As a large IT supplier to the NHS, you are the digital backbone of a system that millions of people rely on every day. Whether you are managing patient records, facilitating remote consultations, or streamlining administrative workflows, the sheer volume of sensitive data passing through your systems makes your security posture a matter of national importance.
This year, the Data Security and Protection Toolkit (DSPT) has refined its expectations, particularly for Category 2 organisations. While you aren’t yet required to align fully with the Cyber Assessment Framework (CAF), the scrutiny on your cybersecurity and information security is higher than ever before.
In this guide, we break down exactly what “Category 2” means for your business, why your ISO 27001 certification might not be the “get out of jail free” card you expected, and how you can navigate the audit process without derailing your daily operations.
Category 2 organisations are known as IT Suppliers. They are defined as external organisations supplying digital goods and services to the NHS, with over 50 staff and a turnover exceeding £10 million.
These organisations will complete a version of the toolkit similar to previous years, but with a significantly increased focus on meeting cybersecurity and information security requirements compared to Category 3 organisations.
IT Suppliers
Defined as external organisations supplying digital goods and services to the NHS, with over 50 staff and a turnover exceeding £10 million. These organisations will complete a version of the toolkit similar to previous years, but with a significantly increased focus on meeting cybersecurity and information security requirements compared to Category 3 organisations.
Does "Category 2" mean my DSPT submission is aligned with CAF?
The short answer is no. This year, category 2 organisations (unlike category 1) will not need to submit a CAF-aligned DSPT, but there are 58 additional mandatory evidence items compared to a category 3 submission, with a higher focus on cyber security, and the audit remains an addition for these organisations.
Is the audit mandatory for all Category 2 organisations?
Yes, an independent audit is required for Category 2 organisations.
What is the scope of the audit?
For the IT suppliers, the audit focuses on validating controls across the 12 mandatory areas of the DSPT submission.
This includes assessing the effectiveness of your accountability and governance framework for data protection and security, and that controls are established for identity & access control, access to privileged accounts, business continuity, software/vulnerability patching, and supplier management
How long does the Audit take?
Our audit process is structured to run asynchronously over 14 working days, facilitated by our support. While we will require access to several key stakeholders within your organisation, we will manage the scheduling of calls and coordinate with you to minimise any disruption to your business operations.
You can view this audit as a comprehensive step, positioned between a Cyber Essentials Plus audit and a more extensive undertaking like an ISO 27001 certification. It is a process that requires due diligence and cannot be completed in a single afternoon, but it is also not designed to cause a full week of major business interruption.
Do ISO 27001 or Cyber Essentials Plus (CE+) exempt me from the DSPT Audit?
Having ISO 27001 and CE+ does not completely exempt you from needing to conduct the DSPT Audit. However, for IT suppliers, the audit scope can be reduced in complexity if your organisation has one or both of these certifications.
Can we use our internal audit team?
No, the requirements within the DSPT specify that this needs to be an independent and external audit. There are several organisations listed on the DSPT portal as organisations you can use for this, of which we are one.
What happens if we ‘Fail’ the Audit?
The audit is not a pass/fail assessment; rather, its purpose is to identify existing gaps and areas where improvements are necessary and verify the veracity of your self-assessment submission. However, not having an independent audit that verifies your controls will mean you will not ‘pass’ the requirements of the DSPT.
We will not share your results with the NHS until you confirm you are prepared. If there are controls that need strengthening or processes that require better embedding, our expert team is available to advise and support remediation.
Do you get a certificate on completion of the Audit?
We provide all clients with a certificate and a badge for their website as proof of a successful audit.
As a large organisation handling millions of data points daily, you are the digital backbone of the NHS. The NHS relies on you to ensure the safe and effective delivery of digitally enabled healthcare. Therefore, you cannot afford to guess your compliance.
This critical responsibility necessitates robust data and cybersecurity measures, which is where we provide our support. We can help you confidently adopt the latest DSPT version, integrating it into your existing governance framework and conducting the necessary DSPT audit.
Book your free Readiness Review with a Member of our Team now.
Need help?
If you need help with any aspect of your compliance, our team are here to help. With decades of in-house experience in Data Protection, Information Security, Clinical Safety and Medical Device Regulations, we can help you meet your obligations – with candour, commitment and quality at the core.