August 1st 2024
WebinarDSPT, Cyber Essentials and Cyber Essentials Plus: a quick guide
File size: | File type:
This short guide helps care providers, and NHS and local authority commissioners to compare and understand the differences between the Data Security and Protection Toolkit (DSPT), Cyber Essentials and Cyber Essentials Plus.
All three are Government-backed, self-assessment tools to help organisations to check and improve their cyber security arrangements – but the DSPT covers all aspects of information governance, including paper records, and is specifically designed for adult social care providers in England.
The tools are compatible. For example, if a care provider has Cyber Essentials Plus, they can indicate this on their DSPT entry, and it will enable them to skip some questions. If they reach Standards Met on the DSPT and they also have Cyber Essentials Plus, they can get to Standards Exceeded on the DSPT.
At a glance
The key differences and similarities are summarised below.
| DSPT | Cyber Essentials and Cyber Essentials Plus |
|---|---|
| Covers all aspects of information governance including: paper records and systems; verbal disclosures of information; digital systems; cyber security; and the duty to share information to support someone’s care. | Covers cyber security and digitally held or transferred data only. It does not cover paper records or information shared verbally. |
| Is designed specifically for adult social care providers in England. All of the questions relate to social care settings and requirements. | Is designed for all businesses and not tailored for social care. |
| Is a free toolkit, backed up by a free national, regional and local support programme to complete and implement the DSPT, led by care sector experts. | Access to Cyber Essentials varies from £320 + VAT for organisations with up to 9 employees, to £600 + VAT for organisations with over 250 employees. Cyber Essentials Plus is priced according to size and complexity of the organisation’s network. |
| As of July 2024, it does not include an optional independent audit | Cyber Essentials Plus requires an additional independent technical audit of the organisations’ IT systems. This is an additional cost. |
| Is a requirement in all NHS service delivery contracts and is frequently included in local authority contracts. | Is not a requirement in local NHS contracts, is frequently required in local authority contracts, and is a requirement in delivery of services directly to national government departments. |
| Is recognised in the CQC's Single Assessment Framework as a key source of evidence. | Is not referenced in CQC’s Single Assessment Framework. |
| Is recognised as a ‘success measure’ on safe practice in the Government’s guidance - Digital working in adult social care: What Good Looks Like. | Is not referenced in What Good Looks Like. |
| Does not include cyber liability insurance but can be used as evidence in an insurance claim. | Includes cyber liability insurance up to £25,000 if the organisation achieves Cyber Essentials certification for the whole organisation, and turnover is under £2m. The insurance does not cover money stolen by electronic means or cyber fraud. |
| Is based on the National Data Guardian’s 10 data security standards. These are the same standards within the DSPT for NHS organisations. As a result, having the DSPT in place can enable access to shared patient information systems. | Is based on the UK Government’s minimum baseline standard for cyber security. It does not enable access to NHS patient information systems. |
| Is an annual self-assessment. If not completed on time, the DSPT certificate is no longer valid and cannot be used. | Is an annual self-assessment. If not completed on time, the Cyber Essentials certificate is no longer valid and cannot be used. |
| Is funded by NHS England and the Department of Health and Social Care. The support programme (Better Security, Better Care) is delivered by a small national team within Digital Care Hub and local partners who are primarily trade associations representing care providers. | Is managed by the Government’s National Cyber Security Centre and delivered by IASME - a cyber security certification company. |