Purpose:
To ensure that data security and protection have clear ownership at senior level. Leadership must actively oversee compliance, not delegate it entirely to IT or compliance staff.
Requirements:
A named Data Protection Officer (DPO) or Senior Information Risk Owner (SIRO)
Documented information governance structure and reporting lines
Regular reviews of data security performance at board or senior management level
Evidence Examples:
Governance meeting minutes
IG policy and organogram
Annual data security report signed by the SIRO
Best Practice Tips:
Include DSPT progress as a standing agenda item at leadership meetings
Use dashboards or KPIs for visibility
Related Standards: ISO 27001 A.5 (Leadership & Commitment), NCSC Cyber Governance Guidance

Purpose:
To ensure users have the correct access at all times and that unauthorised access is prevented.
Requirements:
Documented Joiners, Movers, Leavers (JML) process
Multi-factor authentication (MFA) for all critical systems
Regular access reviews (at least quarterly)
Evidence Examples:
User access logs and audit trails
Policy defining least-privilege principles
MFA configuration reports
Best Practice Tips:
Automate account provisioning and removal
Implement role-based access control (RBAC)
Related Standards: ISO 27001 A.9, Cyber Essentials Plus (User Access Control)

Purpose:
To restrict and monitor administrative access that could modify systems or data.
Requirements:
Dedicated admin accounts, separate from user accounts
Approval process for granting privileged access
Monitoring and review of privileged activity
Evidence Examples:
Privileged Access Register
PAM (Privileged Access Management) system logs
Change control or ticketing records
Best Practice Tips:
Use just-in-time access tools
Implement session recording for admin actions
Related Standards: ISO 27001 A.9.2, NCSC Principle 3 (Access Control)

Purpose:
To ensure incidents are captured, investigated, and used to drive improvement.
Requirements:
A confidential reporting mechanism accessible to all staff
Defined process for logging, categorising, and escalating incidents
Feedback loop to staff on outcomes and lessons learned
Evidence Examples:
Incident logs or service desk reports
Training materials encouraging reporting
Post-incident review documentation
Best Practice Tips:
Run awareness campaigns promoting “report, don’t hide”
Use near-miss data to prevent future breaches
Related Standards: ISO 27001 A.16, NHS Digital Incident Reporting Guidelines

Purpose:
To ensure known vulnerabilities are addressed promptly and effectively.
Requirements:
Formal patching and remediation policy
Monitoring of NHS Digital alerts (CareCERT)
Lessons learned from prior incidents are applied to remediation
Evidence Examples:
Patch deployment schedules
Vulnerability scans before and after remediation
Change control documentation
Best Practice Tips:
Track vulnerabilities via a risk register
Prioritise critical patches within 14 days
Related Standards: ISO 27001 A.12.6, NCSC Vulnerability Management Guidance

Purpose:
To confirm the organisation can recover data and services following a disruption.
Requirements:
Business Continuity Plan (BCP) and Disaster Recovery (DR) Plan in place
Annual testing of recovery processes
Clear Recovery Time and Recovery Point Objectives (RTO/RPO)
Evidence Examples:
Test reports and outcomes
Lessons-learned logs
Board sign-off on plan updates
Best Practice Tips:
Test both IT and business recovery
Include communications and stakeholder updates in scenarios
Related Standards: ISO 27001 A.17, NHS DSPT Business Continuity Requirements

Purpose:
To ensure the organisation can detect, contain, and recover from cyber incidents rapidly.
Requirements:
Documented Incident Response Plan (IRP)
Trained incident response team
Access to monitoring and forensic data
Evidence Examples:
Tabletop exercise records
Escalation flowcharts
Incident playbooks
Best Practice Tips:
Conduct at least one live simulation annually
Define communication plans for patients, staff, and regulators
Related Standards: ISO 27035, NCSC Incident Management Guidelines

Purpose:
To keep all systems supported and up to date.
Requirements:
Central patch management policy
Monthly patching cycle or as per vendor guidance
Records of verification and success rates
Evidence Examples:
Patch deployment logs
Reports from WSUS/SCCM/Intune or equivalent tools
Vulnerability scanner validation
Best Practice Tips:
Maintain asset inventory to track patch status
Automate patch reporting and exceptions
Related Standards: ISO 27001 A.12.6, Cyber Essentials Plus (Security Update Control)

Purpose:
To identify and mitigate technical weaknesses before attackers exploit them.
Requirements:
Regular vulnerability scans of networks and systems
Documented remediation workflows
Executive reporting on remediation progress
Evidence Examples:
Scanner outputs and risk ratings
Remediation tracker logs
Penetration test results
Best Practice Tips:
Schedule quarterly internal scans and annual external penetration tests
Integrate results into SIEM or ticketing platforms
Related Standards: ISO 27001 A.12.6, NCSC 10 Steps – Vulnerability Management

Purpose:
To protect critical systems and applications from exploitation.
Requirements:
Hardened configurations and secure builds
Patch compliance and monitoring
Regular security assessments
Evidence Examples:
Secure configuration checklists
Test results for clinical or operational systems
Penetration test reports
Best Practice Tips:
Apply CIS or NCSC hardening benchmarks
Implement configuration drift monitoring
Related Standards: ISO 27001 A.14, NCSC System Hardening Guidance

Purpose:
To ensure firewalls effectively protect the organisation from external threats.
Requirements:
Documented firewall policy
Change control for rule updates
Regular review of configurations and logs
Evidence Examples:
Firewall configuration review reports
Change-request tickets
Monitoring alerts or log summaries
Best Practice Tips:
Conduct quarterly rule-set reviews
Use intrusion-prevention and application-layer filtering
Related Standards: ISO 27001 A.13, NCSC Boundary Protection Guidance

Purpose:
To ensure all third-party suppliers meet data-security expectations.
Requirements:
Supplier register with contract details and risk ratings
Evidence of DSPT, CE+, or ISO 27001 compliance
Annual supplier assurance reviews
Evidence Examples:
Supplier assurance questionnaires
Signed data-processing agreements
Certificates of compliance
Best Practice Tips:
Tier suppliers by risk level
Include cyber clauses in all new contracts
Related Standards: ISO 27036, NCSC Supply Chain Security Guidance