DSPT · 1 July 2026
DSPT and Cyber Essentials: how they complement each other
The Data Security and Protection Toolkit (DSPT) and Cyber Essentials are two different schemes that pull in the same direction: keeping your data and systems secure. They’re not the same thing, but they complement each other neatly, and holding one can make the other more straightforward. This guide explains how they relate.
What each scheme is
Cyber Essentials is a UK government-backed certification scheme covering the fundamentals of cyber security. It focuses on a set of technical controls that, when properly in place, protect against the most common online threats. You achieve it by demonstrating those controls, either through self-assessment or an audited version (Cyber Essentials Plus).
The DSPT is an annual online self-assessment run by NHS England. It’s broader than Cyber Essentials — covering governance, staff training, records management and incident handling as well as technical security — and it’s specific to organisations handling NHS health and care data.
In short: Cyber Essentials goes deep on technical cyber controls; the DSPT covers a wider information-governance picture, of which technical controls are one part.
The five Cyber Essentials controls
Cyber Essentials centres on five technical control areas:
- Firewalls — protecting the boundary between your network and the internet
- Secure configuration — setting up devices and software safely
- User access control — giving people only the access they need
- Malware protection — defending against viruses and malicious software
- Security update management — keeping software patched and current
If those sound familiar, it’s because the DSPT asks about the very same things.
Where they overlap
Several DSPT assertions relate directly to controls that Cyber Essentials certifies:
| DSPT theme | Cyber Essentials control |
|---|---|
| Secure device configuration | Secure configuration |
| Access and account management | User access control |
| Protecting against malware | Malware protection |
| Keeping systems updated | Security update management |
| Network protection | Firewalls |
This overlap is why holding Cyber Essentials can make the technical parts of your DSPT more straightforward. Instead of assembling ad-hoc evidence for each of these areas, you have an independent, recognised certification demonstrating the controls are in place. It also gives commissioners and partners added confidence.
Where they differ
They’re complementary, not interchangeable:
- Breadth. The DSPT covers governance, training, records, supplier assurance and incident management — areas Cyber Essentials doesn’t reach.
- Depth. Cyber Essentials goes into more technical detail on the specific controls it covers.
- Purpose. The DSPT is tied to handling NHS data and your NHS system access; Cyber Essentials is a general cyber-security baseline for any organisation.
So Cyber Essentials strengthens part of your DSPT, but it doesn’t replace it — and the DSPT’s wider scope means it addresses risks Cyber Essentials alone would miss.
Using them together
A sensible sequence for many care providers is:
- Get the technical basics right using the Cyber Essentials controls as your framework — even if you don’t certify immediately, they’re a sound checklist.
- Consider certifying with Cyber Essentials to gain independent evidence.
- Feed that evidence into your DSPT, using our DSPT evidence checklist to map it to the relevant assertions.
- Complete the wider DSPT — governance, training, records and incidents — to reach Standards Met.
Both also support your broader legal duties. The security measures they cover map onto UK GDPR requirements too, as explained in our guide on how the DSPT and UK GDPR relate.
Which should you do first?
There’s no single right order, but a few principles help. If your technical controls are shaky, working through the Cyber Essentials framework first gives you a clear, prioritised way to get the basics right — and those improvements immediately strengthen your DSPT. If your NHS system access depends on a current DSPT and the deadline is near, complete the DSPT first and treat Cyber Essentials as a follow-on that will make future renewals easier. For many care providers, the pragmatic path is to use the five Cyber Essentials controls as a checklist while completing the DSPT, then certify formally when time allows. The two efforts reinforce each other whichever way round you approach them.
Cyber Essentials Plus and deeper assurance
It’s worth knowing that Cyber Essentials comes in two forms. The standard certification is a self-assessment of your controls, while Cyber Essentials Plus adds an independent technical audit that verifies those controls are genuinely in place. For most smaller care providers, standard Cyber Essentials is a proportionate and worthwhile step. Larger organisations, or those handling particularly sensitive data at scale, may find the added assurance of Cyber Essentials Plus valuable — and either version provides evidence you can bring to your DSPT. Choose the level that matches your size and risk rather than reaching for the most demanding option by default.
A joined-up security mindset
Perhaps the most useful thing to take away is that the DSPT, Cyber Essentials and UK GDPR are not three separate burdens but three views of the same goal: handling data safely and responsibly. When you build good foundations — sensible technical controls, trained staff, clear records and a plan for when things go wrong — you satisfy all three at once. Approaching them together, rather than as isolated tasks, is both less work and more effective, and it leaves your organisation genuinely more resilient rather than merely compliant on paper.
Check where you stand
Our DSPT readiness checker gives you a quick read on your DSPT position, including the technical areas that Cyber Essentials strengthens. The glossary explains any unfamiliar terms.
How we can help
Getting the technical foundations right and then evidencing them across both schemes is very achievable with the right guidance. We offer a clear, fixed-fee engagement that joins up your cyber security and DSPT work, so your effort counts twice, and supports you through to submission. Explore our DSPT service or get in touch for a friendly, no-obligation chat.
Need help in practice? See our DSP Toolkit (DSPT) service.