
Purpose of the document

This guide aims to provide summary guidance for all stakeholders involved in the Cyber Assessment Framework (CAF)-aligned Data Security and Protection Toolkit (DSPT) independent assessments.

It outlines the use of the CAF-aligned DSPT independent assessment guide and framework (to be published in November 2024), and how these resources should be used to support the delivery of a successful CAF-aligned DSPT independent assessment.

This document also provides additional context and information on the changes taking place during the year 2024/25, as the objectives of the DSPT evolve to align closer to the CAF.

The contents of this document apply to the independent assessment arrangements of NHS trusts (acute, foundation, ambulance and mental health), integrated care boards (ICBs), commissioning support units (CSUs) and Department of Health and Social Care (DHSC) arm’s length bodies. 

More information will be made available in the NHS England (NHSE) DSPT independent assessment framework, to be published in November 2024. Further updates will be provided on the DSPT news page.    

Note for IT suppliers and independent providers who have been designated operators of essential services (OES)

For the year 2024/25, information technology (IT) suppliers and independent providers who have been designated operators of essential services (OES) will be required to undertake a non-CAF-aligned DSPT assessment, as in previous years. Find out more about the arrangements in place for these organisations.


Who the guide is for

CAF-aligned DSPT independent assessment providers

We recognise that a variety of organisations will be assessing the effectiveness of health and social care organisations’ cyber security and information governance (IG) control environments, including but not limited to providers of audit services.

The guide and its associated framework provide guidance materials to inform these assessments, enabling a consistent approach to be applied across the sector (in line with the requirements of NHSE and DHSC), while allowing each organisation or assessor to exercise professional judgement and knowledge of the organisation being assessed when establishing whether the outcomes have been met.

Health and social care boards

This guide will help boards understand the role of independent assessment providers in assessing the organisation's performance against the 5 objectives of the CAF-aligned DSPT.

The guide explains the requirements for arranging an independent assessment, and how this should support local assurance, as well as supporting assurance of legal and regulatory requirements, such as the UK General Data Protection Regulation (GDPR), the Network and Information Systems Regulations 2018, and national policies issued by NHSE and DHSC.

Understanding the independent assessment of the CAF-aligned DSPT supports boards in providing oversight for the organisation’s cyber and information security risk.

Senior information risk owners

It remains the responsibility of the senior information risk owner (SIRO) in each organisation to approve the CAF-aligned DSPT submission.

In the context of the CAF-aligned DSPT, this means the SIRO must give approval for the organisation’s scoping of their essential functions and final toolkit submission. This guide will provide information to help SIROs understand the differences in the assessment process between DSPT and CAF-aligned DSPT, helping them ensure their scoping of essential functions is appropriate.

Cyber security and information governance teams

This guide will help cyber security and information governance teams within the organisation understand the purpose of the CAF-aligned DSPT controls, and gives them the guidance needed to design and implement effective processes that align to those controls.

It will also support the teams in understanding the appropriate evidence to be collected and provided to the independent assessors during the assessment.

Caldicott Guardians, non-executive and executive directors

This guide will help Caldicott Guardians and directors understand how the independent assessment guide and framework can be used to monitor the cyber security and information governance controls included in the CAF-aligned DSPT, and the associated risks across the organisation.


Last edited: 24 October 2024 12:28 pm