The NHS leader’s CAF & DSPT checklist: cyber resilience, compliance, and assurance in 2026

12/03/26 Wavenet

For NHS Trust leaders, meeting the demands of cyber security assurance has never been more urgent. With the Data Security and Protection Toolkit (DSPT) now aligned to the Cyber Assessment Framework (CAF), NHS organisations need to demonstrate not only whether controls are in place, but how effective they are in practice.

This checklist is designed to help you plan, prioritise, and validate your approach to CAF and DSPT in 2026, ensuring your organisation can demonstrate robust cyber resilience.

Checklist overview: planning and governance

Here’s a practical step-by-step approach to help you get started.

1. Define your scope and stakeholders

Start by confirming your essential functions and assets. This should include IT systems, Operational Technology (OT), and any medical internet of things (IoT) / internet of medical things (IoMT) devices. In the context of CAF-aligned DSPT, evidence will be assessed against outcomes that map directly to clinical and business risk.

Ensure your stakeholders are involved:

  • Chief information security officer (CISO) for cyber security strategy, risk management, and CAF alignment.
  • Senior information risk owner (SIRO) for governance sign-off.
  • Information governance (IG) lead for information governance evidence.
  • Head of IT / cyber security sponsor to coordinate evidence.

2. Map CAF objectives to DSPT requirements

The CAF-aligned DSPT guidance organises evidence under outcome-focused objectives:

  • Objective A – Managing risk
  • Objective B – Protecting against cyber-attacks and data breaches
  • Objective C – Detecting cyber security events
  • Objective D – Minimising the impact of incidents
  • Objective E – Using and sharing information appropriately

This mapping is essential, because evidence you collect for one objective often supports multiple DSPT assertions. A clear matrix that maps controls against CAF/DSPT outcomes ensures you don’t miss anything.
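As an added illustration of the control-to-outcome matrix (this is example code, not a Wavenet tool, and the outcome names under each objective letter are hypothetical placeholders rather than real DSPT assertion identifiers), the script below takes a list of evidence artefacts, records which outcomes each one supports, reports any outcome with no evidence at all, and lists artefacts that are reused across several outcomes, which is where duplication can be avoided.

```python
"""Coverage check for a control-to-outcome evidence matrix (added example)."""
from collections import defaultdict

# CAF objectives as listed in the checklist. The outcome names below are
# hypothetical placeholders, not real DSPT assertion ids.
OBJECTIVES = {
    "A": "Managing risk",
    "B": "Protecting against cyber-attacks and data breaches",
    "C": "Detecting cyber security events",
    "D": "Minimising the impact of incidents",
    "E": "Using and sharing information appropriately",
}

# Hypothetical outcomes an assessor wants evidence for, keyed by objective.
REQUIRED_OUTCOMES = {
    "A": ["A.risk-register", "A.asset-inventory"],
    "B": ["B.patching", "B.segmentation", "B.access-control"],
    "C": ["C.log-monitoring", "C.alert-escalation"],
    "D": ["D.incident-plan", "D.exercise"],
    "E": ["E.data-classification", "E.retention"],
}

# Constructed evidence artefacts; each names the outcomes it supports.
EVIDENCE = [
    {"artefact": "Firewall rule set + change log", "supports": ["B.segmentation", "B.access-control"]},
    {"artefact": "Patch schedule and execution reports", "supports": ["B.patching", "A.asset-inventory"]},
    {"artefact": "SIEM monthly log review", "supports": ["C.log-monitoring"]},
    {"artefact": "Major incident plan v3", "supports": ["D.incident-plan"]},
    {"artefact": "Tabletop exercise report", "supports": ["D.exercise", "D.incident-plan"]},
    {"artefact": "Data classification scheme", "supports": ["E.data-classification"]},
]


def build_matrix(evidence, required):
    """Return {outcome: [artefacts]} for every required outcome (empty list = gap)."""
    matrix = {o: [] for outs in required.values() for o in outs}
    for item in evidence:
        for outcome in item["supports"]:
            if outcome not in matrix:
                # An artefact citing an unknown outcome is a mapping error, not coverage.
                raise ValueError(f"{item['artefact']!r} cites unknown outcome {outcome!r}")
            matrix[outcome].append(item["artefact"])
    return matrix


def find_gaps(matrix):
    """Outcomes with no supporting artefact, grouped by objective letter."""
    gaps = defaultdict(list)
    for outcome, artefacts in matrix.items():
        if not artefacts:
            gaps[outcome.split(".")[0]].append(outcome)
    return dict(gaps)


def reuse_report(matrix):
    """Artefacts that support more than one outcome (reuse avoids duplicate evidence)."""
    seen = defaultdict(set)
    for outcome, artefacts in matrix.items():
        for artefact in artefacts:
            seen[artefact].add(outcome)
    return {a: sorted(o) for a, o in seen.items() if len(o) > 1}


if __name__ == "__main__":
    matrix = build_matrix(EVIDENCE, REQUIRED_OUTCOMES)
    for obj, outcomes in sorted(find_gaps(matrix).items()):
        print(f"Objective {obj} ({OBJECTIVES[obj]}): no evidence for {', '.join(outcomes)}")
    for artefact, outcomes in reuse_report(matrix).items():
        print(f"{artefact!r} reused for {outcomes}")
```

Run as-is, the constructed data leaves three outcomes without evidence (one each under objectives A, C and E) and shows three artefacts doing double duty; in practice the outcome list would be replaced with the real CAF-aligned DSPT outcomes your Trust is assessed against.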

3. Formalise governance and assurance structures

  • Establish regular cyber risk board reviews
  • Confirm DSPT and CAF responsibilities in job descriptions
  • Ensure CISO and executive sign-off processes are documented

CAF-aligned DSPT expects organisations to show continuous risk management, not ad-hoc reporting.

Checklist for technical and operational controls

4. Network and system security

Review your network protection layers and maintain documentation showing how firewalls, segmentation, and secure configurations protect essential services. Ensure patch management schedules and evidence of their execution are available, especially for systems handling patient data.

5. Asset discovery and observability

CAF-aligned assessments will look for evidence that organisations have visibility across their estate, including IoMT, operational technology, and cloud environments. Passive discovery tools and observability platforms help demonstrate that controls are working across the estate.

6. Detection and monitoring evidence

Ensure you have:

  • SIEM tools or monitoring platforms logging security events
  • Defined alert thresholds and escalation processes
  • Regular log reviews
  • Evidence of trend analysis and action on anomalies

Detection capability is a key contributor to DSPT evidence under CAF objectives.
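To show what "defined alert thresholds" and "trend analysis" look like as evidence rather than narrative, here is an added example (not code from the page or from any SIEM product) that runs two checks over a handful of constructed authentication events: a sliding-window failed-login threshold per source, and a simple z-score comparison of hourly failure counts against a baseline mean and standard deviation. The log format, threshold, window and baseline figures are all assumptions chosen for the example.

```python
"""Threshold alerting and trend check over constructed auth events (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a made-up "timestamp user src outcome" format.
# These are not real SIEM output.
SAMPLE_LOG = """\
2026-03-02T08:00:01Z alice 10.1.1.5 success
2026-03-02T08:00:05Z bob 10.1.1.9 failure
2026-03-02T08:00:09Z bob 10.1.1.9 failure
2026-03-02T08:00:12Z bob 10.1.1.9 failure
2026-03-02T08:00:15Z bob 10.1.1.9 failure
2026-03-02T08:00:18Z bob 10.1.1.9 failure
2026-03-02T08:00:21Z bob 10.1.1.9 failure
2026-03-02T08:04:00Z carol 10.1.2.7 failure
2026-03-02T08:20:00Z carol 10.1.2.7 success
2026-03-02T09:00:00Z dave 10.1.3.3 failure
2026-03-02T09:09:00Z dave 10.1.3.3 failure
2026-03-02T09:14:00Z dave 10.1.3.3 failure
2026-03-02T09:30:00Z dave 10.1.3.3 failure
"""

FAIL_THRESHOLD = 5              # hypothetical: alert when one source fails 5+ times ...
WINDOW = timedelta(minutes=5)   # ... within this sliding window


def parse(text):
    """Parse the constructed format into (timestamp, user, src, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, src, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, outcome))
    return events


def threshold_alerts(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """One alert per source whose failures reach the threshold inside the window."""
    by_src = defaultdict(list)
    for ts, _user, src, outcome in events:
        if outcome == "failure":
            by_src[src].append(ts)
    alerts = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the oldest failure is within the window.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"src": src, "count": end - start + 1, "at": times[end].isoformat()})
                break  # a single alert per source is enough for escalation
    return alerts


def hourly_failures(events):
    """Failures per hour bucket: the series a reviewer keeps for trend analysis."""
    counts = Counter()
    for ts, _user, _src, outcome in events:
        if outcome == "failure":
            counts[ts.strftime("%Y-%m-%dT%H:00")] += 1
    return dict(counts)


def trend_anomalies(series, baseline_mean, baseline_std, k=3.0):
    """Buckets whose count exceeds baseline mean + k*std (a simple z-score rule)."""
    limit = baseline_mean + k * baseline_std
    return sorted(bucket for bucket, n in series.items() if n > limit)


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for alert in threshold_alerts(events):
        print(f"ALERT {alert['src']}: {alert['count']} failures by {alert['at']}")
    series = hourly_failures(events)
    # Baseline figures are constructed; in practice derive them from prior weeks.
    for bucket in trend_anomalies(series, baseline_mean=1.5, baseline_std=1.0):
        print(f"TREND {bucket}: {series[bucket]} failures exceeds baseline")
```

Both outputs are the kind of artefact the checklist asks for: the alert list evidences a defined threshold and an escalation trigger, while the anomalous hour plus whatever action was taken on it evidences trend analysis rather than a log that was merely collected.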

7. Incident response readiness

You should have:

  • Updated major incident response plans
  • Evidence of at least one tested scenario (tabletop or live)
  • Post-incident review documents
  • Defined roles and response times

CAF and DSPT both emphasise preparedness before an incident, not just reports after one.

8. Data protection and governance

Data protection and governance are key. With patient information involved, you need clear evidence of:

  • Responsible data owners
  • Data classification schemes
  • Encryption policies
  • Data retention and disposal policy

Documenting how data is protected and audited will be crucial during independent assessments.

Evidence portfolio and documentation checklist

CAF-aligned DSPT is outcome-based, so evidence counts more than narrative. These are the kinds of artefacts assessors will expect:

Policies and frameworks

  • Cyber security policy
  • Risk management and governance documentation
  • Access control and IAM policies
  • Patch and change management policies

Control evidence

  • Penetration and vulnerability testing logs
  • Access control reviews
  • Firewall rule sets and change logs
  • Evidence of network segmentation and device management

Audit and monitoring reports

  • SIEM event logs with analysis
  • Incident logs with lessons learned
  • Testing and review records
  • Staff training completion reports

Well-maintained documentation not only supports CAF outcomes – it also future-proofs annual DSPT returns.

Practical preparation tips

  • Start planning early: Plan your 2026 audit at least 6 - 9 months in advance. Independent assessments for CAF-aligned DSPT are expected to occur between January and June 2026.
  • Use mapping templates: Mapping CAF objectives to specific DSPT evidence items early allows teams to see overlap and avoid duplication.
  • Practise dry runs: Internal mock assessments help identify gaps before the real audit. These help governance teams understand where improvements are needed early.

Leadership and assurance insights

CAF-aligned DSPT is as much a leadership framework as it is a security one. Boards are expected to understand cyber risk strategies, resourcing constraints, and mitigation plans. The senior information risk owner (SIRO) must ultimately approve the submission.

Good governance documentation goes a long way towards demonstrating organisational understanding of risk and assurance.

Final thoughts: move beyond compliance

CAF and DSPT are no longer just compliance exercises. They show that security controls work in practice and that cyber risk is actively managed across your organisation.

For NHS Trusts and healthcare providers, this shift is critical. Strong cyber resilience protects patient data, reduces service disruption risk, and builds trust in digital services that underpin modern healthcare.

Annual self-assessments shouldn’t just tick a regulatory box. Done effectively, they provide a structured opportunity to strengthen security posture, improve operational resilience, and drive continuous improvement across teams, helping your Trust stay ahead of cyber threats and confidently meet CAF & DSPT requirements.

Discover how we can assist you with DSPT and navigate its detailed requirements.


Frequently asked questions about CAF and DSPT

What is the Data Security and Protection Toolkit (DSPT)?

The DSPT is the UK’s annual self-assessment tool that allows NHS organisations to measure their security and information governance capability against national expectations. All organisations that access NHS patient data or systems must complete it to show they can protect sensitive information appropriately.

In recent years, DSPT has aligned more closely with the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF). This change emphasises outcomes, effectiveness, and evidence - not just documentation.

What is the Cyber Assessment Framework (CAF)?

The Cyber Assessment Framework (CAF) is a structured set of objectives that helps organisations manage cyber risks by guiding how they protect, detect, and respond to security incidents. These objectives, covering risk management, protection, detection, and incident minimisation, now underpin DSPT assessments for NHS Trusts.

How can Wavenet support you with your CAF assessment?

We help NHS Trusts move from compliance to confidence by providing structured guidance and practical support throughout your CAF-aligned DSPT assessment. This includes:

  • Gap analysis and readiness assessments – identifying areas for improvement and prioritising actions.
  • Evidence mapping – helping teams align controls and documentation to CAF objectives.
  • Technical and operational guidance – ensuring network, system, and data protection controls meet requirements.
  • Board and governance support – advising on risk management, reporting, and executive sign-off processes.
  • Ongoing support – from preparation through submission, to help your Trust build sustainable cyber resilience rather than just meeting regulatory checkboxes.

Our approach ensures that Trusts can confidently demonstrate cyber resilience, maintain compliance, and strengthen overall information governance.

