
NHS DSP Toolkit: A Beginner's Guide to Getting Started

7 February 2024 · 13 min read · Precursor Security

This guide is written by the team at Precursor Security, a CREST-accredited cyber security firm with direct experience helping NHS suppliers and health and social care organisations complete their annual DSPT submission.

The NHS DSP Toolkit (NHS Data Security and Protection Toolkit) is an online self-assessment tool - administered by NHS England - that allows NHS-connected organisations, including GP practices, hospitals, and third-party suppliers, to measure their performance against the National Data Guardian's (NDG) 10 data security standards, and to demonstrate that personal data and confidential information is handled securely.

What Are the 10 NHS DSP Toolkit Standards?

The toolkit measures compliance against 10 standards set by the National Data Guardian (NDG). Each standard addresses a distinct area of data security and protection:

  • Standard 1 - Personal Confidential Data: Personal confidential data is only accessible to staff who need it for their role and is only shared for lawful and appropriate purposes.
  • Standard 2 - Staff Responsibilities: All staff understand their responsibilities under the National Data Guardian's data security standards and are applying them in their day-to-day work.
  • Standard 3 - Training: All staff have completed appropriate data security training and annual refreshers, so they can recognise and report incidents.
  • Standard 4 - Managing Data Access: Personal confidential data is only accessible to staff who need it, and access is removed promptly when a member of staff leaves or changes role.
  • Standard 5 - Process Reviews: Processes are reviewed at least annually to identify and improve those that have caused or could cause data security breaches.
  • Standard 6 - Responding to Incidents: Cyber attacks against services are identified and resisted, and all serious incidents are reported to relevant authorities promptly.
  • Standard 7 - Continuity Planning: A continuity plan is in place to respond to threats to data security, including significant system failure or a cyber attack, and is tested at least annually.
  • Standard 8 - Unsupported Systems: No unsupported operating systems, software, or internet browsers are used within the IT estate.
  • Standard 9 - IT Protection: A strategy is in place to protect IT systems from cyber threats, based on a proven framework such as Cyber Essentials.
  • Standard 10 - Accountable Suppliers: All suppliers and partners working with NHS data have completed a Data Security and Protection Toolkit assessment or equivalent assurance, ensuring NHS supply chains are as secure as possible.

How Do You Register for the NHS DSP Toolkit?

Firstly, you need to register your organisation on the NHS DSP Toolkit portal. After registration, you will then create your organisation's profile.

When creating your profile, pay attention to the elements marked 'Mandatory'. These vary depending on how your organisation is categorised, so take extra care when selecting your category. To do so you will typically need your ICO registration number, your organisation type (e.g., GP practice, NHS trust, or independent supplier), and your ODS code (Organisation Data Service code) if applicable - having these to hand before you begin will prevent delays.

What Are the NHS DSP Toolkit Compliance Levels?

There are essentially three levels within the NHS DSP Toolkit: Approaching Standards, Standards Met, and Standards Exceeded.

The level of Standards Exceeded should be the target for all organisations when certifying against the NHS Data Security and Protection Toolkit. It is reserved for those that achieve Standards Met and hold a current Cyber Essentials Plus certificate - see the DSPT evidence requirements for full details.

| Level | What It Means | Key Requirement | Who It Applies To |
|---|---|---|---|
| Approaching Standards | Organisation is working toward compliance but has not yet met all assertions | Partial completion; mandatory assertions may be outstanding | Organisations in their first submission year or undergoing significant change |
| Standards Met | All mandatory assertions have been satisfied | Full completion of all applicable assertions | All NHS-connected organisations |
| Standards Exceeded | Highest certification level | Standards Met plus a current Cyber Essentials Plus certificate | Organisations seeking the highest assurance level or required by contract |

A note on NHSmail

NHSmail is the national secure collaboration service for health and social care in England. As a minimum, an organisation will need to have 'Approaching Standards' to access NHSmail.

What Does Standard 9 (IT Protections) Require?

Let's take a closer look at one of the 10 standards: Standard 9, IT Protections.

The Independent Assessment Framework for this standard states:

*"A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually."*

Within this standard are several assertions. These are:

Assertion 1 - All networking components have had their default passwords changed.

Assertion 2 - A penetration test has been scoped and undertaken.

Assertion 3 - Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities.

Assertion 4 - You have demonstrable confidence in the effectiveness of the security of your technology, people, and processes relevant to essential services.

Assertion 5 - You have a data security improvement plan with agreed implementation dates.

Assertion 6 - You securely configure the network and information systems that support the delivery of essential services.

| Assertion | Requirement Summary | Typical Evidence |
|---|---|---|
| Assertion 1 | Default passwords changed on all networking components | Network audit log or asset register showing password policy applied |
| Assertion 2 | Penetration test scoped and undertaken | Scoped pentest report from a CREST-accredited provider |
| Assertion 3 | Systems handling sensitive data protected from known vulnerabilities | Patch management policy and recent vulnerability scan results |
| Assertion 4 | Demonstrable confidence in security of technology, people, and processes | Risk register, security awareness training records |
| Assertion 5 | Data security improvement plan with agreed implementation dates | Documented DSIP with named owners and target dates |
| Assertion 6 | Network and information systems securely configured | Hardening baseline documents, firewall ruleset review |

One of the main motivations for the standard's creation was to ensure that the NHS's supply chains are as secure as possible, a priority reflected explicitly in Standard 10 (Accountable Suppliers), which the National Data Guardian frames as a direct requirement on all organisations handling NHS data. To this end the standard asks:

*"Do your organisation's IT system suppliers have cyber security certification?"*

The detail supporting the question confirms that IT suppliers can demonstrate this by:

  • Having a Cyber Essentials certificate - a scheme developed and backed by the NCSC (National Cyber Security Centre) and delivered by certification bodies including IASME
  • Having an ISO 27001 (the international standard for information security management) certificate

A Cyber Essentials certificate comes at two levels: Cyber Essentials and Cyber Essentials Plus.

In 2022 the NCSC released the Willow version of Cyber Essentials, introducing revised scope definitions and stronger multi-factor authentication requirements. For a summary of what changed, see the NCSC Cyber Essentials changelog.

The Precursor Security Cyber Essentials page also contains other useful information related to Cyber Essentials, including our Cyber Essentials Readiness Quiz - a self-assessed gap analysis to give you an idea of how ready your organisation is for Cyber Essentials certification.

Example: A GP Practice Completing Standard 9 for the First Time

A 10-person GP practice with a single IT administrator recently completed its first DSPT submission. The practice met Assertions 1, 3, 5, and 6 without difficulty: their existing IT supplier had a Cyber Essentials certificate, default passwords had been changed across all networking equipment, and a documented data security improvement plan was already in place. Assertion 2 was the sticking point - the practice had never commissioned a penetration test. They engaged a CREST-accredited provider to run a scoped internal and external test covering the systems relevant to their NHS environment. On receipt of the completed pentest report, they used it as direct evidence to satisfy Assertion 2 and achieved Standards Met in their first submission year.

What Evidence Do You Need for Each Standard 9 Assertion?

Standard 9 is the standard most likely to require external support, because several of its assertions call for formal documentation that smaller organisations may not have produced before. Here is what auditors expect to see against each assertion, in plain language.

Assertion 1 - Default passwords changed. An asset register or network audit log that records when each device was configured and confirms default credentials were replaced is sufficient. A statement from your IT supplier confirming this has been done is acceptable supporting evidence, but the supplier's own Cyber Essentials certificate is stronger.

Assertion 2 - Penetration test scoped and undertaken. The test must have a defined scope that covers your NHS-facing systems - a generic scan of a different environment will not satisfy this assertion. The report must come from a CREST-accredited provider, or equivalent. Organisations frequently submit test reports that predate their current infrastructure or exclude NHS-connected systems; both are rejected.

Assertion 3 - Protection from known vulnerabilities. A patch management policy explaining how you identify, prioritise, and apply security patches is the baseline requirement. Pair this with recent vulnerability scan results showing no critical or high-severity findings are outstanding beyond your agreed remediation timescales.
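As an added example (not code from the original article or from the DSPT), the following script performs the check that the Assertion 3 scan evidence has to demonstrate: it reads a scanner export, applies the organisation's agreed remediation timescales per severity, lists open findings that are past their timescale, and reports whether any critical or high finding would leave the assertion unsatisfied. The CSV layout, host names, dates and timescale values are all constructed assumptions.

```python
"""Assertion 3 evidence check: are any open scan findings past the agreed remediation timescale?"""
import csv
import io
from datetime import date

# Illustrative timescales (days) per severity. The DSPT does not fix these values;
# use whatever your patch management policy has agreed.
REMEDIATION_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

# Constructed sample of a scanner CSV export (one finding per row, hypothetical hosts).
SCAN_EXPORT = """\
host,finding,severity,first_seen,status
gp-fileserver-01,Missing OS security update,critical,2024-01-05,open
gp-fileserver-01,Outdated browser version,high,2024-01-20,open
reception-pc-03,Weak TLS configuration,medium,2023-10-01,open
reception-pc-03,Missing OS security update,critical,2024-01-25,fixed
"""

def overdue_findings(export_text, as_of, timescales=REMEDIATION_DAYS):
    """Return open findings older than the timescale for their severity, as dicts with
    host, finding, severity and days_overdue. as_of is an ISO date string (YYYY-MM-DD)."""
    today, overdue = date.fromisoformat(as_of), []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["status"].strip().lower() != "open":
            continue  # fixed or closed findings are not outstanding
        severity = row["severity"].strip().lower()
        age = (today - date.fromisoformat(row["first_seen"].strip())).days
        allowed = timescales.get(severity, 0)  # severity not in the policy table: flag for review
        if age > allowed:
            overdue.append({"host": row["host"], "finding": row["finding"],
                            "severity": severity, "days_overdue": age - allowed})
    return overdue

def assertion3_ready(export_text, as_of, timescales=REMEDIATION_DAYS):
    """True when no critical or high finding is outstanding beyond its agreed timescale,
    which is the condition the scan results submitted for Assertion 3 must show."""
    return not [f for f in overdue_findings(export_text, as_of, timescales)
                if f["severity"] in ("critical", "high")]

if __name__ == "__main__":
    for f in overdue_findings(SCAN_EXPORT, "2024-02-07"):
        print(f"{f['host']}: {f['finding']} ({f['severity']}) {f['days_overdue']} days overdue")
    print("Assertion 3 scan evidence ready:", assertion3_ready(SCAN_EXPORT, "2024-02-07"))
```

Run against a real export, the overdue list is the remediation backlog to clear (or to explain in the data security improvement plan) before the scan results are submitted as evidence.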

Assertion 4 - Demonstrable confidence in security. This is the broadest assertion and the one most open to interpretation. A current risk register that includes information security risks, alongside records showing staff have completed security awareness training, is the practical minimum. Organisations with a formal security review programme, or those that have recently passed a Cyber Essentials Plus assessment, are well-placed here.

Assertion 5 - Data security improvement plan. The plan must be documented, not verbal, and must include named owners for each action and agreed target completion dates. A plan with no owners or open-ended timelines will not satisfy the assertion.

Assertion 6 - Secure network configuration. Hardening baseline documents showing how servers, workstations, and network devices are configured, alongside a firewall ruleset review, are the standard evidence types. If your configuration management is handled by a third-party supplier, obtain written confirmation from them and ensure they hold a Cyber Essentials certificate of their own.

Common Reasons Organisations Fail Standard 9

Standard 9 accounts for a disproportionate share of incomplete submissions. Three failure points recur most frequently.

No penetration test has been commissioned. Many organisations - particularly smaller GP practices, community health providers, and NHS-connected suppliers - reach submission and discover they have never run a formal penetration test. Assertion 2 cannot be satisfied with a vulnerability scan alone; a scoped test from a CREST-accredited provider is required. The solution is to commission one early in the submission cycle, not as a last-minute fix.

The penetration test exists but was not scoped to cover the NHS environment. A test scoped to a commercial website or a previous IT infrastructure will not satisfy Assertion 2 if the systems connecting to NHS networks were excluded. Reviewers check that the scope statement in the test report matches the organisation's current NHS-facing environment. Any mismatch results in the assertion remaining incomplete.

IT suppliers have no Cyber Essentials certificate and the organisation has not documented a remediation plan. Standard 9 asks directly whether IT system suppliers hold cyber security certification. Where a supplier does not hold Cyber Essentials or ISO 27001, the organisation must document a plan - with named owners and target dates - to address the gap. Stating that the supplier "is working on it" without a written plan is not sufficient for the toolkit.

When and How Do You Submit Your NHS DSP Toolkit Assessment?

The annual submission deadline is 30 June each year. Confirm the current submission window and any extension notices on the DSPT portal.

Don't worry about having all your information to hand the first time you submit your DSPT (Data Security and Protection Toolkit) assessment. You can skip back and forth as you work through the portal.

All of your responses in the portal will be saved so you can come back and continue later. There is also no specific order you need to follow when completing your submission, just as long as it's completed in full. You can even involve as many people as you need to make sure it's right.

With evidence documented against each of the 10 standards and an annual submission to the DSPT portal by 30 June, your organisation demonstrates to NHS commissioners and data controllers that personal data is handled to the National Data Guardian's standards. If you require assistance with any component of the DSPT - particularly Standard 9, where a scoped penetration test is typically the most time-consuming element - please contact us. Precursor Security is a CREST-accredited (Council of Registered Ethical Security Testers) cyber security firm and a Cyber Essentials certification body. We can assist with penetration testing, vulnerability scanning and Cyber Essentials certification to satisfy the requirements of your annual DSPT submission.


Frequently Asked Questions

What is the NHS DSP Toolkit?

The NHS DSP Toolkit (Data Security and Protection Toolkit) is an online self-assessment tool administered by NHS England. It allows NHS-connected organisations - including GP practices, NHS trusts, and third-party suppliers - to measure their compliance against the National Data Guardian's 10 data security standards and demonstrate that personal data is handled securely.

How do you register for the NHS DSP Toolkit?

Register your organisation on the DSPT portal, then create your organisation's profile. You will need your ICO registration number, your organisation type (e.g., GP practice, NHS trust, or independent supplier), and your ODS code where applicable. Mandatory fields vary by organisation category, so select your category carefully before proceeding.

What are the NHS DSP Toolkit compliance levels?

There are three levels: Approaching Standards (working toward compliance, not all assertions met), Standards Met (all mandatory assertions satisfied), and Standards Exceeded (Standards Met plus a current Cyber Essentials Plus certificate). Standards Exceeded is the highest assurance level and may be required under certain NHS contracts.

What does Standard 9 (IT Protections) require?

Standard 9 requires organisations to have a cyber security strategy based on a proven framework such as Cyber Essentials, reviewed at least annually. It includes six assertions covering default password changes, penetration testing, vulnerability management, security confidence, a data security improvement plan, and secure network configuration.

When is the NHS DSP Toolkit submission deadline?

The annual submission deadline is 30 June each year. Confirm the exact date for the current submission year, and check for any extension notices, on the DSPT portal information standards page.
