April 16, 2026

ISO 27001 and DSPT v8: Map Evidence Faster

If your organisation already holds ISO 27001:2022 certification, the DSPT v8 submission due by 30 June 2026 should take weeks, not months. The toolkit recognises your certificate and auto-completes applicable evidence items. But "applicable" is doing a lot of work in that sentence.

ISO 27001:2022 covers information security management. DSPT v8 covers that plus NHS-specific data handling, Caldicott principles, and health records management. The overlap is substantial, but the gaps are specific to NHS data governance and predictable if you know where to look. This guide maps both, control by control, so you can focus your effort where it actually matters.

Why a DSPT v8 submission still requires work when you hold ISO 27001

The DSPT toolkit has accepted ISO 27001 certificates since version 5.3 in December 2018. NHS England's FAQ states that "where a Company or Arms-Length Body holds ISO 27001 with a scope encompassing ALL health and care data processing, applicable evidence items will be marked as complete" (dsptoolkit.nhs.uk).

Two conditions limit that auto-completion. First, the certificate scope must cover all health and care data processing, not just the IT department or a single product line. If your Statement of Applicability excludes any systems that touch NHS data, the auto-completion will not apply to those areas.

Second, auto-completion covers the information security evidence items. It does not cover the NHS-specific requirements under Objective E, which deal with transparency, patient rights, Caldicott principles, and records management. These have no equivalent in ISO 27001:2022 because they are specific to health and care data governance in England.

The NHS Strengthening Assurance Framework confirms that "if an organisation already has ISO 27001 or Cyber Essentials+ certification, it will reduce the scope of your audit" (NHS England, 2024). The scope of audit is reduced, but several NHS-specific requirements remain.

What DSPT v8 actually assesses

DSPT v8 aligns to the NCSC Cyber Assessment Framework (CAF) v3.4. It is structured around five objectives:

  • Objective A: Managing security risk
  • Objective B: Protecting against cyber attack
  • Objective C: Detecting cyber security events
  • Objective D: Minimising the impact of cyber security incidents
  • Objective E: Using and sharing information appropriately (NHS-specific)

Across these objectives sit 47 contributing outcomes. Thirty-nine come directly from the CAF. Eight are health-sector additions under Objective E (NHS England, DSPT v8 technical documentation, dsptoolkit.nhs.uk).

For Category 2 and 3 IT suppliers, the practical interface consists of 12 mandatory assertions backed by approximately 42 mandatory evidence items. Your ISO 27001:2022 certificate can satisfy a significant portion of these, provided the scope condition is met.

For the full structural breakdown, see our DSPT v8 requirements guide.

Where ISO 27001:2022 evidence satisfies DSPT v8 requirements

No official NHS control-by-control mapping document exists between ISO 27001:2022 and DSPT v8. The following analysis is based on ISO/IEC 27001:2022 Annex A controls (ISO, 2022) and DSPT v8 evidence items published by NHS England (dsptoolkit.nhs.uk, 2025).

The overlap is strongest across Objectives A through D. Where an ISO 27001:2022 Annex A control or ISMS clause directly addresses the same security domain as a DSPT v8 evidence area, your existing evidence should transfer with minimal rework.

Governance and leadership

DSPT v8 requires board-level accountability for data security and documented security policies. ISO 27001:2022 Annex A controls A.5.1 (information security policies), A.5.2 (information security roles), and A.5.4 (management responsibilities) map directly. Your ISMS governance documentation, management review minutes, and policy framework should satisfy these items with little adaptation.

Risk management

DSPT v8's risk assessment requirements align closely with ISO 27001:2022 clause 6.1 (actions to address risks), clause 8.2 (information security risk assessment), and Annex A controls A.5.7 (threat intelligence) and A.8.8 (management of technical vulnerabilities). If your risk register and treatment plan cover health data systems, this area transfers cleanly.

Asset management

Annex A controls A.5.9 through A.5.13 cover inventory of information assets, acceptable use, return of assets, classification, and labelling. DSPT v8 requires equivalent asset visibility, so the overlap here is strong.

Identity and access control

A.5.15 through A.5.18 (access control policy, identity management, authentication, access rights) plus A.8.2 (privileged access), A.8.3 (information access restriction), and A.8.5 (secure authentication) cover most DSPT v8 access control evidence items. One significant exception exists around multi-factor authentication, covered in detail below.

Data security and encryption

A.8.11 (data masking), A.8.12 (data leakage prevention), and A.8.24 (use of cryptography) align well with DSPT v8 encryption and data protection requirements. Your encryption policies, key management procedures, and data-in-transit controls should map across.

System security and patching

A.8.8 (management of technical vulnerabilities), A.8.9 (configuration management), A.8.19 (installation of software), and A.8.32 (change management) address the patching and system hardening requirements in DSPT v8. If your vulnerability management programme includes health-facing systems, the evidence transfers.

Business continuity

A.5.29 (information security during disruption), A.5.30 (ICT readiness for business continuity), A.8.13 (information backup), and A.8.14 (redundancy of information processing facilities) cover DSPT v8's continuity and resilience requirements.

Incident management

A.5.24 through A.5.27 cover incident management planning, assessment, response, and learning from incidents. DSPT v8 requires documented incident response procedures and evidence of testing. Your ISO 27001:2022 incident management process should satisfy this, provided it includes NHS notification requirements.

Supply chain security

A.5.19 through A.5.22 (information security in supplier relationships, addressing security within agreements, managing the supply chain, monitoring and review) map to DSPT v8's supplier assurance requirements. Your supplier risk assessment process and contractual security requirements should transfer.

Staff training and awareness

A.6.3 (information security awareness, education, and training) partially satisfies DSPT v8 training requirements. The gap here is that DSPT v8 mandates NHS-specific annual data security awareness training with a mandatory pass test. Generic information security training from your ISMS programme will not fully satisfy this item. Staff who handle NHS data need the NHS-specific module.

Monitoring and logging

A.8.15 (logging) and A.8.16 (monitoring activities) align with DSPT v8's detection and monitoring requirements under Objective C. Your SIEM configuration, log retention policies, and monitoring procedures should map across.

Gaps that ISO 27001:2022 does not cover

Objective E is where ISO 27001:2022 runs out. These eight contributing outcomes are specific to health and care data governance in England. They address obligations that exist only within the NHS context, with no corresponding ISO 27001:2022 controls.

E1: Transparency

NHS-specific privacy notices that explain how patient data is used. Your ISO 27001:2022 privacy documentation covers general data processing transparency, but NHS patients must receive notices aligned with the NHS transparency framework.

E2: Upholding rights

GDPR data subject rights management is partially covered by ISO 27001:2022's data protection controls, but DSPT v8 adds Caldicott principles and the national data opt-out. The national data opt-out gives patients the right to opt out of their confidential patient information being used for research and planning. Your ISMS will not have a process for this unless you have built one specifically.

E3: Using and sharing information

Organisations must appoint a Caldicott Guardian, maintain data sharing agreements that follow NHS data sharing guidance, and demonstrate compliance with the common law duty of confidentiality. The Caldicott Guardian role has no ISO 27001:2022 equivalent. It is a senior person responsible for protecting the confidentiality of patient information and enabling appropriate sharing.

E4: Records management

NHS records management code compliance and clinical coding standards. ISO 27001:2022 A.5.33 covers protection of records generally, but NHS records management has specific retention schedules, destruction requirements, and clinical coding obligations that sit outside the information security domain entirely.

Additional NHS-specific items include Data Protection Impact Assessments specific to health data processing, and Registration Authority/Smartcard management for organisations using NHS Smartcards.

MFA evidence that catches IT suppliers

Evidence item 4.5.3 deserves its own section because it has tripped up more IT suppliers than any other single requirement in DSPT v8.

In previous toolkit versions, Cyber Essentials Plus certification provided equivalence for MFA requirements. That equivalence was removed in DSPT v8. ISO 27001:2022 Annex A control A.8.5 requires "secure authentication" but is technology-neutral. It does not mandate multi-factor authentication specifically.

NHS England's MFA policy is not technology-neutral. It mandates MFA on all remote user access to all systems and all privileged user access to externally hosted systems. The policy specifies three tiers of acceptable MFA: Best (hardware tokens, FIDO2), Better (software tokens, push notifications), and Basic (SMS, email codes).

A.8.5 in your ISMS may describe MFA as a control, but the DSPT v8 evidence item requires you to demonstrate alignment with the NHS MFA policy specifically. If your secure authentication procedure does not reference these tiers or does not enforce MFA on all the access scenarios the NHS requires, there is a gap to close.

For the full context on CE+ equivalence removal, see our DSPT v8 requirements guide.

Where ISO 27001:2022 exceeds DSPT v8 requirements

The mapping works in both directions. Organisations that hold ISO 27001:2022 have several capabilities that exceed DSPT v8 baseline requirements.

ISO 27001:2022 is an internationally recognised certification with formal third-party audit. DSPT v8, for most organisations, is a self-assessment. Your ISO 27001:2022 certificate provides stronger external assurance to NHS procurement teams than a DSPT v8 submission alone.

Clause 10 of ISO 27001:2022 mandates continual improvement through internal audits, management reviews, and corrective actions. DSPT v8 requires annual submission but does not impose the same structured improvement cycle.

Annex A controls A.8.25 through A.8.31 cover the secure development lifecycle, including secure coding, testing, and separation of environments. These go beyond DSPT v8's system security requirements and are increasingly relevant as NHS procurement evaluates supplier development practices.

A.5.23 (information security for cloud services) addresses cloud-specific risks that DSPT v8 does not cover in equivalent depth. A.5.7 (threat intelligence) provides a structured approach to tracking emerging threats that feeds into both your ISMS risk assessment and your DSPT v8 risk management evidence.

When NHS trusts and integrated care boards evaluate suppliers, an ISO 27001:2022 certificate alongside a completed DSPT v8 submission signals a maturity level above the baseline. It can shorten procurement cycles by answering security questions before they are raised. Vormats, an NHS supplier on the Naq platform, reported faster trust onboarding after completing both frameworks through a single evidence collection process.

How to map your evidence in practice

The practical steps, in order:

Verify your ISO 27001:2022 scope. Check your Statement of Applicability and certificate scope. It must cover all health and care data processing, not a subset. If your scope excludes any systems, locations, or processes that touch NHS data, either extend the scope or prepare to evidence those areas separately in the DSPT v8.

Upload your certificate to the DSPT toolkit. The toolkit will auto-complete applicable evidence items. Review what has been marked as complete and verify the auto-completion matches your expectations.

Identify auto-completed items versus outstanding items. Work through the remaining evidence items systematically. Most will fall into the Objective E categories or the MFA requirement.

Address Objective E gaps. Appoint or confirm your Caldicott Guardian. Review your NHS-specific privacy notices. Implement the national data opt-out process. Ensure your records management aligns with the NHS records management code. Complete NHS-specific data security awareness training for all staff who handle health data.

Verify MFA coverage against NHS policy. Map your current MFA deployment against the NHS MFA policy requirements. Confirm coverage on all remote access and all privileged access to externally hosted systems. Document which MFA tier (Best, Better, Basic) you use for each access scenario.

Submit before 30 June 2026. Non-completion blocks procurement eligibility for NHS contracts. For Operators of Essential Services, it triggers regulatory enforcement.
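The MFA policy rules described in the "MFA evidence that catches IT suppliers" section, and the "Verify MFA coverage against NHS policy" step above, reduce to a mechanical check over an inventory of access scenarios. The script below is an added example and is not code from the article, from Naq, or from NHS England. It encodes the two rules as the article states them (MFA on all remote user access to any system, and on all privileged access to externally hosted systems) and labels each scenario with one of the three policy tiers. The method-to-tier table, the scenario field names, and the sample inventory are all constructed assumptions for illustration; replace them with your own deployment data before relying on the output.

```python
from dataclasses import dataclass
from typing import Optional

# Tier labels are the three tiers named in the NHS MFA policy as the article
# describes them. Which authentication method falls under which tier is an
# assumption for this example; check it against the current policy text.
TIER_FOR_METHOD = {
    "fido2": "Best",
    "hardware_token": "Best",
    "software_token": "Better",
    "push": "Better",
    "sms": "Basic",
    "email_code": "Basic",
}


@dataclass(frozen=True)
class AccessScenario:
    name: str
    remote: bool               # user connects from outside the corporate network
    privileged: bool           # admin or otherwise elevated rights
    externally_hosted: bool    # system runs outside your own estate (SaaS, cloud)
    mfa_method: Optional[str]  # None means no second factor is enforced


def mfa_required(s: AccessScenario) -> bool:
    """The two rules quoted in the article: MFA on all remote user access to
    all systems, and on all privileged user access to externally hosted systems."""
    return s.remote or (s.privileged and s.externally_hosted)


def assess(scenarios):
    """Return one finding per scenario: whether MFA is required, which tier the
    deployed method sits in, and a status you can paste into the evidence item."""
    findings = []
    for s in scenarios:
        required = mfa_required(s)
        if s.mfa_method is None:
            tier = None
        else:
            # An enforced method that is not in the tier table cannot be
            # classified automatically; surface it rather than guessing.
            tier = TIER_FOR_METHOD.get(s.mfa_method, "UNKNOWN")

        if required and tier is None:
            status = "GAP"           # policy demands MFA and none is enforced
        elif required and tier == "UNKNOWN":
            status = "REVIEW"        # MFA present but tier needs a human decision
        elif required:
            status = "COVERED"
        else:
            status = "NOT_REQUIRED"  # outside the two rules; still worth recording

        findings.append({"scenario": s.name, "required": required,
                         "tier": tier, "status": status})
    return findings


def gaps(findings):
    """Scenarios that need action before the evidence item can be marked complete."""
    return [f["scenario"] for f in findings if f["status"] in ("GAP", "REVIEW")]


# Constructed sample inventory; not real systems.
SAMPLE_INVENTORY = [
    AccessScenario("Staff VPN (remote users)", True, False, False, "fido2"),
    AccessScenario("SaaS admin console (on-site admins)", False, True, True, "sms"),
    AccessScenario("On-prem integration server (local admin)", False, True, False, None),
    AccessScenario("Hosted email (remote users)", True, False, True, None),
    AccessScenario("Cloud backup portal (remote admins)", True, True, True, "voice_call"),
]


if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"{f['status']:<13} {(f['tier'] or '-'):<8} {f['scenario']}")
    print("Action needed:", gaps(assess(SAMPLE_INVENTORY)))
```

Running it on the sample inventory reports the VPN and the SaaS console as covered (Best and Basic tiers respectively), the local-admin scenario as outside the two rules, the hosted email remote access as a gap, and the backup portal as needing review because "voice_call" is not in the tier table. Keeping the NOT_REQUIRED rows in the output is deliberate: the evidence item is easier to defend when the reviewer can see every scenario you considered, not only the ones that failed.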

How Naq maps evidence across both frameworks

Naq's compliance platform automates both ISO 27001:2022 and DSPT v8 from a single dashboard. Evidence collected for one framework maps automatically across the other, cutting the duplication that manual compliance creates.

For DSPT v8, the platform automates over 80% of the submission, saving approximately 140 hours of manual evidence gathering and formatting, based on Naq platform data from organisations completing DSPT v8 on the platform. For ISO 27001:2022, the same automation saves over 200 hours across the certification cycle.

The platform connects to over 300 integrations to pull evidence directly from your existing tools. Policy templates, risk registers, and training records populate automatically. When evidence satisfies controls in both frameworks, it is collected once and mapped to both.

Naq holds its own ISO 27001, Cyber Essentials, Cyber Essentials Plus, and NHS DSPT certifications. The platform is built by a team that has been through both processes.

Book a demo to see how your existing ISO 27001:2022 evidence maps to DSPT v8.

Frequently asked questions

Does ISO 27001 automatically complete DSPT v8?

Partially. The DSPT toolkit accepts ISO 27001:2022 certificates and auto-completes information security evidence items, provided the certificate scope covers all health and care data processing. NHS-specific requirements under Objective E, including Caldicott principles and records management, remain outstanding regardless of how much of DSPT v8 your ISO 27001 evidence covers.

What DSPT v8 requirements does ISO 27001 not cover?

Eight contributing outcomes under Objective E sit outside ISO 27001:2022's scope entirely. These include appointing a Caldicott Guardian, implementing the national data opt-out, NHS-specific privacy notices, records management code compliance, and clinical coding standards. The MFA evidence item (4.5.3) also requires NHS-specific policy alignment that goes beyond ISO 27001:2022's technology-neutral approach.

Can I use ISO 27001 evidence for my DSPT v8 submission?

Yes, for the overlapping areas. Governance documentation, risk registers, access control policies, incident response procedures, and business continuity plans from your ISMS should transfer with minimal adaptation. Upload your certificate to the DSPT toolkit first, then address the remaining items that were not auto-completed.

When is the DSPT v8 deadline for 2026?

The DSPT v8 submission deadline is 30 June 2026 for all organisations that process NHS data. Non-completion blocks procurement eligibility for NHS contracts (NHS England, dsptoolkit.nhs.uk).

How long does DSPT v8 take if I already have ISO 27001?

With ISO 27001:2022 already in place, the remaining DSPT v8 work focuses on Objective E (NHS-specific data governance) and MFA policy alignment. Organisations using Naq's platform to map evidence across both frameworks report completing the outstanding items in weeks rather than months, based on Naq platform data.


Written by
The Naq Team