Part of Strengthening assurance – independent assessment: summary of guides
Overview of the independent assessment framework and guide
This section provides the purpose, scope, benefits, and an overview of the:
- independent assessment guide
- independent assessment framework
Both of these documents will be published in November 2024.
Purpose and scope
| | Purpose | Scope |
|---|---|---|
| CAF-DSPT independent assessment guide | The guide supports organisations and assessors in gaining a deeper understanding of each of the 5 objectives that make up the Cyber Assessment Framework (CAF)-aligned Data Security and Protection Toolkit (DSPT). It sets out how the independent assessment is scoped, undertaken and reported on. It also details the scoring methodology and provides templates for terms of reference and reports. | The guide details the purpose of each underlying principle and how each supports the design of a robust and resilient organisation. The guide is not exhaustive and will not cover every eventuality. As such, professional judgement will be required when using its contents in preparation for, or during, a CAF-aligned DSPT independent assessment. |
| CAF-DSPT independent assessment framework | The independent assessment framework will provide specific information about each outcome to the assessors and the cyber security and information governance teams. This will include the approach to be taken when assessing each outcome, as well as identifying the type of evidence to be reviewed to confirm that the expected minimum achievement levels have been met. | The framework covers the 4 CAF objectives as well as the additional data security objective specific to the healthcare sector. It provides an explanation for each indicator of good practice (IGP), a recommended approach to test the organisation against it, and an indication of the type of evidence to be reviewed. The framework also details the thresholds necessary to reach the expected minimum achievement level of each outcome. |
High level CAF-aligned DSPT independent assessment programme timeline
- September 2024: DSPT-CAF summary guide (this document)
- November 2024: Independent assessment framework and guide
- December 2024: Baseline assessment
- January to June 2025: Independent assessments
- 30 June 2025: Self-assessment submission
Benefits of the independent assessment framework and guide
The CAF-aligned DSPT harnesses a less prescriptive approach in the response to each outcome and therefore warrants its own guidance to reflect the changes in the toolkit.
This updated guidance is intended to provide the following benefits to health and social care organisations, independent assessment providers, and the health and social care system as a whole:
Health and social care organisations
As the focus of the DSPT shifts from verifying the implementation of specific controls mandated by evidence items to assessing adherence to the desired outcomes under the CAF-aligned DSPT independent assessments, organisations will receive an opinion on the effectiveness of their control environments in achieving the specified outcomes.
This will ultimately support them in identifying cyber security and information governance gaps between the organisation’s self-assessment and the independent assessment result, which should be mitigated to improve the posture of the organisation. In addition, the increased insight that national bodies will have into the cyber security and information governance posture of multiple organisations across the sector will enable them to support individual organisations in improving their controls.
Independent assessment providers
In recent times, independent assessment providers have been expected to provide an increased level of assurance, over a wider range of data security and protection controls (including more technical cyber-related controls introduced in the CAF-aligned DSPT).
The guidance is not designed to replace the existing expertise, knowledge and professional judgement of independent assessment providers, but should instead support them in identifying how to effectively assess the organisation against the objectives of the CAF-aligned DSPT. It will also help inform the work of cyber security and information governance professionals who are new to the health and social care system, helping them to understand the assessors’ requirements for validating the posture of the organisation during the assessment.
National bodies/health and social care system
When followed and widely used across the system, the CAF-aligned DSPT framework and guide should provide national bodies with greater insight into the effectiveness of health and social care organisations’ cyber security and information governance control environments, as well as their alignment to regulations such as the Network and Information Systems (NIS) Regulation 2018.
This will enable new national data security services and guidance to align to known areas of weakness and support shared learnings across the sector from examples of good practice, as well as provide additional support to organisations that may have issues in this area. The Department of Health and Social Care (DHSC), as the competent authority for the health and care sector under the NIS regulations, may access information from the CAF-aligned DSPT to fulfil its regulatory purpose.
Overview of the independent assessment framework
The following summary outlines the purpose and scope of the CAF-aligned DSPT independent assessment framework.
The NHS England (NHSE) CAF-aligned DSPT independent assessment framework is a resource, created by NHSE, for independent assessors of health and care organisations.
The framework is the resource that the assessor should use to assess the organisation against the requirements of the CAF-aligned DSPT. It can act as the basis of scoping the terms of reference for each CAF-aligned DSPT assessment, the approach that the assessor could take during their review, and inform the type of evidence that the assessor could request and review as part of their work.
Further detail on the framework, and how to navigate it, will be provided in the framework itself.
There are 5 (A to E) objectives within the CAF-aligned DSPT. The CAF-aligned DSPT independent assessment framework outlines the principles that make up each objective, highlighting the area of scope for each principle. Each principle contains several outcomes, which can be 'Achieved', 'Partially Achieved' or 'Not Achieved', depending on the results of their respective indicators of good practice.
The diagram below shows the structure for objective A, principle A2, which has 2 outcomes, with the associated achievement levels for each outcome.
Each organisation will be assigned a profile, which will be based on the type and size of the organisation. This profile will be used to identify the expected achievement levels for each outcome.
The framework details:
- the control objective of each outcome and IGP
- guidance on how to assess the organisation’s control environment against the IGPs
- an indication of the on-site tests that could be performed and the documents that the assessor should typically request and review as part of their work
It also includes details on whether or not the IGP is required for this year’s assessment for each category of health and social care organisation.
The framework is designed to be used by independent assessment providers. It will enable independent assessment providers to carry out their assessments in an efficient and consistent manner.
It is advised that independent assessment providers have experience in reviewing cyber security and information governance control environments. The assessment approach is not intended to be exhaustive or overly prescriptive, though it does aim to promote consistency of approach.
Assessors are expected to use their professional judgement and expertise in further investigating and analysing the specific control environment, and associated risk, of each health and social care organisation.
Last edited: 21 January 2025 3:42 pm