DSPT readiness and support
We help you complete the toolkit honestly, evidence the controls, and prepare for the move to the CAF-aligned version where it applies to you.
Handle NHS patient data and the Data Security and Protection Toolkit applies to you, every year. Increasingly, NHS contracts also expect Cyber Essentials Plus. We help NHS suppliers, care providers and digital health teams meet the bar and evidence it. From an IASME Certification Body that has certified UK organisations since 2014.
Prefer email? hello@layer7.uk
The Data Security and Protection Toolkit is an annual self-assessment that every organisation with access to NHS patient data must complete and publish. The deadline is 30 June each year. It covers data security and information governance, and it is not a one-off.
The DSPT is moving to align with the NCSC Cyber Assessment Framework. The change is rolling out progressively by organisation type: large trusts and integrated care boards first, then operators of essential services and genomics organisations, with everyone else following as NHS England moves them across.
At the same time, PPN 014 lets NHS buyers require Cyber Essentials or Cyber Essentials Plus from suppliers, especially where personal or sensitive data is involved. NHS Supply Chain has signalled it expects suppliers handling personal data or delivering IT to hold Cyber Essentials Plus.
Cyber Essentials Plus does not replace the DSPT. But holding it, or ISO 27001, can evidence and reduce duplication on the DSPT's technical controls, provided the scope covers the data you process.
We help you complete the toolkit honestly, evidence the controls, and prepare for the move to the CAF-aligned version where it applies to you.
The audited certification NHS contracts increasingly require, certified directly by us, evidencing your DSPT technical assertions in one step.
The baseline, certified directly, for suppliers and providers early in their journey.
For trusts, integrated care boards and operators of essential services moving to the CAF-aligned DSPT, we score you against the framework and build the plan to close the gaps.
CREST and Cyber Scheme qualified testing for the systems that hold patient data.
Patient data and email live in Microsoft 365. We harden identity and Defender, and watch sign-ins, so a phishing attempt does not become a notifiable breach.
We have certified UK organisations since 2014 and work with regulated, data-sensitive clients. We do the fix, not just the finding: we prioritise by real risk, help you close the gaps, and give you the evidence the toolkit and your NHS customers actually want to see. One firm across certification, testing and readiness, so nothing falls between a report and the day to day.
The North East has a dense health and care economy, from major NHS trusts and the regional integrated care board to a large independent care sector and a growing life-sciences cluster. We help organisations across the region meet their data-security obligations, on site or remotely.
The Data Security and Protection Toolkit is an annual online self-assessment of data security and information governance. Every organisation with access to NHS patient data and systems must complete and publish it, from NHS trusts and GP practices to care providers and IT suppliers. The deadline is 30 June each year.
Yes, progressively. NHS England is moving organisations from the older DSPT to a version aligned with the NCSC Cyber Assessment Framework, in phases by organisation type. Large trusts and integrated care boards moved first, then operators of essential services and genomics organisations. Others follow when NHS England moves them.
Under PPN 014, NHS buyers can require Cyber Essentials or Cyber Essentials Plus, especially where personal or sensitive data is involved, and NHS Supply Chain expects suppliers handling personal data or delivering IT to hold Cyber Essentials Plus. We help you get certified and keep it current.
No. You still complete the DSPT. But holding Cyber Essentials Plus, or ISO 27001, can evidence and reduce duplication on the toolkit's technical controls, as long as the certification scope covers the data you process.
Yes. Smaller providers are usually still on the original DSPT. We help you complete it and get Cyber Essentials in place, proportionately and without jargon.
Yes. We help digital health teams with Cyber Essentials, Cyber Essentials Plus and the technical security evidence NHS buyers ask for.
Prefer email? hello@layer7.uk