The new DSPT for 2024/2025 is now aligned to the NCSC Cyber Assessment Framework (CAF). This is version 7 of the DSPT.
Organisations are required to have an independent audit assessment against the agreed CAF-aligned DSPT audit framework.
Dionach can provide these independent assessments, which are required to validate self-assessment outcomes. There are independent assessment guides for the two groups that require assessments:
- IT Suppliers and OES Independent providers
- NHS Trusts, Arm’s Length Bodies, Integrated Care Boards and Commissioning Support Units
NHS Trusts (Acute, Foundation, Ambulance and Mental Health), Integrated Care Boards, Commissioning Support Units and DHSC Arm’s Length Bodies
These organisations have a set of mandatory outcomes along with other outcomes chosen by the organisation. The mandatory outcomes are:
- a – Risk management process
- a – Supply chain
- a – Identity verification, authentication and authorisation
- d – Vulnerability management
- a – Monitoring coverage
- a – Response plan
- b – Consent
- a – Using and sharing information for direct care
Operators of Essential Service and IT Suppliers
These organisations require an independent audit following a defined process and report template, with the mandated scope as follows:
- 1 The organisation has a framework in place to support Lawfulness, Fairness and Transparency (except 1.1.7 and 1.1.8)
- 2 Staff contracts set out responsibilities for data security
- 1 Staff have appropriate understanding of information governance and cyber security, with an effective range of approaches taken to training and awareness
- 2 Your organisation engages proactively and widely to improve data security, and has an open and just culture for data security incidents
- 5 You ensure your passwords are suitable for the information you are protecting
- 1 Process reviews are held at least once per year where data security is put at risk and following DS incidents
- 2 All user devices are subject to anti-virus protections, while email services benefit from spam filtering and protection deployed at the corporate gateway
- 1 Organisations have a defined, planned and communicated response to Data security incidents that impact sensitive information or key operational services
- 2 Unsupported software and hardware is categorised and documented, and data security risks are identified and managed
- 2 A penetration test has been scoped and undertaken
- 5 You securely configure the network and information systems that support the delivery of essential services
- 6 The organisation is protected by a well-managed firewall
- 2 Basic due diligence has been undertaken against each supplier that handles personal information
The report will include risk ratings for the 10 controls and an overall risk rating.
Summary
NHS England expects the independent assessments to be completed between January and June 2025, with self-assessment submission by 30 June 2025.
Dionach provides independent assessments against the DSPT CAF – contact Dionach to arrange a call to see how we can help you.
References:
NHS England DSPT CAF Guidance
NHS England Independent Assessment Guides
https://www.dsptoolkit.nhs.uk/Help/Independent-Assessment-Guides
NCSC Cyber Assessment Framework (CAF)
https://www.ncsc.gov.uk/collection/cyber-assessment-framework