Background:

All DSPT independent assessment/audit providers for IT Suppliers, and Independent Providers who have been designated Operators of Essential Service, must follow the 24-25 guidance  at: DSPT Independent Assessment Guides. 

A summary of audit arrangements for NHS Trusts (Acute, Foundation, Ambulance and Mental Health), Integrated Care Boards, Commissioning Support Units and DHSC Arm’s Length Bodies has been launched, with detailed guidance to follow in a couple of weeks (mid December 2024). 

Summary Guide available at: DSP Toolkit - CAF Summary Audit Guide v7 24-25 v1.0

Scope of audit for NHS Trusts (Acute, Foundation, Ambulance and Mental Health), Integrated Care Boards, Commissioning Support Units and DHSC Arm’s Length Bodies.

There is a total of 47 outcomes in the CAF-aligned DSPT, which will all be assessed over a multi-year period. Each year, a selection of outcomes from across the five objectives will be tested by independent assessment providers. NHSE will mandate a common core set outcomes to be assessed for all organisations that undertake the CAF-aligned DSPT, while a further four outcomes will be selected by individual organisations. These outcomes should be approved by the Board of each organisation (or peson with delegated responsibility), and will reflect areas of concern that warrant additional assurance over the controls in place during that audit period.

Mandatory Outcomes

A2.a Risk management process
Your organisation has effective internal processes for managing risks to the security and governance of information, systems and networks related to the operation of your essential function(s) and communicating associated activities. This includes a process for data protection impact assessments (DPIAs).

A4.a Supply chain
The organisation understands and manages security and IG risks to information, systems and networks supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used.

B2.a - Identity verification, authentication and authorisation
You robustly verify, authenticate and authorise access to the information, systems and networks supporting your essential function(s).

B4.d - Vulnerability management
You manage known vulnerabilities in your network and information systems to prevent adverse impact on your essential function(s).

C1.a Monitoring coverage
The data sources that you include in your monitoring allow for timely identification of security events which might affect the operation of your essential function(s).

D1.a - Response plan
You have an up-to-date incident response plan that is grounded in a thorough risk assessment that takes account of your essential function(s) and covers a range of incident scenarios.

E2.b – Consent
You have a good understanding of requirements around consent and privacy, including the common law duty of confidentiality, and use these to manage consent.

E3.a Using and sharing information sharing for direct care
You lawfully and appropriately use and share information for direct care.

The purpose of the guidance is to enable better assurance of DSPT submissions by increasing standardisation and harmonisation across assessments. It will also facilitate a better understanding of data security and protection risk themes across the health and care system.  

It is mandated via the NHS Standard Contract and the DSPT requirement that the following organisations annually complete a DSPT audit/independent assessment following this guidance:

- Independent Providers who have been designated Operators of Essential Service.

- IT Suppliers

Organisational Requirements:

IT Suppliers (and Independent Providers that have been designated Operators of Essential Service) must ensure that their audit provider follows the mandated scope which, for this year, is set out in the DSPT Independent Assessment Guide and detailed below.

The scope applies to mandatory evidence items only and with the highlighted evidence items out of scope. Evidence items which are covered by an exemption for CE+ and/or ISO27001 will not require further auditing, once it is confirmed that the scope of the certification covers all the health and care data being processed.

1.1 The organisation has a framework in place to support Lawfulness, Fairness and Transparency (auditors are not required to include 1.1.7 and 1.1.8 in the audit scope)
2.2 Staff contracts set out responsibilities for data security
3.1 Staff have appropriate understanding of information governance and cyber security, with an effective range of approaches taken to training and awareness
3.2 Your organisation engages proactively and widely to improve data security, and has an open and just culture for data security incidents
4.5 You ensure your passwords are suitable for the information you are protecting 
5.1 Process reviews are held at least once per year where data security is put at risk and following DS incidents
6.2 All user devices are subject to anti-virus protections while email services benefit from spam filtering and protection deployed at the corporate gateway
7.1 Organisations have a defined, planned and communicated response to Data security incidents that impact sensitive information or key operational services
8.2 Unsupported software and hardware is categorised and documented, and data security risks are identified and managed 
9.2 A penetration test has been scoped and undertaken
9.5 You securely configure the network and information systems that support the delivery of essential services
9.6 The organisation is protected by a well-managed firewall
10.2 Basic due diligence has been undertaken against each supplier that handles personal information 

Organisational Audit provider requirement

Organisations shall ensure that their chosen audit provider is aware of the mandated framework which needs to be followed. The hallmark of the methodology is an output which includes: a risk rating against each of the 10 data security standards; an overall risk rating (based on the 10 individual ratings); and an overall confidence rating.

The example in the link below is from a previous year’s report (i.e. a different scope applies this year)

DSPT Audit Table.png

The presentation of these items can vary but it is vital that they are present, and that the framework is utilised in full

To meet the requirement, the DSPT audit functionality must be used.