
Do I Need an Independent Audit as Part of My DSPT Submission?

Yes — an independent external audit is now mandatory for specific organisations as part of their Data Security and Protection Toolkit (DSPT) submission.

Organisations that must undergo an annual audit include:

  • NHS Trusts
  • Integrated Care Boards (ICBs)
  • Commissioning Support Units (CSUs)
  • Arm’s Length Bodies (ALBs)
  • IT Suppliers that have 50+ staff and turnover exceeding £10 million, and that provide software or services to the NHS

These entities are part of the national critical infrastructure and handle significant volumes of sensitive patient data. As such, NHS England requires that their DSPT self-assessments are validated through independent audit against CAF-based information governance and cyber security controls.

If your organisation falls within these categories, both the DSPT submission and independent audit must be completed by 30th June each year.

At BLS Stay Compliant, audits commence in January, allowing sufficient time to implement recommendations ahead of the deadline. Early preparation ensures accuracy, compliance confidence, and uninterrupted access to NHS systems.
