Next steps – planning for your review
The following are suggested next steps to take ahead of the publication of the Cyber Assessment Framework (CAF)-aligned Data Security and Protection Toolkit (DSPT) independent assessment guide in November 2024.
These steps will enable your organisation to plan effectively for the review:
- Understand requirements - discuss with an independent assessor the timelines and requirements for an independent assessment to be conducted between January and May 2025, including staff requirements and financial resourcing.
- Understand CAF profile - review the CAF profile as set out for your organisation.
- Understand expected achievement levels - review the objectives, principles, outcomes, indicators of good practice (IGPs) and expected achievement levels for the assessment of your organisation, as set out in our Cyber Assessment Framework (CAF)-aligned Data Security and Protection Toolkit (DSPT) guidance.
- Update leadership - provide an update to the board and audit committee of your organisation, indicating expected timelines, scope of assessment and the results of the self-assessment.
Scope of assessment
There are 47 outcomes in total in the CAF-aligned DSPT, all of which will be assessed over a multi-year period. Each year, a selection of outcomes from across the 5 objectives will be tested by independent assessment providers. NHS England (NHSE) will mandate a common core set of outcomes to be assessed for all organisations that undertake the CAF-aligned DSPT, while a further number will be selected by individual organisations.
These outcomes should be approved by the board of each organisation, and will reflect areas of concern that warrant additional assurance over the controls in place during that audit period.
More information will be made available in the independent assessment framework, to be published in November 2024. Further updates will be provided on the DSPT news page.
Glossary of terms
Audit - an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations.
CAF - the Cyber Assessment Framework (CAF) is a systematic and comprehensive approach designed by the National Cyber Security Centre (NCSC) to assess the extent to which cyber risk to essential functions is being managed.
CAF-aligned DSPT independent assessment providers - organisations that are commissioned directly by health and social care organisations to complete a CAF-aligned DSPT assessment or review.
Control - any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organises, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
Cyber security - the protection of devices, services, and networks and the information on them from unauthorised access, theft or damage.
Effectiveness - the degree to which something is successful in producing a desired result.
Evidence - the information, documents or supporting statements that are analysed by independent assessment providers to assess the posture of an organisation’s operations.
Fieldwork - the evaluation phase of the assessment.
Information governance - information governance (IG) is a strategic framework that involves policies, processes, and controls to manage, protect, and maximise the value of an organisation's information.
Multi-factor authentication - multi-factor authentication (MFA) is an identity verification method in which a user must supply at least 2 pieces of evidence, such as their password and a temporary passcode, to prove their identity.
UK GDPR - UK General Data Protection Regulation is a regulation on data protection and privacy. It outlines protected classes of information and expectations for processing and storing protected information. UK GDPR guidance and resources can be found on the ICO website.
Last edited: 24 October 2024 12:46 pm