Get DSPT-ready and pass your CAF-aligned audit with confidence
Facing a DSPT submission and not sure your evidence will survive a CAF-aligned audit? We are a Cyber Essentials certification body and a CREST-approved testing team, so your independent penetration test, your certificate, and an audit-ready report come from one partner. Get your fixed quote in 24 hours.
The DSPT changed, and it now expects a real penetration test
If your organisation handles NHS patient data, you complete the Data Security and Protection Toolkit (DSPT) every year. The DSPT has moved to the NCSC Cyber Assessment Framework (CAF) for NHS trusts, and from September 2025 for designated operators of essential services and genomics organisations, with wider supplier adoption expected. The CAF is outcome-based: it is no longer enough to tick a box; you have to show evidence that your security actually works. Its outcomes around vulnerability management and testing expect an independent penetration test carried out by an accredited provider.
As a Cyber Essentials and Cyber Essentials Plus certification body and a CREST-affiliated testing provider, we cover the security outcomes the DSPT and CAF care about from one team.
WHAT THE CAF EXPECTS
What the new DSPT expects on security, in plain English
The CAF-aligned DSPT scores outcomes, not checkboxes. These are the four security outcomes most suppliers need independent evidence for, in line with the NCSC Cyber Assessment Framework.
Independent penetration testing
The CAF expects you to test your defences and act on what you find. Our CREST team tests your applications, APIs and infrastructure by hand, against recognised standards, and scores every finding with CVSS.
Vulnerability management evidence
CAF outcome B4 wants proof you find and fix vulnerabilities on an ongoing basis. We give you a clear, prioritised remediation plan and confirm closure on retest.
Cyber Essentials and Cyber Essentials Plus
A current certificate remains a baseline expectation. As a certification body we assess and certify you directly, and we will tell you honestly which level your DSPT and contracts require.
An audit-ready evidence pack
An executive summary plus a technical report, written so your DSPT assessor or independent auditor can see exactly what was tested, what was found and what was fixed.
HOW WE GET YOU READY
From scoping to an audit-ready submission
One team, one timeline, from a fixed quote to written confirmation that your findings are closed, mapped to the relevant CAF outcomes.
Scope in 24 hours
Tell us your systems and your DSPT deadline. We return a fixed quote and scope within a day.
Certify
We assess your Cyber Essentials or Cyber Essentials Plus to sit alongside your test evidence.
Test by hand
Senior CREST testers run a focused assessment against the risks the CAF and NHS data demand.
Report for audit
You receive a CVSS-scored report mapped to the relevant CAF outcomes, ready for your DSPT submission.
Retest and confirm
We retest Critical and High findings and issue written confirmation of closure.
Frequently asked questions about the DSPT
Does the DSPT require a penetration test?
The DSPT now follows the NCSC Cyber Assessment Framework, whose outcomes on testing and vulnerability management expect an independent penetration test by an accredited provider. We deliver a CREST test and a report written for your DSPT submission. Get a fixed quote.
What changed when the DSPT moved to the CAF?
The DSPT shifted from a checklist to an outcome-based model. Instead of asserting that controls exist, you now show evidence that they work, including testing your systems and demonstrating you act on the findings. That makes independent penetration testing and clear remediation evidence far more important.
Is the DSPT mandatory?
In practice, yes, for any organisation that handles NHS patient data or connects to national NHS systems. A completed DSPT with a satisfactory standard is a common condition of NHS contracts and data-sharing agreements, so failing to complete it can stop you from winning or keeping the work.
Who has to complete the DSPT?
NHS organisations and the suppliers and processors that handle NHS patient data complete the DSPT annually. Many suppliers and higher-risk organisations also face an independent audit on an annual cycle.
How often must NHS suppliers complete the DSPT?
The DSPT is an annual assessment, so you complete and submit it once a year. Because the CAF-aligned outcomes expect testing and vulnerability management on an ongoing basis, most suppliers commission a penetration test at least once a year to keep their evidence current.
Do I need Cyber Essentials or Cyber Essentials Plus for the DSPT?
Cyber Essentials remains a baseline expectation, with Cyber Essentials Plus often required for higher-risk systems and certain contracts. We are a certification body for both and will advise honestly on the level you need.
How does the DSPT relate to NHS DTAC?
Think of it like driving in the UK. The DSPT is your driving licence: it assures that you, the organisation, are fit to handle NHS patient data, and you renew it every year. DTAC is the MOT for a specific vehicle: it assures that one product is fit for purpose before an NHS buyer adopts it. So the DSPT applies if your organisation handles NHS patient data, DTAC applies if you are putting a specific digital product in front of an NHS buyer, and both apply if you are doing the two together. They overlap on security evidence, and each expects an independent penetration test. We support suppliers with both. See our NHS DTAC penetration testing page.
What about DCB0129 and DCB0160?
Those are clinical risk management standards covering clinical safety, which is a separate discipline from cyber security. Our remit is the technical security evidence, penetration testing and Cyber Essentials. We are happy to point you in the right direction for clinical safety support.
TRANSPARENT PRICING
Transparent, fixed pricing
Your price is your scope in days, every tester senior or principal, at a flat day rate of around £1,200. No hidden sales process. See the full UK pen test pricing guide.
3 to 5 tester-days
A single application or external infrastructure test for a smaller NHS supplier, with a report written for your DSPT submission.
5 to 9 tester-days
Application, API and external infrastructure, plus Cyber Essentials or Cyber Essentials Plus and a remediation retest. The usual DSPT evidence pack.
9 to 14 tester-days
A multi-system estate with cloud and internal network in scope, for larger NHS suppliers facing an independent audit.
The price is fixed and agreed before we start. The quote is free and there is no obligation to proceed, and a CREST tester replies within 24 hours.
Get my exact quote in 24h
DELIVERABLES
What you get
Not a scanner export. A clear evidence pack your DSPT assessor can read, mapped to the outcomes the CAF cares about.
Technical report with CVSS-rated findings
Every issue rated, evidenced and reproducible, in the format your engineers and DSPT assessor expect.
Plain-English executive summary
The business risk in language your board and your NHS buyer can read without a translator.
Findings mapped to CAF outcomes
Each result tied back to the relevant testing and vulnerability management outcomes, so your submission writes itself.
Prioritised remediation guidance
What to fix first for the biggest reduction in risk, with practical, tested advice.
A live debrief call with the tester
Time with the person who did the work, to walk your team through every finding.
A free retest of every fix
We re-test everything you remediate, at no extra cost, so you can prove it is closed.
“Thorough, well-documented and actionable findings, methodical and aligned with industry best practices.”
– IT Director, International Property Group
20+ CREST-certified testing services in one place
Web, mobile, API, cloud, AI, infrastructure, red team. Pick the test that fits your environment.
Get your DSPT evidence ready before the deadline
The CAF-aligned DSPT expects a real penetration test, and audit deadlines do not move. Lock in a fixed quote in 24 hours.