Supplying digital products or services to the NHS is no longer just about functionality, uptime, and integration. You are part of a highly targeted supply chain, and NHS organisations increasingly expect clear assurance that your security controls are effective, repeatable, and evidenced.
For larger IT suppliers, that assurance includes a mandatory independent audit as part of the DSPT submission. This guide explains who is in scope, what the audit focuses on, and how to build an evidence trail that stands up to scrutiny.
Key points at a glance:
- The DSPT is an NHS self-assessment used to demonstrate alignment with the National Data Guardian’s data security standards.
- Larger suppliers that meet the IT Supplier criteria should be prepared for an independent audit as part of DSPT.
- The audit focuses on a defined set of mandatory assertions for 2025/26, so you can plan evidence collection early.
- A strong submission is less about writing and more about proving controls through practical evidence.
1) Are you in scope as a Category 2 NHS IT supplier?
The DSPT uses organisation types and evidence levels to match requirements to risk and scale. For suppliers, the simplest way to sense-check your position is to confirm whether you fall into the IT Supplier category.
You are typically treated as an IT supplier if you meet all of the following:
- You supply digital goods or services into health and social care.
- You have 50 or more staff.
- You have £10m or more turnover.
If you do not meet all criteria, you may be assessed under a different organisation type, which can change the evidence expectations.
Scoping note: Your DSPT scope should focus on the services, systems, and processes involved in handling health and care data, rather than every dataset and internal function across the whole business. Clear scoping reduces audit friction and prevents evidence bloat.
2) What matters in 2025/26 for suppliers?
The biggest practical change for many suppliers is not the paperwork; it is the expectation of demonstrable assurance. That means you should assume auditors will look beyond “policy exists” and ask, “Does this operate day to day?”
In 2025/26, the independent audit requirement remains in place for in-scope IT suppliers, and the audit scope is defined by a list of mandatory assertions. Your aim is to map those assertions to real, current evidence, then address any gaps early enough that you are not rushing remediation close to submission time.
3) What the independent audit must cover: the 12 mandatory assertions
The 2025/26 supplier audit focuses on a specific set of mandatory assertions. A useful way to handle these is to group them into themes that align to internal ownership across security, IT operations, leadership, and service delivery.
A) Governance and accountability
- Accountability and governance for data protection and data security.
What “good” looks like: named owners, clear reporting lines, security risk visibility at the senior level, and evidence that governance meets routinely and drives actions.
B) Identity, access, and privileged control
- Identity and access control management.
- Privileged user access is tightly controlled.
What “good” looks like: joiner, mover, and leaver processes; strong authentication; regular access reviews; separation of admin accounts; and tight controls around elevated access.
C) Incident reporting and learning
- Confidential reporting for breaches and near misses.
- Vulnerabilities acted upon and lessons learned from incidents and near misses.
What “good” looks like: a culture and mechanism for reporting, plus proof that you learn and improve through post-incident actions, not just documentation.
D) Resilience and response capability
- Continuity and disaster recovery testing for security incidents.
- Ability to enact incident response, limit impact, and make timely decisions.
What “good” looks like: tested recovery processes, documented exercises, and clear decision-making during incidents.
E) Vulnerability and patch management
- Systems kept up-to-date with security patches.
- Known vulnerabilities managed to prevent disruption.
- Protection from exploitation of known vulnerabilities.
What “good” looks like: regular scanning, risk-based prioritisation, patching timelines, exception handling, and verifiable closure of high-risk findings.
F) Network protection and supplier visibility
- Well-managed firewall.
- Supplier register listing products or services delivered and contract durations.
What “good” looks like: controlled change processes for firewall rules, periodic reviews, and a complete supplier register that reflects real dependencies, not just major vendors.
4) How independent audits typically run
While each auditor may approach fieldwork slightly differently, most independent audits follow a familiar pattern:
- Scoping and planning: confirm what is in scope, which services handle health and care data, and what boundaries apply.
- Evidence review: assess policies, procedures, records, and artefacts for completeness, consistency, and relevance.
- Validation: sample testing, interviews, and technical proof points confirm controls operate in practice.
- Reporting and close-out: document findings, highlight non-conformities or improvement areas, and confirm what is required for submission.
The smoother your evidence, the faster the audit. If an auditor has to interpret what you meant, chase screenshots, or reconcile inconsistent statements, the process slows and the chance of uncomfortable late findings increases.
5) Build an audit-ready evidence pack
Instead of collecting documents ad hoc, build an evidence pack that mirrors the audit themes. This makes it easy to share, easy to validate internally, and easy for auditors to navigate.
Evidence pack section 1: Governance and accountability:
- Security governance structure and responsibilities.
- Risk register extracts relevant to NHS-facing services.
- Leadership reporting examples (security updates, risk summaries, action tracking).
Evidence pack section 2: Access and privileged control:
- Joiner, mover, and leaver workflow with timestamps and approvals.
- Authentication and access control configurations.
- Privileged access approach, approvals, and regular reviews.
- Evidence of access review outcomes and removals.
Evidence pack section 3: Vulnerability and patch discipline:
- Vulnerability scanning outputs with remediation tracking.
- Patch management reports aligned to defined timelines.
- Exception process and compensating controls.
- Evidence of verification (how you confirm remediation worked).
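The patching assertions in theme E and this evidence section both come down to the same question: for every finding, can you show when it was found, when it was fixed, whether the fix was verified, and whether any open item is covered by an approved exception. The script below is an added illustration, not code from the page or from the DSPT; the severity deadlines, the finding records and the report date are constructed placeholders, and "closed-unverified" is flagged separately because a fix without rescan evidence does not satisfy "verifiable closure".

```python
# Added example: classify findings against assumed remediation deadlines so the output can serve as tracking evidence.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Placeholder remediation targets in days; replace with your documented timelines.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

@dataclass
class Finding:
    finding_id: str
    severity: str
    found: date
    closed: Optional[date] = None           # date the patch/fix was applied
    verified: Optional[date] = None         # date a rescan confirmed the fix
    exception_until: Optional[date] = None  # expiry of an approved risk exception

def classify(f: Finding, as_of: date) -> str:
    """Audit status of one finding as of the report date."""
    deadline = f.found + timedelta(days=SLA_DAYS[f.severity])
    if f.closed is not None:
        if f.verified is None:
            return "closed-unverified"   # fixed, but no rescan evidence yet
        return "closed-on-time" if f.closed <= deadline else "closed-late"
    if f.exception_until is not None and f.exception_until >= as_of:
        return "excepted"                # open under a live, approved exception
    return "overdue" if as_of > deadline else "open-within-sla"

def summarise(findings, as_of: date) -> dict:
    """Count findings per status: the summary table an auditor would expect to see."""
    counts: dict = {}
    for f in findings:
        status = classify(f, as_of)
        counts[status] = counts.get(status, 0) + 1
    return counts

# Constructed sample data, not real scan output.
SAMPLE = [
    Finding("F-001", "critical", date(2025, 9, 1), closed=date(2025, 9, 10), verified=date(2025, 9, 11)),
    Finding("F-002", "high", date(2025, 8, 1), closed=date(2025, 9, 20), verified=date(2025, 9, 21)),
    Finding("F-003", "high", date(2025, 9, 15), closed=date(2025, 9, 20)),
    Finding("F-004", "critical", date(2025, 8, 20), exception_until=date(2025, 12, 31)),
    Finding("F-005", "medium", date(2025, 9, 25)),
    Finding("F-006", "critical", date(2025, 9, 1)),
]
AS_OF = date(2025, 10, 1)

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.finding_id, f.severity, classify(f, AS_OF))
    print(summarise(SAMPLE, AS_OF))
```

Run against a real export, the per-finding lines give the closure trail and the summary gives the headline figures; anything in "overdue" or "closed-unverified" is what an auditor will ask about first.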
Evidence pack section 4: Incidents and learning:
- Incident response plan and escalation routes.
- Logs or tickets showing near misses and incidents (redacted as needed).
- Post-incident review records and action completion proof.
Evidence pack section 5: Resilience and recovery:
- DR plan and recovery targets.
- Restore testing records and outcomes.
- Evidence that security incident scenarios are tested, not just hardware failure.
Evidence pack section 6: Network controls and supplier register:
- Firewall change control process, approvals, and periodic rule reviews.
- Supplier register with services delivered, contract durations, and key dependencies.
6) Common pitfalls that slow down audits
- Misclassification or unclear scoping, causing evidence to be too broad or irrelevant.
- Policies without operational proof (no tickets, logs, reviews, or testing records).
- Disaster recovery plans that have not been tested recently.
- Vulnerability scanning without prioritisation or closure evidence.
- An incomplete supplier register that misses subcontractors, cloud dependencies, or service providers.
7) A sensible timeline to avoid last-minute stress
To avoid a rush near submission, work backwards from your internal deadline and plan around evidence creation and remediation lead times.
A sensible approach:
- 10 to 12 weeks out: confirm scope, map evidence to assertions, launch gap remediation.
- 8 to 10 weeks out: evidence pack assembled, internal review, fix easy gaps.
- 6 to 8 weeks out: audit fieldwork and follow-up questions.
- 4 to 6 weeks out: close findings, finalise reporting, prepare submission artefacts.
- Ongoing: keep evidence current (access reviews, patch reporting, incident exercises).
Even if your business has strong controls, the key is consistency. Auditors are looking for repeatable practice, not a one-off sprint.
8) How Creative Networks can support your DSPT audit readiness
If you are preparing for the DSPT independent audit as an in-scope NHS IT supplier, the fastest route to confidence is an evidence-led readiness approach.
Creative Networks can help with:
- DSPT readiness support and evidence pack preparation.
- Gap assessments across access control, vulnerability management, incident response, and resilience.
- Practical remediation planning to close findings before audit.
- Ongoing security operations support that keeps evidence “live” throughout the year.
Final thoughts
Treat the 2025/26 DSPT independent audit as a chance to strengthen operational discipline, not just pass a compliance milestone. If your access, vulnerability management, incident response, and resilience controls are genuinely working and well-evidenced, the audit becomes a confirmation exercise rather than a scramble.