The DSPT has had major updates for this year. The submission deadline is 30th June 2026, and you are advised to take note of the following.
Below are the outcomes and assertions of the DSPT which must be included in a 25-26 DSPT Audit for NHS Trusts, ICBs, ALBs, CSUs, OES, Genomics organisations and IT Suppliers. Note the slight change to the IT Supplier mandatory audit requirements.
DSPT Audit 25-26 Areas of Mandatory Audit (October 2025)
NHS Trusts, ICBs, ALBs and CSUs
For NHS Trusts, Integrated Care Boards (ICBs), Arm’s Length Bodies (ALBs) and Commissioning Support Units (CSUs), there are 9 mandated outcomes to be audited (listed below) with organisations selecting 3 outcomes of their choice.
- A1.a Board direction
- B1.a Policy, process and procedure development
- B4.a Secure by design
- B5.a Resilience preparation
- B5.c Backups
- C1.b Securing logs
- D2.a Incident root cause analysis
- E2.a Managing data subject rights under UK GDPR
- E2.c National data opt-out policy
Independent providers who are designated Operators of Essential Services (OES) and Genomics organisations (as nominated by the Department of Health and Social Care)
For OES providers and Genomics organisations, there are 8 mandated outcomes to be audited (listed below) with organisations selecting 4 outcomes of their choice.
- A2.a Risk management process
- A4.a Supply chain
- B2.a Identity verification, authentication and authorisation
- B4.d Vulnerability management
- C1.a Monitoring coverage
- D1.a Response plan
- E2.b Consent
- E3.a Using and sharing information for direct care
IT Suppliers
For IT Suppliers, there are 12 mandated assertions to be audited (listed below).
- 1.3 Accountability and Governance in place for data protection and data security
- 4.2 The organisation assures good management and maintenance of identity and access control for its networks and information systems
- 4.4 You closely manage privileged user access to networks and information systems supporting the essential service
- 6.1 A confidential system for reporting data security and protection breaches and near misses is in place and actively used
- 6.3 Known vulnerabilities are acted on based on advice from NHS Digital, and lessons are learned from previous incidents and near misses
- 7.2 There is an effective test of the continuity plan and disaster recovery plan for data security incidents
- 7.3 You have the capability to enact your incident response plan, including effective limitation of impact on your essential service. During an incident, you have access to timely information on which to base your response decisions
- 8.3 Supported systems are kept up-to-date with the latest security patches
- 8.4 You manage known vulnerabilities in your network and information systems to prevent disruption of the essential service
- 9.3 Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities
- 9.6 The organisation is protected by a well-managed firewall
- 10.1 The organisation can name its suppliers, the products and services they deliver and the contract durations
(Note: 3.3 has been removed as it does not contain any mandatory evidence items for IT Suppliers).
If you have not yet submitted and published your DSPT, please get in touch so we can help you.