The Data Security and Protection Toolkit (DSPT) is an online tool that healthcare organisations can use to measure their performance against the Department of Health and Social Care’s (DHSC) data security and information governance requirements. The DSPT Standard has been reviewed for 2020-21 and is being implemented from 1 October 2020. But what does this mean for you, and how can CRIBB Cyber Security help? Read on to find out more about the DSP Toolkit.

Who is the toolkit for?

One DHSC requirement stipulates that any organisation with access to NHS patient data and systems must use the Toolkit. This is to show that all information is handled in the correct manner, and it also demonstrates that the organisation has a dedicated approach to data security. There are four categories of organisation:

1 – NHS Trusts (Foundation, Acute, Ambulance, Mental Health, Community, Care Trusts)

2 – Arm’s Length Bodies, CCGs and CSUs

3 – AQP Clinical & Non-Clinical Services; Care Homes; Charities & Hospices; NHS & Private Dentists; Domiciliary Care Organisations; Local Authorities; NHS Business Partners; Opticians; Pharmacies; Prisons; Researchers; Secondary Use Organisations; Universities

4 – GP Practices

Top Tip

You must demonstrate compliance with the new data security and information governance requirements by 31 March 2021. The experts at CRIBB Cyber Security have an in-depth knowledge of the healthcare sector that is second-to-none. Contact us today and we can complete the DSPT online assessment on your behalf. Or, we can help you to successfully navigate through it, getting you closer to total cyber resilience.

Changes to the DSP Toolkit

These have been implemented in direct response to user feedback and lessons learnt during the DSPT’s second year. The changes are also due to new mandatory requirements:

You must install antivirus / anti-malware software on all internet-connected devices

Regular data backups must also be performed

Other crucial new developments revolve around annual IT penetration testing. Cyber Essentials will also be a mandatory element in the 2020-21 period.

Cyber Essentials & Cyber Essentials Plus

What is Cyber Essentials?

It is a set of five baseline technical controls established by the UK government as a way of assisting organisations and companies of all sizes with their cyber security defences. The scheme is designed to address common forms of internet-based attacks that can be carried out without great skill. Embracing it is also a good demonstration of your overall commitment to becoming cyber resilient and maintaining strong data integrity.

The 5 controls:

1 – Secure configuration

2 – Boundary firewalls & internet gateways

3 – Access control & administrative privilege management

4 – Patch management

5 – Malware protection

Cyber Essentials is a self-assessment certification which is independently verified; for those seeking a more robust solution, however, there is always Cyber Essentials PLUS…

What is Cyber Essentials PLUS?

PLUS requires internal and external tests of networks and computers, along with a visit to your site(s), and offers a much higher degree of assurance than the more basic Cyber Essentials scheme. Those certified under the PLUS scheme are also exempt from the penetration test requirements.

Find out more about cyber security certifications.

Who are CRIBB Cyber Security?

As an IASME Consortium Gold Certified Company, CRIBB Cyber Security is an official certification body that can help you with both Cyber Essentials and Cyber Essentials PLUS certification.

Our certification programmes are all backed up by HP, the MoD and Cisco, and our experts have worked alongside the IASME Consortium to deliver Cyber Essentials and Cyber Essentials PLUS to clients in healthcare for many years.

In April 2020, our long-term faith in IASME was fully justified when they were announced as being the National Cyber Security Centre’s (NCSC) sole Cyber Essentials partner.

We can help you with penetration testing, vulnerability testing, completion of the DSP Toolkit online assessment, CE and CE PLUS – get in touch to take your first steps along theICEway.

We enable theICEway ecosystem of companies to adopt a security by design approach from the outset, with a simple yet effective mantra: Be careful – Be defensive – Be compliant – Be Secure.
Arm’s Length Bodies – These establish national standards, regulate the health and social care system, protect patients and provide central services to the NHS

CCGs – Clinical Commissioning Groups; these are responsible for planning and purchasing NHS services and designing local health services

CSUs – Commissioning Support Units; these are responsible for supporting CCGs with the administration and performance of their functions

AQP Clinical & Non-Clinical Services – Any Qualified Provider; these currently include musculoskeletal services for neck and back pain, adult hearing aid services, continence services, diagnostic tests, wheelchair services, podiatry services, venous leg ulcer and wound healing, and adult primary care psychological therapies