• An IASME Certification Body since 2014.
  • CREST and Cyber Scheme qualified testers.
  • Aligned to the DSPT, the NCSC Cyber Assessment Framework and PPN 014.
  • North East based. Delivered UK-wide.
What's forcing your hand

The DSPT, every year, and a rising supplier bar

The Data Security and Protection Toolkit is an annual self-assessment that every organisation with access to NHS patient data must complete and publish. The deadline is 30 June each year. It covers data security and information governance, and it is not a one-off.

The DSPT is moving to align with the NCSC Cyber Assessment Framework. The change is rolling out progressively by organisation type: large trusts and integrated care boards first, then operators of essential services and genomics organisations, with everyone else following as NHS England moves them across.

At the same time, PPN 014 lets NHS buyers require Cyber Essentials or Cyber Essentials Plus from suppliers, especially where personal or sensitive data is involved. NHS Supply Chain has signalled it expects suppliers handling personal data or delivering IT to hold Cyber Essentials Plus.

Cyber Essentials Plus does not replace the DSPT. But holding it, or ISO 27001, can evidence and reduce duplication on the DSPT's technical controls, provided the scope covers the data you process.

What we deliver

What we deliver for health and social care

DSPT readiness and support

We help you complete the toolkit honestly, evidence the controls, and prepare for the move to the CAF-aligned version where it applies to you.

Cyber Essentials Plus

The audited certification NHS contracts increasingly require, certified directly by us, evidencing your DSPT technical assertions in one step.

Cyber Essentials

The baseline, certified directly, for suppliers and providers early in their journey.

CAF readiness

For trusts, integrated care boards and operators of essential services moving to the CAF-aligned DSPT, we score you against the framework and build the plan to close the gaps.

Penetration testing

CREST and Cyber Scheme qualified testing for the systems that hold patient data.

Microsoft 365 hardening and monitoring

Patient data and email live in Microsoft 365. We harden identity and Defender, and watch sign-ins, so a phishing attempt does not become a notifiable breach.

Evidence the NHS will accept

We have certified UK organisations since 2014 and work with regulated, data-sensitive clients. We do the fix, not just the finding: we prioritise by real risk, help you close the gaps, and give you the evidence the toolkit and your NHS customers actually want to see. One firm across certification, testing and readiness, so nothing falls between a report and the day to day.

Regional focus

Health cyber across the North East

The North East has a dense health and care economy, from major NHS trusts and the regional integrated care board to a large independent care sector and a growing life-sciences cluster. We help organisations across the region meet their data-security obligations, on site or remotely.

  • Newcastle
  • Gateshead
  • Sunderland
  • Durham
  • Northumberland
  • Tees Valley
Questions

Health & social care FAQs

What is the DSPT and who has to complete it?

The Data Security and Protection Toolkit is an annual online self-assessment of data security and information governance. Every organisation with access to NHS patient data and systems must complete and publish it, from NHS trusts and GP practices to care providers and IT suppliers. The deadline is 30 June each year.

Is the DSPT changing to the Cyber Assessment Framework?

Yes, progressively. NHS England is moving organisations from the older DSPT to a version aligned with the NCSC Cyber Assessment Framework, in phases by organisation type. Large trusts and integrated care boards moved first, then operators of essential services and genomics organisations. Others follow when NHS England moves them.

Do NHS suppliers need Cyber Essentials or Cyber Essentials Plus?

Under PPN 014, NHS buyers can require Cyber Essentials or Cyber Essentials Plus, especially where personal or sensitive data is involved, and NHS Supply Chain expects suppliers handling personal data or delivering IT to hold Cyber Essentials Plus. We help you get certified and keep it current.

Does Cyber Essentials Plus replace the DSPT?

No. You still complete the DSPT. But holding Cyber Essentials Plus, or ISO 27001, can evidence and reduce duplication on the toolkit's technical controls, as long as the certification scope covers the data you process.

Can you help care homes and smaller providers?

Yes. Smaller providers are usually still on the original DSPT. We help you complete it and get Cyber Essentials in place, proportionately and without jargon.

Do you work with digital health suppliers?

Yes. We help digital health teams with Cyber Essentials, Cyber Essentials Plus and the technical security evidence NHS buyers ask for.

Meet the NHS bar, and prove it.