How is your organisation planning to manage the transition to CAF-aligned DSPT compliance?
In September 2024, NHS England’s Data Security and Protection Toolkit (DSPT) adopted the National Cyber Security Centre’s Cyber Assessment Framework (CAF) as the foundation for cyber security and information governance (IG) assurance. This shift means that NHS Trusts, Clinical Commissioning Groups (CCGs), Arm’s Length Bodies (ALBs), and Integrated Care Boards (ICBs) now face new compliance requirements, with a revised framework structured around ‘Objectives,’ ‘Principles,’ and ‘Outcomes’. Organisations are now required to self-assess their compliance with each outcome, using Indicators of Good Practice (IGPs) as a guide. The submission process to NHS England remains unchanged, with national assurance still involving both independent audits of self-assessments and national sampling audits.
In response, ITHealth has introduced an advanced CAF-DSPT workflow module within its ITHealth Dashboard, designed to support NHS IT and IG teams in navigating these new standards with ease. This module addresses the need for efficient compliance tracking, offering a comprehensive solution for task delegation, real-time monitoring, and seamless audit preparation.
Enhancing compliance efficiency with the ITHealth CAF-DSPT workflow
The new module simplifies the compliance process through an intuitive, checkbox-based workflow system. IT and IG teams can delegate each Indicator of Good Practice within the CAF-DSPT framework to specific team members – whether an internal ITHealth Dashboard user or external member. By organising responsibilities and monitoring individual progress, the module ensures that each Indicator of Good Practice (IGP) is addressed effectively, allowing teams to systematically meet the criteria for each contributing outcome and overall Principle. This approach not only enhances accountability, but also ensures that all necessary components are thoroughly reviewed, ultimately strengthening compliance with the overarching CAF-DSPT standards.
Key features of the new module include:
► Streamlined task assignment: Tasks can be assigned per IGP, allowing delegation to both internal and external users as needed. This enables clear accountability for each compliance area and ensures that no critical step is overlooked.
► Real-time compliance tracking: Monitor progress against each Objective, Principle and Contributing Outcome with a summary matrix that provides a comprehensive overview of compliance status, including updates on ‘Last Reviewed,’ ‘Reviewed by’ and ‘Approved’ dates.
► Facilitate audits with reliable records: Simplify the audit process by granting auditors direct access to comprehensive data and compliance notes, ensuring transparency and keeping your organisation audit-ready.
► Seamless integration with previous DSPT submissions: Easily access, reference, and map supporting notes and evidence, where applicable, from DSPT v6 submissions into the new CAF-DSPT v7 framework, ensuring continuity and reducing manual effort.
► Supporting statements made simple: The module auto-generates supporting statements for each contributing outcome, based on notes provided by assigned owners for each IGP, simplifying uploads to the NHS portal.
► User-specific view of assigned IGPs: Quickly view assigned IGPs per user, complete with compliance status and update history, plus automated email templates for progress updates or reminders.
► Quick reference to CAF guidance: The module includes quick links to view CAF guidance and example evidence for each contributing outcome.
Fig. 1. The Matrix Summary within the new CAF-DSPT module of the ITHealth Dashboard.
Distinct advantages of the ITHealth CAF-DSPT workflow module
This new module provides a level of workflow management that exceeds what is available on the official DSPT-CAF toolkit portal, adding value by organising the complex compliance requirements into an accessible, user-friendly system. From assigning responsibilities to tracking compliance progress, this module is specifically designed to alleviate the workload on NHS IT and IG teams, so they can focus on the bigger picture: ensuring their organisation’s cyber security and IG readiness.
The ITHealth Dashboard continues to be a trusted platform for NHS security and compliance management, and with the addition of the CAF-DSPT workflow module, it now offers even greater support for teams looking to streamline their compliance processes.
For NHS IT and IG teams aiming to stay ahead in the fast-evolving compliance landscape, this tool provides an invaluable resource for managing CAF-aligned DSPT standards efficiently.
Fig. 2. Contributing outcome view by IGPs – shows assigned users, response notes, compliance status, and auto-generated outcome summary.
About the ITHealth Dashboard
The ITHealth Dashboard is specifically designed for NHS IT, providing unified security visibility for all IT, IoT, IoMT, and OT assets—both on and off the network. Used by over 150 NHS organisations, it ensures compliance with local and national regulations and offers both agentless and agent-based scanning for complete visibility of all assets, including legacy systems and unmanaged equipment.