Everything you need to know


What is the NHS DSPT?

The NHS Data Security and Protection Toolkit (DSPT) is a required self-assessment for every organisation that has access to UK NHS patient data, including organisations that use NHSmail and the e-referral service.

Required evidence falls under the following categories:

  • Staffing and Roles
  • Policies and Procedures
  • Data Security
  • IT Systems and Devices

What are the possible DSPT assessment results?

Approaching Standards

Your organisation will achieve ‘Approaching Standards’ when you have completed all the mandatory evidence items.

Standards Met

If you complete all evidence items, your organisation will achieve ‘Standards Met.’

Standards Exceeded

If your organisation achieves Standards Met and has a current Cyber Essentials Plus certification recorded in its organisation profile, its status will show as ‘Standards Exceeded’.

What are the DSPT evidence assertions?

1.1 The organisation has a framework in place to support Lawfulness, Fairness and Transparency

1.2 Individuals’ rights are respected and supported

1.3 Accountability and Governance in place for data protection and data security

1.4 Records are maintained appropriately

2.1 Staff are supported in understanding their obligations under the National Data Guardian’s Data Security Standards

3.1 There has been an assessment of data security and protection training needs across the organisation

3.2 Staff pass the data security and protection mandatory test

3.3 Staff with specialist roles receive data security and protection training suitable to their role

3.4 Leaders and board members receive suitable data protection and security training

4.1 The organisation maintains a current record of staff and their roles

4.2 The organisation assures good management and maintenance of identity and access control for its networks and information systems

4.3 All staff understand that their activities on IT systems will be monitored and recorded for security purposes

4.4 You closely manage privileged user access to networks and information systems supporting the essential service

4.5 You ensure your passwords are suitable for the information you are protecting

5.1 Process reviews are held at least once per year where data security is put at risk and following data security incidents

5.2 Participation in reviews is comprehensive, and clinicians are actively involved

5.3 Action is taken to address problem processes as a result of feedback at meetings or in year

6.1 A confidential system for reporting data security and protection breaches and near misses is in place and actively used

6.2 All user devices are subject to anti-virus protections while email services benefit from spam filtering and protection deployed at the corporate gateway

6.3 Known vulnerabilities are acted on based on advice from NHS Digital, and lessons are learned from previous incidents and near misses

7.1 Organisations have a defined, planned and communicated response to data security incidents that impact sensitive information or key operational services

7.2 There is an effective test of the continuity plan and disaster recovery plan for data security incidents

7.3 You have the capability to enact your incident response plan, including effective limitation of impact on your essential service. During an incident, you have access to timely information on which to base your response decisions

8.1 All software and hardware has been surveyed to understand if it is supported and up to date

8.2 Unsupported software and hardware is categorised and documented, and data security risks are identified and managed

8.3 Unsupported software and hardware is categorised and documented, and data security risks are identified and managed

8.4 You manage known vulnerabilities in your network and information systems to prevent disruption of the essential service

9.1 All networking components have had their default passwords changed

9.2 A penetration test has been scoped and undertaken

9.3 Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities

9.4 You have demonstrable confidence in the effectiveness of the security of your technology, people, and processes relevant to essential services

9.5 You securely configure the network and information systems that support the delivery of essential services

9.6 The organisation is protected by a well-managed firewall

10.1 The organisation can name its suppliers, the products and services they deliver and the contract durations

10.2 Basic due diligence has been undertaken against each supplier that handles personal information

10.3 All disputes between the organisation and its suppliers have been recorded and any risks posed to data security have been documented

10.4 All instances where organisations cannot comply with the NDG Standards because of supplier-related issues are recorded and discussed at board

10.5 The organisation understands and manages security risks to networks and information systems from your supply chain
