NHS Data Security and Protection Toolkit (DSPT) Independent Audit
The NHS Data Security and Protection Toolkit (DSPT) Independent Audit is a mandatory, formal review of how organisations, including healthcare providers and IT suppliers, protect NHS patient data. Since 2024, the audit has been aligned with the UK Government’s Cyber Assessment Framework (CAF), raising the bar for cyber resilience and bringing health and care cybersecurity in line with wider critical national infrastructure standards.
The audit is based on CAF-aligned controls, which now underpin the DSPT’s implementation of the 10 National Data Guardian Standards. It covers a broad range of areas such as risk management, access control, data sharing, incident response, and cyber threat defence.
Organisations must first complete their DSPT self-assessment on the NHS Toolkit portal. If you are classified as a large organisation or an IT supplier handling NHS data, you are then subject to an annual third-party independent audit conducted by a qualified assessor. The audit confirms whether your submitted evidence truly meets DSPT’s CAF-aligned expectations, and whether key risks to NHS data are effectively managed.
We specialise in helping healthcare organisations and IT suppliers navigate the new CAF-aligned DSPT audit process. We can assist with readiness assessments, evidence alignment, risk gap analysis, and coordination of the independent audit, ensuring a confident, compliant outcome that supports your ongoing NHS contracts.
With the new DSPT audit framework grounded in the Cyber Assessment Framework, achieving compliance means showing operational and technical maturity. Whether you’re a care provider or an NHS IT supplier, passing the audit proves your organisation is serious about data protection and resilient to cyber threats.
Demonstrates cyber maturity in line with UK Critical National Infrastructure (CNI) standards, not just box-ticking.
Applies to large care organisations and IT suppliers hosting NHS data.
A gateway to gaining or retaining NHS data access and commercial engagements.
We handle everything from audit readiness to evidence mapping and assessor engagement.
Strengthens your position as a secure, trustworthy partner to the NHS.
Get in touch today to find out more about the NHS Data Security and Protection Toolkit (DSPT) Independent Audit, and how we can help your organisation.
Frequently asked questions
Since 2024, the audit has been aligned with the UK Cyber Assessment Framework (CAF), expanding focus from compliance to cyber resilience.
Large NHS providers and IT suppliers who declare “standards met” in the DSPT and handle NHS patient data.
The Cyber Assessment Framework is the UK’s official standard for assessing cyber risk in critical sectors like health, energy, and finance. NHS England now uses it to benchmark DSPT audit compliance.
Yes. IT suppliers managing, storing, or transmitting NHS data must undergo the audit.
We provide expert-led DSPT readiness reviews, evidence mapping to CAF, and support through the full audit lifecycle.
Yes. While ISO 27001 is helpful, the DSPT audit is NHS-specific and now aligned with CAF controls — including NHS data sharing, patient privacy, and operational resilience.
NHS England may downgrade your DSPT status, pause data access, or suspend contracts until remediation is complete.
Absolutely. We collaborate with your in-house IT and governance leads to ensure audit readiness from both a technical and policy perspective.
Yes. The DSPT and CAF standards reflect many legal obligations under UK GDPR and the Data Protection Act.
With good preparation, the audit typically takes 2–4 weeks from readiness to final report.
Musketeer Solutions
Business Director Peterborough, Management Consultancy East Anglia
We are incredibly pleased with the outstanding service provided by Rob Lancaster of StarSwift in supporting us through the Cyber Essentials certification process and delivering ongoing IT security services. Rob has worked with us for several years and established an excellent understanding of our business and requirements.
Hallinans
Namita, Managing Director
We were fortunate to be invited to work with Rob and he made the process seamless, straightforward and without the jargon and complication that often comes with computers and technology. Rob’s knowledge is first rate as is his swift communication and competitive pricing. Options were always provided to us along with reasoning and recommendation. Cannot recommend Rob and StarSwift highly enough.
Lone Star Analysis
Kat Simmonds, CoS
Well organised, Rob is very clear in his explanations and communicates well throughout the assessment.
Growth Studio Group
Andy Bennett, Director
Rob was extremely helpful and responsive to questions we had with our Cyber Essentials Certification. It made the whole process seamless.