DSPT evidence that actually maps to controls

The Data Security and Protection Toolkit (DSPT) is a self-assessment, but inspections are increasingly evidence-led. The difference between a submission that survives scrutiny and one that doesn't is whether each assertion is backed by a real, current control — not a screenshot from last year.

The shift from self-assessment to evidence

NHS England and the ICO are aligning their expectations. A DSPT 'Standards Met' status no longer ends the conversation — auditors and commissioners increasingly ask to see the evidence behind the assertions, especially for the ten National Data Guardian standards.

Organisations that prepared their DSPT as a paperwork exercise tend to fail this scrutiny, even when their underlying controls are actually adequate. The fix is to maintain a control-to-evidence map year-round rather than reconstructing it at submission time.

What inspectors actually look for

The questions are predictable. Have you mapped your data flows? Can you show the last 12 months of access reviews? Do you have evidence that patches were applied within the policy SLA? Is there a current incident response runbook with a recent tabletop exercise log?

  • Asset and data-flow inventory — current, owned, dated within 12 months.
  • Access reviews — quarterly evidence, signed off by an information asset owner.
  • Vulnerability and patch evidence — scanner output plus remediation tickets.
  • Training completion records — per role, with refresher cadence.
  • Supplier assurance — DSPT or equivalent for every data processor.
  • Incident log and tabletop exercise records from the last 12 months.

Mapping evidence to controls

The most reliable approach is a single spreadsheet (or GRC tool) that lists each DSPT assertion against the underlying technical or organisational control, the system that produces the evidence, the owner, and the date last verified. Inspections then become a matter of exporting the current evidence rather than scrambling.

  • Treat DSPT as a continuous control programme, not an annual form.
  • Pull vulnerability and patch evidence directly from your VM platform — manual screenshots age badly.
  • Don't reuse last year's evidence without re-validation — auditors check dates.
  • Don't assert 'Standards Met' for controls you cannot evidence on demand.
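The map described above can be checked mechanically before submission. The following is an added example, not code from the original article: it reads a constructed CSV export of such a map and flags the entries an inspector would challenge, using assumed column names and per-row verification cadences (365 days for annual items, 90 for quarterly access reviews, 30 for patch evidence).

```python
"""Freshness and ownership checker for a DSPT control-to-evidence map.

Added illustration, not part of the original article. Column names, sample
rows and the cadence values are assumptions based on the map the article
describes (assertion, control, evidence system, owner, date last verified).
"""
import csv
import io
from datetime import date

# Constructed sample export; in practice this comes from the spreadsheet or GRC tool.
SAMPLE_CSV = """\
assertion,control,evidence_system,owner,last_verified,cadence_days
1.1 data-flow mapping,Asset and data-flow inventory,CMDB export,IAO - Pathology,2024-01-15,365
4.2 access reviews,Quarterly access review,IdP access-review report,IAO - EPR,2024-09-30,90
8.3 patching,Patch SLA compliance,VM platform report,Infra lead,2025-02-01,30
7.2 incident response,Tabletop exercise,IR log,,2024-03-10,365
"""


def check_evidence_map(csv_text, today_iso):
    """Return (assertion, finding) pairs for rows an inspector would challenge:
    no named owner, no valid verification date, or evidence older than the
    row's own cadence. today_iso is the inspection date as YYYY-MM-DD."""
    today = date.fromisoformat(today_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        assertion = row["assertion"]
        if not row["owner"].strip():
            findings.append((assertion, "no named owner"))
        try:
            verified = date.fromisoformat(row["last_verified"])
        except ValueError:
            findings.append((assertion, "no valid last_verified date"))
            continue  # cannot assess age without a date
        age = (today - verified).days
        cadence = int(row["cadence_days"])
        if age > cadence:
            findings.append(
                (assertion, f"evidence {age} days old, exceeds {cadence}-day cadence")
            )
    return findings


if __name__ == "__main__":
    for assertion, finding in check_evidence_map(SAMPLE_CSV, "2025-03-01"):
        print(f"{assertion}: {finding}")
```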

Surviving an inspection

When a CQC inspection or ICO enquiry lands, the organisations that fare best are the ones that can answer evidence requests within hours, not weeks. That is purely a function of operational discipline — keeping the evidence map current, automating what can be automated, and assigning clear ownership for each control.

Key takeaways

  • DSPT is increasingly evidence-led, not paperwork-led.
  • Maintain a control-to-evidence map year-round.
  • Automate evidence collection where possible — manual screenshots age.
  • Inspection readiness is operational discipline, not a once-a-year project.