Knowledge hub
Plain-English answers to the compliance questions UK care, health and small-business teams actually ask.
DSPT
The NHS Data Security and Protection Toolkit, explained.
Common DSPT mistakes and how to avoid them
The most common DSPT mistakes UK care providers make — from weak evidence to missed deadlines — and practical steps to avoid them before you submit.
Read →DSPT and Cyber Essentials: how they complement each other
How the NHS Data Security and Protection Toolkit and Cyber Essentials relate, where they overlap, and how certification can make several DSPT assertions easier.
Read →DSPT and UK GDPR: how they relate
How the NHS Data Security and Protection Toolkit and UK GDPR overlap, where they differ, and why completing the DSPT strengthens your wider data protection compliance.
Read →DSPT assessment levels and profiles explained
How DSPT assessment levels and organisation profiles work, what determines the questions you're asked, and how to make sure you're completing the right one.
Read →The DSPT deadline and annual cycle: planning ahead
Understand the 30 June DSPT deadline, the annual reset, and how to plan the year so your Data Security and Protection Toolkit submission is never a last-minute rush.
Read →DSPT evidence checklist: what to gather for each assertion
A practical DSPT evidence checklist for UK care providers: which policies, records and technical controls map to the toolkit's assertions before you submit.
Read →DSPT for care homes: a practical guide
A plain-English DSPT guide for UK care homes: who needs it, which evidence to gather, the 30 June deadline, and how to reach 'Standards Met' without an IT team.
Read →DSPT for dental practices: a practical guide
A plain-English DSPT guide for UK dental practices: who needs it, the evidence to gather, the 30 June deadline, and how to reach 'Standards Met' each year.
Read →DSPT for domiciliary care: a practical guide
A plain-English DSPT guide for UK domiciliary care and home care providers: who needs it, the evidence to gather, the 30 June deadline, and reaching 'Standards Met'.
Read →DSPT for GP practices: a practical guide
A plain-English DSPT guide for UK GP practices: why it's essential, the evidence to prepare, the 30 June deadline, and how to reach 'Standards Met' each year.
Read →DSPT for pharmacies: a practical guide
A plain-English DSPT guide for UK community pharmacies: who needs it, the evidence to prepare, the 30 June deadline, and how to reach 'Standards Met' each year.
Read →DSPT 'Standards Met' vs 'Approaching Standards' explained
The difference between DSPT 'Standards Met' and 'Approaching Standards', what each status means for your organisation, and how to move from one to the other.
Read →What happens if you miss the DSPT deadline?
What missing the 30 June DSPT deadline can mean for your NHS system access, CQC standing and commissioners — plus practical steps to get back on track.
Read →What is the DSPT? A plain-English guide for care providers
What the NHS Data Security and Protection Toolkit is, who must complete it, the 30 June deadline, and how to reach 'Standards Met'.
Read →ISO 27001
Building and certifying an information security management system.
How to conduct an ISO 27001 risk assessment: a step-by-step guide
A practical, plain-English guide to running an ISO/IEC 27001:2022 information security risk assessment, from identifying risks to building a treatment plan.
Read →ISO 27001 Annex A controls explained: the 93 controls and 4 themes
A plain-English guide to the 93 Annex A controls in ISO/IEC 27001:2022, grouped across the four themes, and how to select the ones that fit your risks.
Read →ISO 27001 cost and timeline: the factors that drive them
What really drives the cost and timeline of ISO/IEC 27001:2022 certification for SMEs, from scope and size to readiness, and how to plan a realistic budget.
Read →ISO 27001 documentation checklist: what you actually need
A practical checklist of the mandatory documents and records required for ISO/IEC 27001:2022 certification, and how to keep them lean and audit-ready.
Read →ISO 27001 for software companies: a practical guide
Why software firms pursue ISO/IEC 27001:2022, the controls that matter most for SaaS and dev teams, and how to fit an ISMS around modern development.
Read →ISO 27001 internal audits: a practical guide
Why internal audits are mandatory under ISO/IEC 27001:2022, how to plan and run them, who can audit, and how they feed the management review and certification.
Read →ISO 27001 Stage 1 and Stage 2 audits: what to expect
How ISO/IEC 27001:2022 certification audits work, what happens at Stage 1 and Stage 2, how nonconformities are handled, and how to prepare with confidence.
Read →ISO 27001 surveillance audits: keeping your certification
What ISO/IEC 27001:2022 surveillance audits are, how the three-year certification cycle works, what auditors check each year, and how to stay audit-ready.
Read →The Statement of Applicability (SoA) explained for ISO 27001
What the ISO/IEC 27001:2022 Statement of Applicability is, why auditors focus on it, what it must contain, and how to build one that holds together.
Read →What is an ISMS? The heart of ISO/IEC 27001 explained
A plain-English guide to the Information Security Management System (ISMS) at the core of ISO/IEC 27001:2022, what it covers, and why it matters.
Read →Cyber Essentials
The five controls and the government-backed certification.
Common reasons Cyber Essentials applications fail
The most frequent reasons Cyber Essentials self-assessments get marked as non-compliant — and practical steps to avoid each one before you submit.
Read →The five Cyber Essentials controls explained
A plain-English guide to the five Cyber Essentials technical controls — firewalls, secure configuration, user access, malware protection and updates.
Read →Cyber Essentials for care providers: a practical guide
Why Cyber Essentials matters for care homes and care providers, how it fits with the DSPT and CQC expectations, and how to work through the five controls.
Read →Cyber Essentials MFA requirements explained
What Cyber Essentials expects for multi-factor authentication on cloud services, where MFA applies, the accepted methods and how to roll it out well.
Read →Cyber Essentials patch management explained
How to meet the security update management control in Cyber Essentials — the 14-day rule, supported software, mobile and firmware updates and routines.
Read →Cyber Essentials secure configuration explained
What secure configuration means under Cyber Essentials — default passwords, unnecessary accounts and software, device hardening and practical steps to comply.
Read →PCI DSS
Taking card payments securely and choosing the right SAQ.
PCI DSS explained: a plain-English guide for UK organisations
What PCI DSS is, who it applies to, the current v4.0.1 requirements, and how SAQs and scope work — a plain-English guide for UK card-taking businesses.
Read →PCI DSS for small businesses: a practical starter guide
A practical PCI DSS guide for small businesses and SMEs: who it applies to, keeping it simple, choosing the right SAQ, and reducing scope to cut the work.
Read →PCI DSS SAQ types explained: A, A-EP, B, C and D
A plain-English guide to the PCI DSS Self-Assessment Questionnaire types — SAQ A, A-EP, B, B-IP, C, C-VT, D and P2PE — and when each one applies.
Read →Reducing your PCI DSS scope: how to simplify compliance
Practical ways to reduce PCI DSS scope — outsourcing card handling, hosted payment pages, network segmentation and not storing card data — to simplify it.
Read →Data protection & UK GDPR
DPIAs, RoPA, breaches, subject access and staff training.
Data breach reporting explained: the 72-hour rule under UK GDPR
What counts as a personal data breach, when to report it to the ICO within 72 hours, and how to respond — a plain-English UK GDPR guide for organisations.
Read →Do you need a DPO? When a Data Protection Officer is required
When UK GDPR makes a Data Protection Officer mandatory, what a DPO does, and the outsourced option — a plain-English guide for UK organisations.
Read →DPIA explained: when and how to run a Data Protection Impact Assessment
What a DPIA is, when UK GDPR requires one, and how to run a Data Protection Impact Assessment step by step — a plain-English guide for UK organisations.
Read →Handling Subject Access Requests: a step-by-step SAR guide
How to handle a Subject Access Request (SAR) under UK GDPR — recognising it, the one-month deadline, exemptions and redaction — a step-by-step guide.
Read →ICO registration explained: the data protection fee and who must pay
What ICO registration is, who must pay the data protection fee, the tiers and exemptions, and how to register — a plain-English guide for UK organisations.
Read →Privacy notices explained: what to include and why they matter
What a privacy notice is, what UK GDPR requires it to contain, and how to write a clear, accessible one — a plain-English guide for UK organisations.
Read →RoPA explained: your Record of Processing Activities under UK GDPR
What a Record of Processing Activities (RoPA) is, who needs one under UK GDPR, and what to include — a plain-English guide for UK organisations.
Read →Staff data protection training: what your team needs to know
Why staff data protection training matters under UK GDPR, what to cover, and how often to run it — a practical guide for UK organisations and care providers.
Read →UK GDPR in healthcare: a guide for care and health providers
How UK GDPR applies to health and care providers — lawful bases, special-category health data, DPIAs, RoPA and breach reporting — in plain language.
Read →Comparison guides
Which standard is which — and which one you actually need.
Cyber Essentials vs Cyber Essentials Plus: what's the difference?
Cyber Essentials vs Cyber Essentials Plus explained: the same five NCSC controls, but self-assessment versus an independent hands-on technical audit. Which do you need?
Compare →Cyber Essentials vs ISO 27001: what's the difference?
Cyber Essentials vs ISO 27001 compared: five focused NCSC technical controls versus a full certified information-security management system. Which fits your organisation?
Compare →DSPT vs ISO 27001: what's the difference?
DSPT vs ISO 27001 compared for UK care providers: an NHS annual self-assessment versus a certified international ISMS standard, and whether you might need both.
Compare →UK GDPR vs DSPT: what's the difference?
UK GDPR vs DSPT explained for care providers: data-protection law enforced by the ICO versus an annual NHS self-assessment, and how the two work together in practice.
Compare →IASME Cyber Assurance vs ISO 27001: what's the difference?
IASME Cyber Assurance vs ISO 27001 compared: an SME-friendly, affordable security standard with a GDPR-aware Level 2, versus the international, UKAS-certified ISMS standard.
Compare →ISO 27001 vs PCI DSS: what's the difference?
ISO 27001 vs PCI DSS compared: a broad certified information-security standard versus a focused payment-card security requirement. Understand which applies and when both do.
Compare →Prefer to just talk it through?
Book a free readiness check and we’ll point you in the right direction.