Part of Strengthening assurance – independent assessment: summary of guides

Cyber Assessment Framework (CAF)-aligned Data Security and Protection Toolkit (DSPT)


The Data Security and Protection Toolkit (DSPT) changed in September 2024 for NHS trusts and foundation trusts (acute, mental health, community and ambulance), integrated care boards (ICBs), commissioning support units (CSUs) and Department of Health and Social Care (DHSC) arm’s length bodies to align with the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF).

This was a commitment made in the DHSC cyber security strategy for Health and Social Care to 2030 to enhance the cyber security assurance of government organisations, which underpins the 5 pillars of the strategy.

The CAF-aligned DSPT approach is geared towards using principles and expert judgment to guide competent decision-making, with a focus on achieving key outcomes. This new approach will affect the way that people, processes and technology are evaluated and assured in cyber security and information governance. This evaluation will be evidenced through indicators of good practice for each outcome and will be required to meet expected achievement levels.

Cyber security plays a critical role in all sectors, but its importance is amplified in the healthcare industry, where sensitive patient data and even lives are at stake.

In the NHS, a cyber attack could compromise confidential medical records, disrupt critical medical equipment, or even delay life-saving treatments. Information governance takes centre stage in the NHS, as patients trust their health and care providers with deeply personal and sensitive information. A breach of information governance could lead to added stress for patients and staff alike, disrupting care and leading to a loss of trust.

DHSC, as the competent authority under the Network and Information Systems Regulations 2018, may access information from the CAF-aligned DSPT, including the independent assessment report, to fulfil its regulatory purpose.

For more information, we recommend that you read our Cyber Assessment Framework (CAF)-aligned Data Security and Protection Toolkit (DSPT) guidance.


Goals of moving to the CAF-aligned DSPT

Enhance risk management

Emphasise good decision-making over compliance, with better understanding and ownership of information risks at the local organisation level where those risks can most effectively be managed.

Foster a continuous improvement culture

Support a culture of evaluation and improvement, as organisations will need to understand the effectiveness of their practices at meeting the desired outcomes, and expend effort on what works, not what ticks a compliance box.

Improve threat management

Create opportunities for better practice, by prompting and enabling organisations to remain current with new security measures to meet new threats and risks.


Changes to the assessment process

Several things will be different this year, including the:

  • timing and duration of assessments
  • introduction of an outcome-based testing methodology
  • skills and requirements of both the independent assessors and the relevant departments of the assessed organisation
  • approach to nationally directed technologies and processes, such as multi-factor authentication (MFA)

Assessment duration and planning

We anticipate that assessments this year will need to be conducted between January and June 2025. We expect there will be a minimum of 2 weeks of fieldwork for the review. Additional time should be planned before and after the fieldwork for pre-review planning and report write-up (read appendix B for an indicative timeline).

With the DSPT aligning with CAF, greater reliance on evidence and input from the cyber security and information governance teams should be factored into planning to ensure the CAF-aligned DSPT assessment is completed before the mandatory deadline of 30 June 2025.

Further information on assessment planning will be available in the independent assessment guide and future communication from NHS England (NHSE).

Arranging assessments

NHSE encourages organisations to choose assessors from the NCSC Cyber Resilience Audit (CRA) scheme, or equivalent.

Due to the change in the focus and nature of the assessment, organisations are encouraged to have independent assessments conducted by qualified and skilled assessors who are experienced in, and can competently assess against, the CAF (read appendix A for an indicative RACI for the independent assessments).

Approach to testing

The CAF-aligned DSPT is less prescriptive in what an organisation presents as evidence for each outcome than the previous DSPT.

Indicators of good practice (IGP) give examples of procedures and processes which organisations can refer to when deciding whether they have met the expected achievement levels. There may be some instances where organisations judge that they have met a contributing outcome in a way which does not correspond to, or align with, the suggested IGPs.

Assessors will need to work closely with organisations to understand how they can evidence success against the outcomes and expected achievement levels.

For a number of outcomes, sample testing will be required by assessors to verify the achievement of one or more IGPs.

Where sample testing is required, the organisation will need to provide a list of the entire population, along with evidence that the population is complete and accurate. The assessor will select a sample, the size of which will be a representative proportion of the entire population.

Assessors will also now be required to follow up on management actions post-assessment to check that they are aligned to the original assessment findings and to confirm their implementation status. The results of this work should be reported to NHSE.

Outcomes-based approach, with certain national directive policy requirements

The CAF-aligned DSPT framework primarily adopts an outcome-based approach, emphasising the achievement of best practices without dictating specific methods for their implementation.

This flexibility empowers organisations to tailor their practices to their unique circumstances while ensuring adherence to the desired outcomes. However, the framework also has a limited number of national directive policy requirements, deemed essential for achieving the desired outcomes, for example the MFA policy.

More information can be found in the independent assessment framework, to be published in November 2024.


Last edited: 24 October 2024 12:36 pm