DSPT · 1 July 2026
DSPT vs ISO 27001: what's the difference?
If you deliver health or care services in the UK, you have probably come across both the Data Security and Protection Toolkit (DSPT) and ISO/IEC 27001. They both concern keeping information safe, so it is easy to assume they are two names for the same thing. They are not. One is an annual NHS self-assessment; the other is an internationally recognised, independently certified management standard. This guide explains what each is, how they differ, and why some organisations sensibly hold both.
What each one is
The DSPT is a free, online self-assessment published by NHS England. Any organisation that handles NHS patient data or connects to national systems is expected to complete it every year, with a submission deadline of 30 June. It asks you to confirm — and evidence — that you meet a set of data-security and information-governance standards. You answer the questions yourself and upload or describe your supporting evidence; there is no external auditor signing it off. Our guide what is the DSPT? covers the mechanics in detail.
ISO/IEC 27001:2022 is the international standard for an Information Security Management System (ISMS). Rather than a yearly questionnaire, it is a structured way of running information security across your whole organisation — identifying risks, treating them with controls, and improving continually. Crucially, ISO 27001 is independently certified: a UKAS-accredited certification body audits you across a Stage 1 (documentation review) and Stage 2 (implementation) assessment, then carries out annual surveillance visits. Certification results in a recognised certificate you can show to customers and commissioners anywhere in the world. You can read more on our ISO 27001 service page.
Side-by-side comparison
| Feature | DSPT | ISO/IEC 27001:2022 |
|---|---|---|
| What it is | NHS annual self-assessment toolkit | International ISMS certification standard |
| Who runs it | NHS England | ISO; certified by UKAS-accredited bodies |
| Assessment type | Self-assessment, evidence-backed | Independent external audit (Stage 1 and Stage 2) |
| Recognition | UK health and care sector | Worldwide, across all sectors |
| Frequency | Every year, deadline 30 June | Certificate valid three years, annual surveillance |
| Cost | Free to complete | Certification and audit fees apply |
| Main driver | NHS data-sharing and contract requirements | Customer assurance, tenders, risk management |
| Scope | Data security and information governance | Whole-organisation information security |
| Outcome | Published DSPT status | Accredited certificate |
The key differences
The most important distinction is assurance level. The DSPT relies on you assessing yourself honestly; ISO 27001 requires an external auditor to test your claims. That independent scrutiny is why ISO 27001 carries weight with commercial customers and in competitive tenders, whereas the DSPT is primarily a requirement for working with the NHS and handling patient data.
The second difference is scope and permanence. The DSPT is a point-in-time snapshot renewed annually. ISO 27001 asks you to build a living system that runs all year, with leadership involvement, internal audits and continual improvement baked in. It is a bigger commitment, but a deeper one.
Finally, they are aimed at different audiences. The DSPT is specific to UK health and social care. ISO 27001 is sector-agnostic and internationally understood, which matters if you sell services beyond the NHS or want a credential a private-sector client will recognise.
There is also a difference in cost profile. The DSPT is free to complete — the only cost is the time your team spends gathering evidence and answering the questions. ISO 27001 carries certification and audit fees, because an accredited body is doing independent work on your behalf, and there is usually internal effort in building the ISMS in the first place. That does not make one better value than the other; they simply buy different things — annual NHS assurance in one case, an internationally recognised certificate in the other.
Which do you need?
For most care providers, the DSPT is effectively mandatory if you handle NHS patient data or use national systems such as NHS mail — so it is usually the starting point. ISO 27001 is generally optional but strategic: you pursue it when customers ask for it, when you are bidding for contracts that expect it, or when you want a rigorous, externally verified framework for managing information risk.
If you are a small provider working solely within the care sector, the DSPT alone may be all that is expected of you. If you are growing, taking on private clients, or handling data for others, ISO 27001 can open doors the DSPT cannot.
Can you need both — and how they relate?
Yes, and many organisations do. The good news is that the two overlap considerably. A well-run ISMS produces exactly the kind of evidence the DSPT asks for: risk assessments, access controls, staff training records, incident procedures and supplier assurance. If you already hold ISO 27001, completing the DSPT becomes far easier because the underlying controls are already in place and documented.
NHS England has recognised this relationship. Organisations with strong external certifications can often use them to support their DSPT submission rather than duplicating effort, which means the work you do for one standard rarely goes to waste on the other. The sensible sequence for many is: get the DSPT done to meet the immediate NHS requirement, then build towards ISO 27001 if your commercial ambitions call for it — reusing the DSPT evidence as a foundation.
It is also worth knowing where lighter-touch schemes fit. Cyber Essentials covers five core technical controls and dovetails neatly with the cyber sections of the DSPT, while IASME Cyber Assurance offers an SME-friendly stepping stone towards the full ISO 27001 standard. If any of the terminology is unfamiliar, our glossary explains the key concepts in plain English.
Not sure which you need?
Choosing between the DSPT and ISO 27001 — or working out how to make them support each other — depends on who you serve, what your contracts require and where your organisation is heading. We are happy to talk it through, map your obligations and suggest a sensible order of play through a clear, fixed-fee engagement. There is no pressure and no obligation: get in touch and we will help you find the right path.