How to approach it
Planning your approach
Before assigning specific responsibilities and tasks, you should take some time to undertake a preliminary assessment of the content in all the contributing outcomes of the Cyber Assessment Framework (CAF)-aligned Data Security and Protection Toolkit (DSPT).
This will help you understand whether there are any gaps in your current cyber security and information governance (IG) procedures before you start gathering specific evidence. The detailed guidance written for each contributing outcome, linked directly from the DSPT assessment screen, should help you identify areas where the expectations of the CAF-aligned DSPT go beyond the minimum compliance requirements of the previous 2023-24 DSPT.
You can plan and prioritise the DSPT-related activities that need to be completed over the course of the year accordingly.
Scoping information, systems and networks supporting your essential functions
You will also need to undertake a scoping exercise to understand which information, systems and networks should be covered by your DSPT submission.
See guidance on scoping essential functions for more information.
Allocating ownership of contributing outcomes
You will be able to assign owners for each outcome independently and can use this functionality to ensure that responsibility for each outcome sits with the most appropriate person. Your organisation’s cyber security and IG departments are responsible for reading through the CAF-aligned DSPT and deciding how to most suitably allocate ownership of each contributing outcome.
The CAF-aligned DSPT requirements have been created with collaboration in mind across cyber security and IG departments. Where outcomes are shared, you will need responsible teams to collaborate to complete the submission. You should ensure you have robustly considered the cyber security and IG implications of each contributing outcome before allocating ownership.
National directive policy requirements
The CAF-aligned DSPT also has national directive policy requirements. The intention of these policy requirements is to constrain how you meet certain contributing outcomes, ensuring that your practices align with NHS England and Department of Health and Social Care (DHSC) policies set at the national level.
Where a national directive policy is referenced, you must respond ‘Yes’ or ‘No’ to indicate whether your organisation is complying with it. If the policy links to more detailed national guidance, you must have regard to that guidance. If your response is ‘No’, you will automatically be categorised as ‘Not achieved’ for the contributing outcome within which the national directive policy sits.
Structure of the CAF-aligned DSPT
The CAF-aligned DSPT is organised into:
- objectives – overarching goals of your organisation’s cyber security and IG activities
- principles – concepts which underpin your organisation’s cyber security and IG ‘objectives’
- contributing outcomes – key markers against which your organisation will judge the effectiveness of its cyber security and IG practices. These are the key elements of the toolkit against which you will be prompted to record results. The combination of all recorded ‘contributing outcome’ results will determine whether your organisation has achieved ‘Standards met’
- indicators of good practice – concrete examples of procedures and processes which help inform your organisation’s decision about whether it has achieved a contributing outcome
For each contributing outcome, you will be shown indicators of good practice and the option to select ‘Not achieved’, ‘Partially achieved’ or ‘Achieved’.
In the previous DSPT, you needed to be ‘Achieved’ on all mandatory assertions to be ‘Standards met’. This is not the case for the CAF-aligned DSPT.
The CAF-aligned DSPT sets an expected achievement level of ‘Not achieved’, ‘Partially achieved’ or ‘Achieved’ for each contributing outcome. To be ‘Standards met’, you need to meet the expected achievement level for each outcome stated in the interface. These expected achievement levels have been determined by a mapping exercise conducted by NHS England and DHSC which ensures that standards are no less stringent than the previous DSPT.
You should use your own professional judgment, assisted by the guidance created by NHS England and DHSC, to decide which category of achievement you fall into for each contributing outcome.
Deciding your achievement level
To decide your achievement level, you should read the indicators of good practice under each contributing outcome and decide whether your organisation’s practices reflect them.
To be ‘Partially achieved’ or ‘Achieved’ on the contributing outcome, your organisation’s practices and behaviours should be aligned with all indicators of good practice underneath the ‘Partially achieved’ or ‘Achieved’ columns. If your practices are not aligned with one of the indicators of good practice, you must select ‘Not achieved’ for that contributing outcome, unless you can justify that you have achieved the outcome by different means.
Contributing outcomes set at ‘Not achieved’
There are some contributing outcomes where standards may still be met if the outcome is ‘Not achieved’. The reason for this is that the activities required to meet ‘Partially achieved’ within these outcomes are beyond the legacy DSPT requirements, and a need has been identified to support their implementation with a longer-term roadmap.
For contributing outcomes where the expected achievement level is ‘Not achieved’, you are still required to assess your organisation’s performance against the outcome and provide a response, showing you have considered the implications for your organisation’s cyber security and IG activities.
The DSPT ‘Standards met’ expectation should be regarded as a minimum compliance level, not the end goal of your organisation’s cyber security and IG activities.
Interpreting the indicators of good practice
You should read each indicator of good practice carefully and think about what it means in the context of your own organisation’s cyber security and IG assurance procedures.
To understand what is being assessed, it helps to break the indicator of good practice down into its component parts.
Example
Indicator of good practice
Your organisational process ensures that security and wider IG risks to information, systems and networks relevant to essential function(s) are identified, analysed, prioritised, and managed.
You should first think about your security and IG risks.
For your organisation, these security and IG risks could be:
- not being able to recruit and retain data security and protection staff
- not having enough financial resources to replace unsupported or legacy operating systems
- staff members experiencing difficulty accessing patient records
Secondly, think about how you have identified, analysed, prioritised and managed these risks.
For your organisation, this could be through:
- risk management frameworks or policies
- risk management lifecycle processes
- risk registers
- risk assessments (including data protection impact assessments)
If you are assured that your organisation’s processes are effective in ensuring that your security and wider IG risks are appropriately identified, analysed, prioritised and managed, then your organisation has aligned itself with this indicator of good practice, and you are on track to meet the achievement level of the contributing outcome which the indicator of good practice sits within.
Using the indicators of good practice
There may be some instances where your organisation judges that it has met a contributing outcome in a way which does not correspond to or align with a particular indicator of good practice. This is acceptable, but you must be prepared to rationalise how your activities are a sufficient equivalent to the indicator of good practice for achieving the outcome.
See the section ‘Using IGPs’ in the NCSC’s Introduction to the Cyber Assessment Framework guidance for more information.
Providing evidence for responses
Under each contributing outcome, the DSPT interface requires you to write a supporting statement and you should either upload, reference or provide a link to relevant documents.
You should use your supporting statement and relevant documents to justify your decision to categorise your organisation as ‘Not achieved’, ‘Partially achieved’ or ‘Achieved’, in a way which should be understandable to other members of your team, external auditors, NHS England and DHSC.
The interface also provides a secure central location which you and your colleagues can use to monitor your organisation’s progress through the toolkit and check what evidence has been gathered so far.
Writing a supporting statement
Your supporting statement recorded against each contributing outcome should justify your decision for categorising yourself as ‘Not achieved’, ‘Partially achieved’ or ‘Achieved’. It should be written simply and concisely so that your senior board members, external auditors, NHS England or DHSC can understand your rationale.
Your supporting statement should cross-reference how each piece of evidence provides justification for your achievement of the contributing outcome, including relevant page numbers.
The information you provide should be kept to what is strictly relevant for the contributing outcome being assessed.
Practical examples of how organisations can complete their supporting statements can be accessed below.
Example supporting statement for A1.b Roles and responsibilities
Example supporting statement for B1.a Policy, process and procedure development
The templates are to be used as an example only. The information you provide in your supporting statement must be relevant to your organisation and you are encouraged to choose an approach that best suits you.
Providing information
As per the DSPT privacy notice, it is good practice for organisations to apply reasonable controls to the information they provide in their CAF-aligned DSPT responses. This might mean:
- providing references to where files are stored instead of uploading documents
- providing high-level information, going into detail only where necessary
- redacting details where appropriate
Last edited: 24 January 2025 9:53 am