What’s the difference between Cyber Essentials and the DSPT?
Some local authorities might ask providers for Cyber Essentials. Cyber Essentials is a useful resource that helps organisations to protect themselves from common cyber threats. The DSPT covers the same topics as cyber essentials, but also helps organisations to protect their data security arrangements and meet their minimum GDPR requirements.
We’ve developed a quick guide on Cyber Essentials and the DSPT to help people understand the differences.
The Local Government Association (LGA) recommends that “commissioners should support providers to complete the DSPT to Standards Met level“. Other than including the DSPT in contracts, commissioners can also support providers by putting them in touch with their Local Support Organisation or signposting them to resources available from Better Security, Better Care.
| DSPT | Cyber Essentials and Cyber Essentials Plus |
|---|---|
| Covers all aspects of information governance including: paper records and systems; verbal disclosures of information; digital systems; cyber security; and the duty to share information to support someone’s care. | Covers cyber security and digitally held or transferred data only. It does not cover paper records or information shared verbally. |
| Is designed specifically for adult social care providers in England. All of the questions relate to social care settings and requirements. | Is designed for all businesses and not tailored for social care. |
| Is a free toolkit, backed up by a free national, regional and local support programme to complete and implement the DSPT, led by care sector experts. | Access to Cyber Essentials varies from £320 + VAT for organisations with up to 9 employees, to £600 + VAT for organisations with over 250 employees. Cyber Essentials Plus is priced according to size and complexity of the organisation’s network. |
| As of July 2024, it does not include an optional independent audit | Cyber Essentials Plus requires an additional independent technical audit of the organisations’ IT systems. This is an additional cost. |
| Is a requirement in all NHS service delivery contracts and is frequently included in local authority contracts. | Is not a requirement in local NHS contracts, is frequently required in local authority contracts, and is a requirement in delivery of services directly to national government departments. |
| Is recognised in the CQC's Single Assessment Framework as a key source of evidence. | Is not referenced in CQC’s Single Assessment Framework. |
| Is recognised as a ‘success measure’ on safe practice in the Government’s guidance - Digital working in adult social care: What Good Looks Like. | Is not referenced in What Good Looks Like. |
| Does not include cyber liability insurance but can be used as evidence in an insurance claim. | Includes cyber liability insurance up to £25,000 if the organisation achieves Cyber Essentials certification for the whole organisation, and turnover is under £2m. The insurance does not cover money stolen by electronic means or cyber fraud. |
| Is based on the National Data Guardian’s 10 data security standards. These are the same standards within the DSPT for NHS organisations. As a result, having the DSPT in place can enable access to shared patient information systems. | Is based on the UK Government’s minimum baseline standard for cyber security. It does not enable access to NHS patient information systems. |
| Is an annual self-assessment. If not completed on time, the DSPT certificate is no longer valid and cannot be used. | Is an annual self-assessment. If not completed on time, the Cyber Essentials certificate is no longer valid and cannot be used. |
| Is funded by NHS England and the Department of Health and Social Care. The support programme (Better Security, Better Care) is delivered by a small national team within Digital Care Hub and local partners who are primarily trade associations representing care providers. | Is managed by the Government’s National Cyber Security Centre and delivered by IASME - a cyber security certification company. |
