BLS Stay Compliant


[Image: items typically used for a DSPT audit, such as post-it notes, a pen, a magnifying glass and paper.]

What changes are expected for the DSPT in 2025-2026?

The Data Security and Protection Toolkit (DSPT) continues to evolve, with a key update launched on 15 October 2025: NHS England's clarification of the mandatory audit areas for 2025–26.

For organisations subject to independent audit, it is critical to understand exactly which outcomes are must-haves and how things have shifted compared to prior years.

Here's a breakdown of the DSPT changes, and practical advice for preparing to meet them.

Mandatory Audit Areas (from 15 Oct 2025)

The DSPT team published a formal list of areas that are now mandatory for audit in the 2025–26 cycle. These differ by sector (such as NHS Trusts, ICBs, Genomics, IT Suppliers and others; for a full list, visit the NHS website).

For all NHS Trusts, ICBs, ALBs and CSUs there are nine mandated outcomes. Organisations must also select three additional outcomes to audit, based on risk. The categories range from board direction to backups and incident root cause analysis.

For independent providers (OES) and genomics, eight outcomes must be audited, plus four additional outcomes of their choice.

For IT suppliers, rather than outcomes, there are 12 mandated assertions to be audited, such as accountability and governance for data protection.

All organisations will now be expected to compile a digital asset register (for hardware and software). This can be combined with an existing information asset register.

In addition, all administrators will be expected to sign an agreement holding them to a higher level of accountability, reflecting either the greater sensitivity or the wider range of the data they can access.

Why These Changes Matter

CAF-aligned DSPT Framework
The DSPT is now more closely aligned with the National Cyber Security Centre's Cyber Assessment Framework (CAF). This means more outcome-based auditing, focused on how well organisations achieve the intended security and governance goals rather than on whether specific controls are present. Auditors are expected to apply professional judgement in assessing how evidence maps to these outcomes.

Risk-based Flexibility
For NHS organisations, the updates give more control, allowing prioritisation of the areas that are most critical or highest risk in each specific context. The selection of additional outcomes should be board-approved.

Increased Assurance Focus
The DSPT now places a stronger emphasis on detecting, investigating and learning from security incidents, so that organisations stay on top of risks and threats.

Directive National Policy Areas
While the DSPT is outcome-based, some outcomes carry national policy requirements, such as multi-factor authentication (MFA). This means organisations do not have carte blanche: for certain risks there is a minimum policy standard that must be followed, regardless of how the organisation chooses to evidence the outcome.

One top tip for preparing for a DSPT audit is to start early.

It can take considerable time and resources to collect the relevant evidence and to address the specific areas of the audit that apply to your type of organisation. BLS Stay Compliant regularly works with organisations on their DSPT audit, whether that is providing guidance, assisting with writing, or completing an audit. Visit our webpages for more information, or for more specific guidance, please do get in touch.
