions — what they mean, what auditors look for, and what evidence you need to have ready.
Who this applies to
You are an IT Supplier under the DSPT if you meet all three of the following:
- You supply digital goods or services to the NHS or social care
- You have 50 or more employees
- You have an annual turnover of £10 million or more
If you do not meet all three criteria, you fall under the "Other" category with a different (lighter) evidence requirement and no independent audit obligation.
The 12 Mandatory Assertions
1.3 — Accountability and Governance
Purpose: To ensure data security and protection have clear ownership at senior level, with active board oversight rather than delegation to IT or compliance staff alone.
What DSPT requires:
- A named Data Protection Officer (DPO) or Senior Information Risk Owner (SIRO)
- A documented information governance structure with clear reporting lines
- Regular senior-level review of data security performance
Evidence auditors look for:
- ICO registration number and current DPO appointment record
- Information governance policy with named roles and sign-off
- Governance or board meeting minutes showing DSPT/IG as a standing agenda item
- An annual data security report reviewed and signed by the SIRO or equivalent
- Organogram showing IG reporting lines
Best practice: Track DSPT progress using a dashboard or KPI framework reviewed at least quarterly. Ensure the SIRO has demonstrable involvement in risk decisions, not just sign-off on completed paperwork.
Related standards: ISO 27001 (2022) Clause 5.1 — Leadership and commitment (Annex A.5.2 covers information security roles and responsibilities); NCSC Cyber Governance Guidance
4.2 — Identity and Access Management
Purpose: To ensure users have the correct access at all times and that unauthorised access is prevented through robust identity controls.
What DSPT requires:
- A documented Joiners, Movers, Leavers (JML) process
- Multi-factor authentication (MFA) enforced on all critical and NHS-connected systems
- Regular access reviews — at minimum quarterly
Evidence auditors look for:
- User access logs and audit trails demonstrating active account management
- JML policy and evidence it is being followed (e.g. leaver account suspension records)
- MFA configuration evidence (screenshots from Entra ID / Active Directory, Okta, or equivalent)
- Role-based access control (RBAC) configuration documentation
- Completed access review reports showing who reviewed, when, and any actions taken
- A policy defining least-privilege principles
Best practice: Automate account provisioning and removal wherever possible. Leavers should have access revoked on or before their last working day — auditors will look for evidence of timely deprovisioning.
Related standards: ISO 27001 (2022) A.5.15–A.5.18; Cyber Essentials Plus (User Access Control)
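Auditors reviewing 4.2 want to see that leaver deprovisioning actually happened on time, not just that a JML policy exists. The reconciliation below is an added example, not code from the page or from any DSPT tooling: it joins a constructed HR leaver extract against a constructed identity-provider export and reports every account that was disabled after the last working day or is still enabled. The CSV column names (employee_id, last_working_day, upn, enabled, disabled_on) are assumptions; map them from whatever your Entra ID, Okta or Active Directory export actually produces.

```python
import csv
import io
from datetime import datetime

# Constructed HR leaver extract (example data, not taken from the page).
HR_LEAVERS_CSV = """employee_id,name,last_working_day
1001,A. Example,2025-09-30
1002,B. Example,2025-10-10
1003,C. Example,2025-10-15
1004,D. Example,2025-10-20
"""

# Constructed identity-provider export. The column layout is an assumption;
# map it from whatever your Entra ID, Okta or AD export actually produces.
# disabled_on is empty while the account is still enabled. Employee 1005 is
# current staff and must not be flagged; 1004 has no account in this directory.
IDP_ACCOUNTS_CSV = """employee_id,upn,enabled,disabled_on
1001,a.example@example.org,false,2025-09-30
1002,b.example@example.org,false,2025-10-17
1003,c.example@example.org,true,
1005,e.example@example.org,true,
"""


def _day(text):
    return datetime.strptime(text, "%Y-%m-%d").date()


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile_leavers(hr_csv, idp_csv, as_of):
    """Return one finding per leaver whose account was disabled late or not at all.

    Compliant: the account was disabled on or before the last working day.
    `as_of` is the ISO date the check runs; for a still-enabled account it
    measures how long the account has outlived its owner's exit.
    """
    as_of_day = _day(as_of)
    accounts = {r["employee_id"]: r for r in _rows(idp_csv)}
    findings = []
    for leaver in _rows(hr_csv):
        acct = accounts.get(leaver["employee_id"])
        if acct is None:
            continue  # no account in this directory, so nothing to revoke here
        lwd = _day(leaver["last_working_day"])
        if acct["enabled"].strip().lower() == "true":
            lag, status = (as_of_day - lwd).days, "still_enabled"
        else:
            lag, status = (_day(acct["disabled_on"]) - lwd).days, "disabled_late"
        if lag > 0:  # lag <= 0: revoked in time, or the leaver has not left yet
            findings.append({
                "employee_id": leaver["employee_id"],
                "upn": acct["upn"],
                "status": status,
                "days_after_last_working_day": lag,
            })
    return findings


def summarise(findings):
    """Counts an auditor can quote directly from the evidence pack."""
    return {
        "disabled_late": sum(1 for f in findings if f["status"] == "disabled_late"),
        "still_enabled": sum(1 for f in findings if f["status"] == "still_enabled"),
    }


if __name__ == "__main__":
    found = reconcile_leavers(HR_LEAVERS_CSV, IDP_ACCOUNTS_CSV, "2025-11-01")
    for f in found:
        print(f)
    print(summarise(found))
```

Run it against the real extracts on a fixed schedule and keep the output with the access-review evidence: a zero-finding report dated each month is exactly the "evidence it is being followed" an auditor asks for, and a non-zero one is the remediation ticket you raise before the auditor finds it.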
4.4 — Privileged User Access
Purpose: To restrict, monitor, and review administrative access that could modify systems, data, or security configurations.
What DSPT requires:
- Dedicated admin accounts separate from standard user accounts
- A formal approval process for granting privileged access
- Monitoring and regular review of privileged activity
Evidence auditors look for:
- Privileged Access Register listing all admin accounts and their owners
- Change control or ticketing records showing approval before access was granted
- PAM (Privileged Access Management) tool logs or equivalent session records
- Evidence of regular review — who has privilege, when it was last reviewed, and any removals
- Policy prohibiting use of admin accounts for day-to-day activity
Best practice: Use just-in-time (JIT) access controls where possible. Implement session recording for admin actions on critical systems. Ensure all privileged accounts are covered in access reviews.
Related standards: ISO 27001 (2022) A.8.2 — Privileged access rights; NCSC Privileged Access Guidance
6.1 — Incident and Near-Miss Reporting
Purpose: To ensure all staff can confidentially report data security incidents and near misses, and that these are investigated and used to drive improvement.
What DSPT requires:
- A confidential reporting mechanism accessible to all staff
- A defined process for logging, categorising, escalating, and investigating incidents
- Evidence that lessons learned are fed back to staff
Evidence auditors look for:
- Incident log or service desk records showing incidents are being captured and categorised
- A clearly documented incident reporting policy, including the reporting mechanism (e.g. a helpdesk form, a dedicated inbox, or a named contact)
- Training materials or communications encouraging staff to report — including near misses
- Post-incident review documentation showing root cause analysis and actions
- Evidence that incidents are escalated to the ICO where legally required (within 72 hours of becoming aware of a notifiable breach)
Best practice: Run regular awareness campaigns promoting a "report, don't hide" culture. Near-miss data is often more valuable for prevention than incident data — make it easy and non-punitive to report.
Related standards: ISO 27001 (2022) A.6.8 — Information security event reporting; UK GDPR Article 33
6.3 — Vulnerability Management (Intelligence-Led)
Purpose: To ensure the organisation acts on vulnerability intelligence from trusted sources and applies lessons from past incidents.
What DSPT requires:
- Acting on vulnerability advice from NHS England (formerly NHS Digital) — the primary channel is the NHS Cyber Alert service (which replaced CareCERT Collect in 2020), supplemented by NCSC advisories
- A formal process for reviewing and acting on vulnerability advisories
- Evidence that lessons from previous incidents and near misses are applied
Evidence auditors look for:
- Registration and active use of the NHS Cyber Alert service (digital.nhs.uk/services/respond-to-an-nhs-cyber-alert) — auditors will look for evidence that high-severity alerts are being received and acted upon
- NCSC Early Warning Service registration as a supplementary source
- A documented vulnerability advisory review process with named owner
- Records showing specific alerts were received, reviewed, and acted upon (or risk-accepted with SIRO sign-off)
- Post-incident or near-miss review logs showing lessons identified and actions taken
- Patch or remediation records demonstrating follow-through from advisories
Best practice: Track all advisories against your asset inventory. Where an advisory cannot be remediated promptly, ensure the risk is formally accepted and reviewed rather than silently ignored.
Related standards: ISO 27001 (2022) A.8.8 — Management of Technical Vulnerabilities; NCSC Vulnerability Management Guidance
7.2 — Continuity and Disaster Recovery Testing
Purpose: To confirm the organisation can recover its data and services following a disruption, and that recovery plans are tested and up to date.
What DSPT requires:
- A Business Continuity Plan (BCP) and Disaster Recovery (DR) Plan in place and regularly tested
- Defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
- Annual testing of recovery processes with documented outcomes
- Plans updated to reflect lessons from testing and real incidents
Evidence auditors look for:
- Current BCP and DR plan documents with version control and SIRO/board sign-off
- Test reports — including date, scope, participants, outcomes, and any failures or gaps identified
- Lessons-learned logs showing how test outcomes fed into plan updates
- Evidence of backup testing — not just that backups are taken, but that restoration has been validated
- Communication plans for patients, staff, and regulators included in DR scenarios
Best practice: Test both IT recovery and business process recovery. Ensure backups are not solely reliant on cloud platforms such as OneDrive or SharePoint — a resilient backup strategy should follow the 3-2-1 principle (three copies, two different media, one offsite).
Related standards: ISO 27001 (2022) A.5.29–A.5.30; NHS DSPT Business Continuity Requirements
7.3 — Incident Response Capability
Purpose: To ensure the organisation can detect, contain, and recover from cyber incidents rapidly, with access to timely and accurate information throughout.
What DSPT requires:
- A documented and tested Incident Response Plan (IRP)
- A trained incident response team with defined roles
- Access to monitoring data and logs to support response decisions during an incident
Evidence auditors look for:
- Current Incident Response Plan with version history and sign-off
- Tabletop exercise records — date, participants, scenario, outcomes
- Defined escalation flowcharts and incident playbooks (e.g. for ransomware, data breach, system compromise)
- Evidence of live or simulated testing — at least annually
- SIEM, log management, or equivalent monitoring system demonstrating alerting capability
- Communication plan for patients, staff, regulators, and the NHS during a live incident
Best practice: Conduct at least one live simulation each year in addition to tabletop exercises. Define in advance who communicates with NHS England, the ICO, and affected parties — do not leave this to be decided during a crisis.
Related standards: ISO 27035; NCSC Incident Management Guidelines
8.3 — Patch Management
Purpose: To keep all systems on supported software versions and ensure security patches are applied promptly, particularly for critical and high-risk vulnerabilities.
What DSPT requires (key sub-assertions):
- Systems receive updates regularly, with a documented approach agreed by the SIRO (8.3.1, 8.3.3)
- Critical or high-risk patches applied within 14 days, or the risk is formally assessed, documented, accepted, and signed off by the SIRO with auditor agreement (8.3.4)
- Where a critical/high-risk patch has not been applied, technical remediation and risk management must be documented (8.3.5)
- Active use of Advanced Threat Protection (e.g. Microsoft Defender for Endpoint) with regular alert review (8.3.6)
- 95% of servers and 98% of desktops on supported OS versions, or a SIRO-approved plan to achieve this (8.3.7)
- Registered for and actively using the NCSC Early Warning Service (8.3.8)
Evidence auditors look for:
- Patch management policy signed off by the SIRO
- Patch deployment logs from WSUS, SCCM, Intune, or equivalent
- Vulnerability scanner reports confirming patch status before and after deployment cycles
- Asset inventory showing OS versions across servers and desktops (with coverage percentages)
- Microsoft Defender for Endpoint (or equivalent ATP) dashboard screenshots showing active alerts review
- NCSC Early Warning Service registration confirmation
- Exception register for any patches not applied within 14 days, with documented risk acceptance
Best practice: Automate patch deployment and reporting wherever possible. Track exceptions formally — an auditor finding an unpatched critical vulnerability with no corresponding risk register entry is a significant finding.
Related standards: ISO 27001 (2022) A.8.8; Cyber Essentials Plus (Security Update Management)
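The two numbers an auditor will ask for under 8.3 are the supported-OS coverage against the 95%/98% thresholds (8.3.7) and the list of critical or high patches outstanding beyond 14 days without a SIRO-signed exception (8.3.4 and 8.3.5). The script below is an added example, not code from the page or from any DSPT tooling. It works on three constructed CSV extracts whose column names are assumptions: an asset inventory in which the `supported` flag has already been populated from vendor lifecycle data, a patch deployment extract, and an exception register. Both checks are kept in one place because they are reported against the same inventory.

```python
import csv
import io
from datetime import datetime

SERVER_TARGET = 0.95   # 8.3.7: 95% of servers on a supported OS
DESKTOP_TARGET = 0.98  # 8.3.7: 98% of desktops on a supported OS
PATCH_SLA_DAYS = 14    # 8.3.4: critical/high patches applied within 14 days

# Constructed inventory (example data, not from the page). The `supported`
# flag is assumed to come from vendor lifecycle data upstream of this script.
ASSETS_CSV = """hostname,class,os,supported
srv-01,server,Windows Server 2022,true
srv-02,server,Windows Server 2019,true
srv-03,server,Windows Server 2012 R2,false
srv-04,server,Ubuntu 22.04 LTS,true
srv-05,server,RHEL 9,true
desk-01,desktop,Windows 11,true
desk-02,desktop,Windows 11,true
desk-03,desktop,Windows 11,true
desk-04,desktop,Windows 11,true
desk-05,desktop,macOS 15,true
"""

# Constructed patch extract: one row per patch per host. `applied` is empty
# while the patch is still outstanding. Patch IDs are placeholders.
PATCHES_CSV = """patch_id,hostname,severity,released,applied
PATCH-EX-1,srv-01,critical,2025-10-01,2025-10-05
PATCH-EX-2,srv-02,critical,2025-10-01,
PATCH-EX-3,srv-03,high,2025-09-20,
PATCH-EX-4,desk-01,low,2025-09-01,
PATCH-EX-5,srv-04,high,2025-09-25,2025-10-18
"""

# Constructed exception register: outstanding patches formally risk-accepted.
EXCEPTIONS_CSV = """patch_id,hostname,risk_owner,signed_off,review_by
PATCH-EX-3,srv-03,SIRO,2025-10-03,2026-01-03
"""


def _day(text):
    return datetime.strptime(text, "%Y-%m-%d").date()


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def os_coverage(assets_csv):
    """Share of each device class on a supported OS, against the 8.3.7 targets."""
    counts = {"server": [0, 0], "desktop": [0, 0]}  # [supported, total]
    for r in _rows(assets_csv):
        cls = r["class"].strip().lower()
        if cls not in counts:
            continue  # network gear, printers etc. are out of scope for 8.3.7
        counts[cls][1] += 1
        counts[cls][0] += r["supported"].strip().lower() == "true"
    targets = {"server": SERVER_TARGET, "desktop": DESKTOP_TARGET}
    report = {}
    for cls, (ok, total) in counts.items():
        ratio = ok / total if total else 0.0
        report[cls] = {"supported": ok, "total": total, "ratio": ratio,
                       "target": targets[cls], "meets_target": ratio >= targets[cls]}
    return report


def sla_breaches(patches_csv, exceptions_csv, as_of):
    """Critical/high patches that took, or have taken so far, more than 14 days.

    Each breach records whether the patch was eventually applied and whether a
    risk-acceptance entry exists for it. Still-open breaches are measured to
    `as_of` (ISO date); applied-late ones to the application date.
    """
    as_of_day = _day(as_of)
    accepted = {(r["patch_id"], r["hostname"]) for r in _rows(exceptions_csv)}
    breaches = []
    for p in _rows(patches_csv):
        if p["severity"].strip().lower() not in ("critical", "high"):
            continue
        end = _day(p["applied"]) if p["applied"] else as_of_day
        age = (end - _day(p["released"])).days
        if age <= PATCH_SLA_DAYS:
            continue
        breaches.append({"patch_id": p["patch_id"], "hostname": p["hostname"],
                         "days_outstanding": age, "applied": bool(p["applied"]),
                         "risk_accepted": (p["patch_id"], p["hostname"]) in accepted})
    return breaches


def unmanaged(breaches):
    """Breaches with no exception entry: the finding an auditor will write up."""
    return [b for b in breaches if not b["risk_accepted"]]


if __name__ == "__main__":
    print(os_coverage(ASSETS_CSV))
    found = sla_breaches(PATCHES_CSV, EXCEPTIONS_CSV, "2025-10-20")
    print("breaches:", found)
    print("unmanaged:", unmanaged(found))
```

In the constructed data the servers come out at 80% (one Windows Server 2012 R2 host) and fail the 95% target while desktops pass, and two of the three SLA breaches have no exception entry. Note that a patch applied late still counts: the 14-day clock runs from release, so an exception raised after the fact does not make the original breach disappear from the record.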
8.4 — Vulnerability Management (Network Focus)
Purpose: To identify and mitigate technical weaknesses across networks and systems before they can be exploited.
What DSPT requires (key sub-assertions):
- Infrastructure protected from common cyber attacks through secure configuration and patching (8.4.1)
- All infrastructure running supported, patched software; unsupported devices isolated with risk formally assessed and signed off by the SIRO (8.4.2)
- A current understanding of hardware and software exposure to publicly known vulnerabilities (8.4.3)
Evidence auditors look for:
- Vulnerability scan outputs with risk ratings (e.g. from Tenable, Qualys, Rapid7, or equivalent)
- Remediation tracker or risk register showing vulnerabilities tracked to closure or formal acceptance
- Penetration test results — typically annual external testing as a minimum
- Asset inventory showing all devices and their support/patch status
- CVE tracking process or tooling demonstrating awareness of public vulnerability disclosures
- Isolation evidence for any unsupported devices (e.g. network segmentation records, firewall rules)
- SIRO sign-off for any risk-accepted unsupported systems
Best practice: Integrate vulnerability scan results into your SIEM or ticketing platform so nothing falls through the gap between discovery and remediation.
Related standards: ISO 27001 (2022) A.8.8; NCSC 10 Steps — Vulnerability Management
9.3 — System Security
Purpose: To protect systems handling sensitive information or critical services from exploitation of known vulnerabilities.
What DSPT requires (key sub-assertions):
- All web applications protected against OWASP Top 10 vulnerabilities (9.3.1)
- Web filtering/DNS protection preventing access to malicious websites (9.3.3)
- DNS change controls — only strongly authenticated and authorised administrators can modify authoritative DNS entries (9.3.4)
- All IP ranges in use across the organisation documented (9.3.5)
- Data in transit (including email) protected using encryption such as TLS (9.3.6)
- A documented data security assurance process for medical devices connected to the network (9.3.9)
Evidence auditors look for:
- Penetration test or web application assessment results confirming OWASP Top 10 coverage
- Web filtering solution configuration (e.g. Cisco Umbrella, Zscaler, Microsoft Defender for Endpoint web protection) with evidence it is active
- DNS provider MFA configuration evidence and change control records for DNS updates
- IP range register or asset management documentation covering all network ranges in use
- Email security configuration evidence: TLS enforcement, DMARC, DKIM, and SPF records
- TLS certificate inventory and encryption policy
- Medical device security assurance process documentation — particularly relevant for suppliers whose products connect to NHS clinical networks
Best practice: 9.3.9 (medical devices) is frequently a gap for IT suppliers. If any of your products connect to NHS networks or handle clinical data, ensure you have a documented security assurance process — even if it is lightweight, the absence of any process is an automatic finding.
Related standards: ISO 27001 (2022) A.8.9, A.8.23; NCSC System Hardening Guidance; OWASP Top 10
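For 9.3.6 the DNS records are the evidence, and an auditor will read them rather than take a screenshot of a mail-filter dashboard on trust. The checker below is an added example, not code from the page or from any DSPT tooling: given the SPF, DMARC and DKIM TXT record strings for a domain (the constructed records here use reserved example names), it reports the configuration weaknesses most often found in an evidence pack. It runs offline on record text; in practice you would feed it the output of a TXT lookup against your own domain, `_dmarc.<domain>` and `<selector>._domainkey.<domain>`.

```python
# Mechanisms whose evaluation costs a DNS lookup. RFC 7208 caps these at 10
# per SPF evaluation; this counts only the top-level record, so nested
# include: records can still push a passing count over the limit.
_LOOKUP_PREFIXES = ("include:", "exists:", "redirect=", "a:", "mx:", "ptr:", "a/", "mx/")
_LOOKUP_BARE = ("a", "mx", "ptr")


def check_spf(record):
    """Return a list of issues with an SPF TXT record (empty list means pass)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    body = terms[1:]
    issues = []
    # The terminal 'all' decides what happens to senders matched by nothing
    # above it: -all rejects, ~all only soft-fails, +all / ?all authorise anyone.
    last = body[-1].lower() if body else ""
    if last in ("+all", "all", "?all"):
        issues.append(f"'{last}' authorises any sender; use -all")
    elif last == "~all":
        issues.append("~all soft-fail; prefer -all once sending sources are confirmed")
    elif last != "-all" and not any(t.lower().startswith("redirect=") for t in body):
        issues.append("no terminal 'all' mechanism")
    lookups = 0
    for term in body:
        t = term.lstrip("+-~?").lower()
        if t.startswith(_LOOKUP_PREFIXES) or t in _LOOKUP_BARE:
            lookups += 1
        if t == "ptr" or t.startswith("ptr:"):
            issues.append("ptr mechanism is deprecated (RFC 7208 section 5.5)")
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup mechanisms; RFC 7208 permits at most 10")
    return issues


def _tags(record):
    """Parse 'k=v; k=v' tag lists as used by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc(record):
    """Return a list of issues with a _dmarc TXT record (empty list means pass)."""
    tags = _tags(record)
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        issues.append(f"p={policy or '(missing)'}: receivers take no enforcement action")
    if "rua" not in tags:
        issues.append("no rua= address, so aggregate reports are not being collected")
    pct = tags.get("pct", "100")
    if pct != "100":
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    sub = tags.get("sp", policy).lower()  # sp defaults to p when absent
    if sub not in ("quarantine", "reject"):
        issues.append(f"subdomain policy sp={sub or '(none)'} is unenforced")
    return issues


def check_dkim(record):
    """Return a list of issues with a selector._domainkey TXT record."""
    tags = _tags(record)
    issues = []
    if "v" in tags and tags["v"] != "DKIM1":
        issues.append(f"unexpected version tag v={tags['v']}")
    if not tags.get("p"):
        issues.append("empty or missing p= tag: key is revoked, so signatures cannot verify")
    if "y" in tags.get("t", "").split(":"):
        issues.append("t=y testing flag set; receivers may ignore signature failures")
    return issues


if __name__ == "__main__":
    # Constructed records for a reserved example domain.
    print(check_spf("v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"))
    print(check_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.org"))
    print(check_dkim("v=DKIM1; k=rsa; p="))
```

A clean run of all three checks, saved alongside the records themselves and the date they were queried, is straightforward evidence for the email part of 9.3.6; the TLS side (enforced inbound and outbound TLS, certificate inventory) still needs its own evidence.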
9.6 — Firewall Management
Purpose: To ensure firewalls effectively protect the organisation's network perimeters and that firewall configurations are well-managed and regularly reviewed.
What DSPT requires (key sub-assertions):
- Firewalls installed at all internal network boundaries (9.6.1)
- Firewall admin interface not accessible from the internet, and protected by MFA or restricted to a specific IP address (9.6.2)
- All unauthenticated inbound connections blocked by default (9.6.3)
- All inbound firewall rules (other than default deny) documented with business justification and approved through change management (9.6.4)
- Firewall rulesets reviewed regularly and stale rules removed (9.6.5)
- Personal firewalls (or equivalent) enabled on all desktops and laptops, configured to block unapproved inbound connections by default (9.6.6)
Evidence auditors look for:
- Network diagram showing firewall placement at all network boundaries
- Firewall admin interface configuration confirming it is not internet-exposed (e.g. screenshot or configuration export)
- MFA configuration for firewall management access
- Ruleset documentation with business justification and change approval records
- Firewall ruleset review records — typically at minimum quarterly
- Evidence of stale rule removal (before/after review comparisons)
- Endpoint management configuration confirming personal firewalls are enforced (e.g. Intune compliance policy reports)
Best practice: 9.6.2 (admin interface exposure) is one of the most common audit findings. Verify that your firewall management portal cannot be reached from the internet — even if it requires authentication, internet-accessible management planes are a finding.
Related standards: ISO 27001 (2022) A.8.20–A.8.22; NCSC Boundary Firewall Guidance; Cyber Essentials (Firewalls)
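The quarterly ruleset review under 9.6.4 and 9.6.5, and the admin-interface exposure check under 9.6.2, are easier to evidence when the review is a repeatable script over a ruleset export than a manual read-through. The review below is an added example, not code from the page or from any firewall vendor: it runs over a constructed inbound ruleset whose field names (`src`, `dst`, `port`, `justification`, `ticket`, `last_hit`) are assumptions to be mapped from your own export, with the firewall's own interface addresses and its management ports also supplied as assumptions. It flags rules with no business justification or change ticket, any-source allows reaching the management plane, any-source allows to remote-access ports, rules that have not matched traffic inside the review window, and a ruleset that does not end in an explicit default deny.

```python
import ipaddress
from datetime import datetime

FIREWALL_ADDRESSES = {"203.0.113.1"}  # assumption: the firewall's own interface IPs
MANAGEMENT_PORTS = {22, 443, 8443}    # assumption: ports its admin UI / SSH listen on
REMOTE_ACCESS_PORTS = {22, 23, 3389, 445, 5900}  # never acceptable from any-source
STALE_AFTER_DAYS = 90                 # assumption: one review cycle with no hits

# Constructed inbound ruleset export (example data, not from the page).
# last_hit is empty when the rule has never matched traffic.
RULES = [
    {"id": "R1", "action": "allow", "src": "0.0.0.0/0", "dst": "203.0.113.10", "port": 443,
     "justification": "Public HTTPS for the patient-facing portal", "ticket": "CHG-EX-101",
     "last_hit": "2025-10-19"},
    {"id": "R2", "action": "allow", "src": "0.0.0.0/0", "dst": "203.0.113.1", "port": 443,
     "justification": "", "ticket": "", "last_hit": "2025-10-18"},
    {"id": "R3", "action": "allow", "src": "198.51.100.0/24", "dst": "203.0.113.1", "port": 22,
     "justification": "Admin SSH from office range", "ticket": "CHG-EX-102",
     "last_hit": "2025-10-19"},
    {"id": "R4", "action": "allow", "src": "0.0.0.0/0", "dst": "203.0.113.20", "port": 3389,
     "justification": "Temporary vendor access", "ticket": "CHG-EX-090",
     "last_hit": "2025-05-02"},
    {"id": "R5", "action": "allow", "src": "192.0.2.0/24", "dst": "203.0.113.30", "port": 8080,
     "justification": "Legacy integration", "ticket": "CHG-EX-050", "last_hit": ""},
    {"id": "R99", "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": "any",
     "justification": "Default deny", "ticket": "CHG-EX-001", "last_hit": "2025-10-19"},
]


def _is_any(cidr):
    """True for an unrestricted source or destination (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def review_rules(rules, as_of, stale_after=STALE_AFTER_DAYS):
    """Review an ordered inbound ruleset and return findings keyed by check.

    `as_of` is the ISO date of the review; `last_hit` ages are measured to it.
    """
    as_of_day = datetime.strptime(as_of, "%Y-%m-%d").date()
    findings = {"undocumented": [], "internet_to_management": [],
                "internet_to_remote_access": [], "stale": [], "no_default_deny": False}
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and _is_any(last["src"]) and _is_any(last["dst"])):
        findings["no_default_deny"] = True  # 9.6.3: unauthenticated inbound must be denied by default
    for r in rules:
        if r["action"] != "allow":
            continue
        if not r["justification"].strip() or not r["ticket"].strip():
            findings["undocumented"].append(r["id"])  # 9.6.4
        if _is_any(r["src"]):
            if r["dst"] in FIREWALL_ADDRESSES and r["port"] in MANAGEMENT_PORTS:
                findings["internet_to_management"].append(r["id"])  # 9.6.2
            if r["port"] in REMOTE_ACCESS_PORTS:
                findings["internet_to_remote_access"].append(r["id"])
        if not r["last_hit"]:
            findings["stale"].append(r["id"])  # 9.6.5: never matched
        else:
            age = (as_of_day - datetime.strptime(r["last_hit"], "%Y-%m-%d").date()).days
            if age > stale_after:
                findings["stale"].append(r["id"])
    return findings


if __name__ == "__main__":
    for check, hits in review_rules(RULES, "2025-10-20").items():
        print(f"{check}: {hits}")
```

In the constructed ruleset, R2 is the 9.6.2 finding the best-practice note above warns about (HTTPS from anywhere to the firewall's own address, with no justification either), R4 exposes RDP to the internet and has not matched traffic in months, and R5 has never matched at all. Keep the script output from each review with the before-and-after rule counts: that pair is the "evidence of stale rule removal" auditors ask for.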
10.1 — Supplier Assurance
Purpose: To ensure the organisation knows who its suppliers are, what they deliver, and that third-party contracts involving personal data meet legal requirements.
What DSPT requires (key sub-assertions):
- An up-to-date supplier register that identifies which suppliers process personal data or provide critical IT services, including product/service details, contact details, and contract durations (10.1.1)
- All contracts with third parties handling personal information are compliant with ICO guidance, including UK GDPR-compliant data processing agreements (10.1.2)
Evidence auditors look for:
- Supplier register / third-party inventory — current, version-controlled, and reviewed at least annually
- The register should explicitly flag which suppliers: (a) process personal data, and (b) provide IT services on which critical NHS services rely
- Signed Data Processing Agreements (DPAs) or Data Processing Addendums for all relevant suppliers
- Contracts reviewed against ICO guidance on data processor obligations
- Contract expiry dates tracked and renewals managed proactively
Note on 10.1 vs 10.2: 10.1 is about having the register and compliant contracts. Evidence of supplier security certifications (DSPT status, CE+, ISO 27001) is relevant to assertion 10.2 (due diligence), not 10.1 — ensure your evidence pack maps correctly.
Best practice: Tier suppliers by risk level — those processing special category data or providing infrastructure that NHS services depend on should receive closer scrutiny. Include cyber security clauses in all new contracts.
Related standards: ISO 27001 (2022) A.5.19–A.5.21; ICO Guidance on Data Processors; NCSC Supply Chain Security Guidance
Preparing for your audit
Your final DSPT submission is due by 30 June 2026. Most auditors recommend booking from January 2026 onwards to avoid the bottleneck in the weeks before the deadline — the audit must be completed and uploaded to the DSPT portal before the submission deadline.
Key preparation steps:
- Map your existing controls and documentation against each of the 12 assertions now
- Identify evidence gaps early — penetration tests, firewall reviews, DR tests, and access reviews all take time to schedule
- Scope your audit correctly — focus on the systems, processes, and people involved in handling health and care data, not your entire business
- Create a single evidence pack that links each piece of evidence to its specific assertion and sub-assertion
- Ensure your SIRO is visibly involved in risk decisions, not just signing off completed paperwork
- If you hold Cyber Essentials Plus or ISO 27001, confirm the certification scope covers your NHS-relevant services — it may reduce duplication of evidence but does not remove the audit requirement
Periculo is a cybersecurity consultancy specialising in NHS DSPT independent audits for IT Suppliers.