DSP Toolkit Changes September 2024

The Data Security and Protection Toolkit (DSPT) changes in September 2024 for some health and care organisations to align with the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF).

These organisations are:

• NHS Trusts and Foundation Trusts

• Commissioning Support Units (CSUs)

• Arm’s Length Bodies (ALBs) of the Department of Health and Social Care (DHSC)

• Integrated Care Boards (ICBs)

Other organisation types such as GP’s, Dentists and IT Suppliers will not be moving to the CAF-aligned DSPT in 2024-2025.

These changes have come from a commitment made in the Department of Health and Social Care (DHSC) cyber security strategy.

The CAF-aligned DSPT approach is geared towards using principles and expert judgement to guide competent decision-making, with a focus on achieving key outcomes. It will affect the way that people, processes and technology are evaluated and assured in cyber security and information governance (IG).

The goals of moving to the CAF-aligned DSPT are to:

• emphasise good decision-making over compliance, with better understanding and ownership of information risks at the local organisation level where those risks can most effectively be managed.

• support a culture of evaluation and improvement, as organisations will need to understand the effectiveness of their practices at meeting the desired outcomes – and expend effort on what works, not what ticks a compliance box.

• create opportunities for better practice, by prompting and enabling organisations to remain current with new security measures to meet new threats and risks.

The organisation types that will be moving to the CAF-aligned DSPT in 2024-2025 and will see a new user interface when they log in to file their submission.

For help complying with the DSP Toolkit or the new National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF), please contact Romano Security Consulting.