
NHS Data Security and Protection Toolkit

Mandatory annual self-assessment for all organisations that have access to NHS patient data and systems. 40 requirements across 10 National Data Guardian standards covering leadership, staff responsibilities, training, managing data access, process reviews, responding to incidents, continuity planning, unsupported systems, IT protection, and accountable suppliers. Aligned with the National Data Guardian's 10 data security standards and NCSC Cyber Essentials. Applies to all NHS trusts, CCGs, GP practices, social care providers, and third-party suppliers processing NHS data.

AC Access Control

Control | Name | NHS DSPT References
AC-01 | Access Control Policies and Procedures | NDG-1.1, NDG-4.1
AC-02 | Account Management | NDG-4.1, NDG-4.2
AC-03 | Access Enforcement | NDG-1.1, NDG-4.1
AC-04 | Information Flow Enforcement | NDG-9.2, NDG-9.5
AC-05 | Separation Of Duties | NDG-4.1, NDG-4.4
AC-06 | Least Privilege | NDG-1.1, NDG-4.1, NDG-4.4
AC-07 | Unsuccessful Login Attempts | NDG-4.3
AC-16 | Automated Labeling | NDG-4.4
AC-17 | Remote Access | NDG-9.7
AC-19 | Access Control For Portable And Mobile Devices | NDG-9.7
AC-20 | Use Of External Information Systems | NDG-9.7
AC-24 | Access Control Decisions | NDG-4.1, NDG-4.4

AT Awareness and Training

Control | Name | NHS DSPT References
AT-01 | Security Awareness And Training Policy And Procedures | NDG-1.3, NDG-2.1, NDG-3.1, NDG-3.2
AT-02 | Security Awareness | NDG-1.3, NDG-2.1, NDG-2.2, NDG-2.3, NDG-3.1
AT-03 | Security Training | NDG-1.3, NDG-2.2, NDG-2.3, NDG-3.1, NDG-3.2
AT-04 | Security Training Records | NDG-2.1, NDG-2.2, NDG-3.1
AT-06 | Training Feedback | NDG-2.2, NDG-3.1, NDG-6.4

CA Security Assessment and Authorization

Control | Name | NHS DSPT References
CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | NDG-5.1
CA-02 | Security Assessments | NDG-5.1, NDG-7.3
CA-03 | Information System Connections | NDG-10.2, NDG-10.3
CA-05 | Plan Of Action And Milestones | NDG-5.1, NDG-6.4
CA-07 | Continuous Monitoring | NDG-5.1, NDG-7.3, NDG-9.9
CA-08 | Penetration Testing | NDG-9.8

CM Configuration Management

Control | Name | NHS DSPT References
CM-02 | Baseline Configuration | NDG-8.3
CM-03 | Configuration Change Control | NDG-8.2
CM-04 | Monitoring Configuration Changes | NDG-8.2
CM-05 | Access Restrictions For Change | NDG-4.4
CM-06 | Configuration Settings | NDG-9.9
CM-07 | Least Functionality | NDG-4.4
CM-08 | Information System Component Inventory | NDG-5.3, NDG-8.1, NDG-8.3, NDG-9.7
CM-09 | Configuration Management Plan | NDG-8.3
CM-12 | Information Location | NDG-5.3, NDG-8.3
CM-13 | Data Action Mapping | NDG-5.3, NDG-5.4

CP Contingency Planning

Control | Name | NHS DSPT References
CP-01 | Contingency Planning Policy And Procedures | NDG-7.1
CP-02 | Contingency Plan | NDG-7.1, NDG-7.2, NDG-7.4
CP-03 | Contingency Training | NDG-7.1
CP-04 | Contingency Plan Testing And Exercises | NDG-7.1, NDG-7.3
CP-06 | Alternate Storage Site | NDG-7.1, NDG-7.2
CP-07 | Alternate Processing Site | NDG-7.1, NDG-7.2
CP-08 | Telecommunications Services | NDG-7.1, NDG-7.2
CP-09 | Information System Backup | NDG-7.2, NDG-7.3
CP-10 | Information System Recovery And Reconstitution | NDG-7.2
CP-11 | Alternate Communications Protocols | NDG-7.4
CP-12 | Safe Mode | NDG-7.4
CP-13 | Alternative Security Mechanisms | NDG-7.4

IA Identification and Authentication

Control | Name | NHS DSPT References
IA-01 | Identification And Authentication Policy And Procedures | NDG-4.1
IA-02 | User Identification And Authentication | NDG-4.1, NDG-4.3
IA-04 | Identifier Management | NDG-4.1, NDG-4.2
IA-05 | Authenticator Management | NDG-4.1, NDG-4.2, NDG-4.3
IA-08 | Identification and Authentication (Non-Organizational Users) | NDG-4.3
IA-11 | Re-authentication | NDG-4.3
IA-12 | Identity Proofing | NDG-4.3

IR Incident Response

Control | Name | NHS DSPT References
IR-01 | Incident Response Policy And Procedures | NDG-6.1
IR-02 | Incident Response Training | NDG-6.1
IR-03 | Incident Response Testing And Exercises | NDG-6.1
IR-04 | Incident Handling | NDG-6.1, NDG-6.3, NDG-6.4
IR-05 | Incident Monitoring | NDG-6.1, NDG-6.3
IR-06 | Incident Reporting | NDG-6.1, NDG-6.2, NDG-6.3, NDG-6.4
IR-07 | Incident Response Assistance | NDG-6.1
IR-08 | Incident Response Plan | NDG-6.1
IR-09 | Information Spillage Response | NDG-6.2

MP Media Protection

Control | Name | NHS DSPT References
MP-01 | Media Protection Policy And Procedures | NDG-1.1
MP-02 | Media Access | NDG-1.1
MP-04 | Media Storage | NDG-1.1
MP-05 | Media Transport | NDG-1.1
MP-07 | Media Use | NDG-9.7

PL Planning

Control | Name | NHS DSPT References
PL-01 | Security Planning Policy And Procedures | NDG-9.1
PL-02 | System Security Plan | NDG-5.1, NDG-9.1
PL-04 | Rules Of Behavior | NDG-1.3, NDG-2.1
PL-09 | Central Management | NDG-9.1
PL-10 | Baseline Selection | NDG-9.1
PL-11 | Baseline Tailoring | NDG-9.1

PM Program Management

Control | Name | NHS DSPT References
PM-01 | Information Security Program Plan | NDG-9.1
PM-02 | Information Security Program Leadership Role | NDG-1.2
PM-05 | System Inventory | NDG-5.3, NDG-8.1, NDG-8.3
PM-06 | Measures of Performance | NDG-5.1, NDG-6.4
PM-08 | Critical Infrastructure Plan | NDG-7.1
PM-09 | Risk Management Strategy | NDG-5.2, NDG-9.1
PM-11 | Mission and Business Process Definition | NDG-7.1
PM-13 | Security and Privacy Workforce | NDG-2.1, NDG-3.1, NDG-3.2
PM-14 | Testing, Training, and Monitoring | NDG-2.2, NDG-3.2, NDG-5.1, NDG-9.8
PM-16 | Threat Awareness Program | NDG-6.3, NDG-9.8
PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research | NDG-5.2, NDG-5.4
PM-29 | Risk Management Program Leadership Roles | NDG-1.2

PS Personnel Security

Control | Name | NHS DSPT References
PS-01 | Personnel Security Policy And Procedures | NDG-2.3
PS-04 | Personnel Termination | NDG-4.2
PS-05 | Personnel Transfer | NDG-4.2
PS-06 | Access Agreements | NDG-2.3
PS-07 | Third-Party Personnel Security | NDG-4.2
PS-09 | Position Descriptions | NDG-1.2

PT Personally Identifiable Information Processing and Transparency

Control | Name | NHS DSPT References
PT-01 | Policy and Procedures | NDG-1.1, NDG-1.3, NDG-10.2, NDG-5.2, NDG-5.4, NDG-6.2
PT-02 | Authority to Process Personally Identifiable Information | NDG-1.1, NDG-10.2, NDG-5.2
PT-03 | Personally Identifiable Information Processing Purposes | NDG-1.1, NDG-5.4
PT-04 | Consent | NDG-1.3
PT-05 | Privacy Notice | NDG-1.3
PT-06 | System of Records Notice | NDG-1.3
PT-07 | Specific Categories of Personally Identifiable Information | NDG-5.4
PT-08 | Computer Matching Requirements | NDG-6.2

RA Risk Assessment

Control | Name | NHS DSPT References
RA-01 | Risk Assessment Policy And Procedures | NDG-9.1
RA-02 | Security Categorization | NDG-5.3
RA-03 | Risk Assessment | NDG-5.2
RA-05 | Vulnerability Scanning | NDG-8.1, NDG-8.2, NDG-9.8, NDG-9.9
RA-08 | Privacy Impact Assessments | NDG-5.2
RA-09 | Criticality Analysis | NDG-5.3, NDG-8.3
RA-10 | Threat Hunting | NDG-9.8

SA System and Services Acquisition

Control | Name | NHS DSPT References
SA-04 | Acquisitions | NDG-10.1, NDG-10.2, NDG-10.3
SA-09 | External Information System Services | NDG-10.1, NDG-10.2, NDG-10.3
SA-22 | Unsupported System Components | NDG-8.1

SC System and Communications Protection

Control | Name | NHS DSPT References
SC-07 | Boundary Protection | NDG-9.2, NDG-9.4, NDG-9.5
SC-08 | Transmission Integrity | NDG-1.1, NDG-9.2, NDG-9.4, NDG-9.6
SC-12 | Cryptographic Key Establishment And Management | NDG-9.6
SC-13 | Use Of Cryptography | NDG-1.1, NDG-9.6
SC-17 | Public Key Infrastructure Certificates | NDG-9.6
SC-18 | Mobile Code | NDG-9.3, NDG-9.5
SC-24 | Fail in Known State | NDG-7.4
SC-28 | Protection of Information at Rest | NDG-1.1, NDG-9.6, NDG-9.7
SC-32 | System Partitioning | NDG-9.2
SC-39 | Process Isolation | NDG-9.2
SC-44 | Detonation Chambers | NDG-9.3

SI System and Information Integrity

Control | Name | NHS DSPT References
SI-02 | Flaw Remediation | NDG-8.1, NDG-8.2, NDG-9.9
SI-03 | Malicious Code Protection | NDG-9.3, NDG-9.4
SI-04 | Information System Monitoring Tools And Techniques | NDG-9.3, NDG-9.5, NDG-9.9
SI-05 | Security Alerts And Advisories | NDG-6.3, NDG-8.2
SI-08 | Spam Protection | NDG-9.3, NDG-9.4
SI-12 | Information Output Handling And Retention | NDG-5.4
SI-17 | Fail-safe Procedures | NDG-7.4

SR Supply Chain Risk Management

Control | Name | NHS DSPT References
SR-01 | Policy and Procedures | NDG-10.1, NDG-10.3, NDG-10.4
SR-02 | Supply Chain Risk Management Plan | NDG-10.1, NDG-10.4
SR-03 | Supply Chain Controls and Processes | NDG-10.1, NDG-10.3, NDG-10.4
SR-04 | Provenance | NDG-10.1, NDG-10.4
SR-05 | Acquisition Strategies, Tools, and Methods | NDG-10.1, NDG-10.4
SR-06 | Supplier Assessments and Reviews | NDG-10.1, NDG-10.4
SR-09 | Tamper Resistance and Detection | NDG-10.4
SR-10 | Inspection of Systems or Components | NDG-10.4
SR-11 | Component Authenticity | NDG-10.4