NHS Data Security and Protection Toolkit

Demonstrate that your organisation can be trusted with all personal data and information assets

Keeping patient data safe

The Data Security and Protection (DSP) Toolkit replaced the Information Governance (IG) Toolkit in April 2018. Produced by NHS Digital, it is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s (NDG) 10 data security standards. The move to the DSP Toolkit was driven by changing regulation, namely the EU GDPR, by the changing threat landscape, and by the desire to shift to a continuous improvement model. The NDG’s review made the underlying point clear: it is all about trust.

All organisations that have access to NHS patient data and systems must use the DSP Toolkit to provide assurance that they are practising good data security and that personal information is handled correctly. The DSP Toolkit makes continual reference to the Information Commissioner’s Office (ICO) expectations for meeting the requirements of GDPR, so organisations would be wise to follow the ICO’s seven self-assessment checklists, available free of charge on the ICO website.

The DSP Toolkit Leadership Obligations include checking the certification held by any supplier of IT systems. Depending on the nature and criticality of the service provided, acceptable evidence ranges from basic certifications such as Cyber Essentials through to ISO 27001:2013 certification.

Read our free guide to achieving ISO 27001 first time

Beyond a simple declaration to demonstrating sound information security practices that protect all your data

Responses to the DSP Toolkit are uploaded to an online portal. The assurances offered in that response are, in effect, a promise: a warranty that the requirements have been met. Arguably, it could become a ‘click-and-forget’ exercise.

That is why stakeholders seek additional assurance that organisations can demonstrate good information security practices. They need to be confident that they can trust your organisation’s Information Governance, and in many cases will look for certifications to demonstrate that you are living and breathing information security management in practice.

Cyber Essentials, whilst a useful entry-level security certification, is not enough to cover the mandatory requirements. The basic tier is a self-assessment questionnaire (only Cyber Essentials Plus adds independent technical verification), so it is not an externally audited certification in the way ISO 27001 is and does not offer the highest levels of trust.

A UKAS-accredited ISO 27001:2013 certification, covering the relevant scope and coupled with a meaningful way to demonstrate GDPR compliance, will go a long way to meeting the requirements of the DSP Toolkit.

Holding ISO 27001 certification earns exemptions from parts of the DSP Toolkit, and it also demonstrates good security hygiene that protects all the organisation’s valuable information assets, not just patient data.

It provides the greatest level of trust to all your valuable stakeholders.

However, as NHS Digital identified, no single framework will cover all your data security and protection responsibilities. The EU GDPR and the Network and Information Systems Regulations 2018 (NIS Regulations) have also increased the legislative data security and protection requirements on health and care organisations.

Demonstrating that you can meet the requirements in these key areas will go a long way towards addressing the DSP Toolkit.

EU GDPR

Follow the ICO’s 7 checklists for GDPR to ensure you can describe and demonstrate compliance.

ISO 27001:2013

Maximise your DSP Toolkit exemptions and protect all your valuable information assets.

NIS Regulations

Meet your obligations under the new NIS Regulations 2018.

Demonstrating compliance across multiple frameworks can be complex, time-consuming and costly. Streamlining your approach makes perfect sense: it will cut out duplication and repetition, and help you achieve your goals faster.

See how simple it is with ISMS.online

Great news! ISMS.online makes light work of compliance with multiple frameworks.

Link together the requirements of the DSP Toolkit, EU GDPR (the ICO 7 checklist approach), NIS Regulations and ISO 27001 to eliminate duplication. ISMS.online provides one place to demonstrate compliance with them all. In fact, for GDPR we have already mapped the relevant requirements to ISO 27001 for you, and we have given you a head start with materials you can Adopt, Adapt or Add to speed up your preparation for both.

Using our powerful tools to manage risk and other common work processes will reduce management time and ensure everything is captured in one secure, UKAS ISO 27001 certified, ‘always-on’ environment. We simply add your DSP Toolkit and NIS frameworks as required, and you are ready to streamline all your information security and data protection work in one place. You can even cover ISO 9001 and Cyber Essentials with ISMS.online.


Why duplicate these essential work processes?

Easily demonstrate you have it covered in ISMS.online

  • Policy management and governance
  • Risk management tools
  • Information Asset Register
  • Supply chain/vendor management
  • Incident management
  • Staff communications, training and engagement
  • Corrective actions and improvements
  • Ability to link to ISO 27001:2013 Policies & Annex A controls
  • Internal and external audit management
  • KPIs, management reviews and reporting
  • Full collaboration functionality for team working
  • Business continuity planning

We’re more affordable than you’d think

Platform features

Disconnected templates and toolkits supported by an expensive consultant just don’t cut it anymore. You need an ISMS that works for you both now and as your business grows.