Assertions and evidence items - including updated ISO 27001 exemptions (Updated 04 December 2018)

For reference, the assertions and evidence items which constitute the Data Security and Protection Toolkit assessment are included in the attached Excel file.


Organisation types are listed in a separate tab on the spreadsheet.


Where an evidence item is not applicable to an organisation type, the relevant cell is blank.


Version control:

V5.1 (4th May 2018) – updated to clarify that Cyber Essentials PLUS is the relevant standard to exempt a number of evidence items.


V5.2 (24th October 2018) – Document updated to reflect that, following a review, Local Authorities who have valid PSN certification will receive exemptions from an additional 22 evidence items. Exemptions for 6 evidence items under assertions 6.1 and 6.3 have been removed.

The spreadsheet also includes updated wording to ‘tool tips’ where applicable and the addition of pharmacy GDPR Workbook exemptions. See the version control tab for more details.

V5.3 (4th December 2018) – Where a Company or Arms-Length Body holds ISO27001 with a scope encompassing ALL health and care data processing, applicable evidence items will be marked as complete. The mapping of ISO27001 to DSPT evidence items in the attached document has been updated.


Supporting Documents