Acronyms
NCSC – National Cyber Security Centre (UK)
CAF – Cyber Assessment Framework (resilience framework)
NHS – National Health Service
DSPT – Data Security and Protection Toolkit (NHS compliance self-assessment, UK)
NDG – National Data Guardian
What’s the difference?
The NHS Data Security and Protection Toolkit (DSPT) has long been the benchmark for safeguarding patient data in the UK health sector. However, cyber threats are evolving and so is compliance. DSPT is NHS-specific, focused on UK GDPR and the NDG’s 10 Data Security Standards through annual self-assessment (NHS DSPT Guidance).
The shift to the National Cyber Security Centre’s Cyber Assessment Framework (CAF) marks a strategic move toward resilience, not just for healthcare but across all UK Critical National Infrastructure (CNI). Unlike DSPT’s checklist approach, CAF is outcome-based, assessing governance, risk management, supply chain security, and incident response maturity (NCSC CAF Overview).
| Area | DSPT (Past) | CAF (Future) |
|---|---|---|
| Focus | Compliance-based | Risk management and outcome-based |
| Use | NHS, health and social care | Critical National Infrastructure (CNI) |
| Structure | 10 defined data security standards (NDG) | Manage risk, protect, detect, recover objectives |
| Assessment frequency | Annual self-assessment | Continuous improvement approach |
Think of CAF as upgrading from a security checklist to a resilience operating system, built to adapt, govern, and protect critical infrastructure in real time.
Why the change and what is its importance?
“This change aligns health and care with national cyber resilience standards. While the NDG’s 10 data security standards have been essential, the rapidly changing landscape of technology and cyber threats requires the more advanced, outcome-focused approach the CAF provides.” – Joint statement by NHS England & the National Data Guardian
How can SUSAN help?
The SUSAN platform simplifies this shift for your organisation with its NCSC CAF module, guiding you through the compliance requirements step by step. SUSAN ensures your organisation transitions to CAF’s outcome-driven governance standards, strengthening cyber resilience for the future.
Key Takeaways
NCSC CAF replaces DSPT as the UK standard for cyber resilience. Aligning with CAF ensures compliance and resilience across critical services like healthcare. Ready to adopt CAF? Explore the SUSAN platform’s CAF module for step-by-step guidance and future-proof your cyber governance today.
“NCSC CAF isn’t just replacing DSPT; it creates a unified standard for resilience across critical services whilst also complementing UK GDPR obligations.”
FAQs
We serve B2B SaaS companies, financial institutions, healthcare providers, manufacturing firms, and legal consultancies.
Yes, we have a UK-based team providing 24/7 incident response and support.
Absolutely. We specialize in regulatory compliance and offer full support from gap assessment to certification readiness.
Unlike large vendors, we provide agile, personalized cybersecurity services backed by global expertise and UK-specific support.