
Data Security & Protection Toolkit (DSPT) Services for IT Suppliers

The NHS Data Security and Protection Toolkit (DSPT) is a mandatory assurance requirement for IT suppliers and technology providers that access NHS data or connect to NHS systems.

For many suppliers, DSPT compliance must be supported by independent third-party assurance, particularly where audit is contractually required or where higher levels of assurance are expected by NHS customers.

The AbedGraham Group works exclusively with IT suppliers and technology providers. We do not provide DSPT services to NHS organisations themselves.

We provide two distinct services:

  • Independent DSPT audits (as a third-party assessor), and

  • DSPT audit readiness and preparation services, supporting suppliers before formal audit.

 

All services are delivered directly by our specialist team.


DSPT Framework: Current Position for IT Suppliers

Current DSPT Model

IT suppliers and technology providers are currently assessed under the legacy DSPT framework, rather than the CAF-aligned model now being introduced for NHS organisations.

This means:

  • DSPT assertions and evidence requirements for suppliers differ from NHS bodies

  • Audit expectations remain evidence-driven but proportionate to supplier obligations

  • The framework continues to evolve year-on-year

 

Looking Ahead

While CAF alignment does not currently apply to IT suppliers, it is widely expected that supplier assurance requirements will increase in future years.

Suppliers that mature their governance, security controls and evidence practices early are significantly better positioned for:

  • Future DSPT changes

  • Increased procurement scrutiny

  • Broader UK cyber resilience expectations

 

Our services are designed to support current compliance while also future-proofing assurance maturity.

Our DSPT Services for IT Suppliers

The Data Security and Protection Toolkit (DSPT) is a mandatory assurance requirement for organisations supplying digital and IT services to the NHS and wider health and care sector. We provide independent audit and structured audit-readiness support to help IT suppliers meet DSPT requirements with confidence, ensuring assertions are accurate, evidence is robust, and submissions stand up to NHS customer and contractual scrutiny.

Independent DSPT Audit (Third-Party Assurance)

We act as an independent third-party DSPT auditor for IT suppliers where audit is required or contractually mandated.

This service includes:

  • Independent assessment of DSPT assertions and submitted evidence

  • Verification that controls are implemented and operating effectively

  • Structured audit interviews and walkthroughs

  • Clear, defensible audit findings

  • Audit reporting suitable for NHS customer and contractual scrutiny

 

Our audit role is independent and objective, providing confidence to NHS customers that supplier DSPT submissions are credible and trustworthy.

DSPT Audit Readiness & Preparation (Separate Service)

Many IT suppliers fail or struggle at audit not because controls are missing but because evidence is incomplete, misaligned or inconsistent.

Our DSPT Audit Readiness service helps suppliers prepare before formal audit and is delivered separately from any audit engagement.

This service includes:

  • DSPT gap analysis against current supplier requirements

  • Evidence mapping and validation

  • Identification of high-risk assertions

  • Practical remediation planning

  • Governance and documentation improvement

  • Mock audit interviews and evidence walkthroughs

This service is ideal for suppliers who:

  • Expect a DSPT audit now or in future years

  • Want to reduce audit risk and rework

  • Are preparing for rising assurance expectations

Why DSPT Audit & Readiness Matters for Suppliers

Contract Enablement

DSPT outcomes directly affect access to NHS systems, platforms and contracts.

Independent Assurance

Third-party audit provides confidence to NHS customers that your DSPT submission reflects real, operational controls.

Reduced Audit Risk

Preparation reduces the likelihood of adverse findings, delays or remediation cycles.

Future Readiness

Audit-ready suppliers are better positioned for evolving DSPT and cyber resilience expectations.

Who We Work With

We support IT suppliers and technology providers, including:

  • Digital health and health IT vendors

  • Software and platform providers

  • Cloud and hosting providers supporting NHS workloads

  • Infrastructure and network technology suppliers

  • Data processors handling NHS data

 

We do not provide DSPT services to NHS organisations.

Why Choose The AbedGraham Group?

  • Independent third-party DSPT auditor for IT suppliers

  • Deep experience in healthcare technology assurance

  • Clear separation between audit and readiness services

  • Evidence-led, regulator-aware approach

  • Trusted by suppliers operating in high-scrutiny environments

 

We help suppliers move beyond compliance uncertainty towards credible, defensible assurance.


Cybersecurity Expertise

We provide specialist AI compliance and assurance support for organisations operating in safety-critical and regulated sectors. Our consultants work with product, engineering and governance teams to translate complex standards into clear, defensible compliance that supports both market access and ongoing assurance.

vCISO (Virtual CISO) Services

Virtual CISO support providing senior cyber security leadership, governance and regulatory alignment for healthcare and life sciences organisations operating in the UK and Europe.

Incident Response (Healthcare & Life Sciences)

Specialist incident response support for cyber incidents, ransomware and data breaches, designed for regulated and safety-critical healthcare and life sciences environments.

Managed SOC / SIEM

Managed SOC and SIEM services providing continuous monitoring, threat detection and escalation for healthcare and life sciences organisations across the UK and Europe.

ISO for Cybersecurity

The best way for organisations to meet the UK and EU's cybersecurity regulations is to implement a suite of ISO standards with our expert guidance.

Book a Discovery Call

Whether you require a formal DSPT audit or want to ensure your organisation is audit-ready, our team can help you approach DSPT with clarity and confidence.
