Part of Secure email standard (DCB1596) guidance

What actions my organisation needs to take

The secure email standard has been updated to reduce the costs of implementation and align with central government changes. Organisations are required to take action to implement these important changes:

  • following the introduction of the Data Security and Protection Toolkit (DSPT), health and social care organisations may now submit their fully completed DSPT, with all assertions and mandatory evidence items completed, as conformance instead of ISO 27001:2013 certification
  • an update to clarify how risks identified on the IT Health Check must be managed, reflecting the latest government guidance on anti-spoofing evidenced in the conformance document
  • to support transparency, email providers are now required to state on their conformance statement in which country / countries data will be hosted
  • ensure anti-spoofing controls are operating at, or within three months of, accreditation.

Organisations must demonstrate that their service is compliant with the secure email standard by following the updated accreditation process and implementing the new steps above.

All organisations must comply with the updated DCB1596 secure email standard and will require re-accreditation. Updated conformance statements and further information can be found on our secure email standard page.  


Last edited: 3 November 2021 2:46 pm