Standards Exceeded: our own DSPT, four years running

McCormickCo Security has published a Standards Exceeded assessment under the NHS Data Security and Protection Toolkit every year since 2022.

The DSPT measures organisations against the National Data Guardian's ten data security standards, covering how personal and patient data is protected, how access is controlled, how systems are kept secure, and how an organisation would respond if something went wrong. "Standards Exceeded" is its highest tier: not simply meeting the baseline, but demonstrably going beyond it. We have held that rating four years running.

Why a security consultancy publishes its own

Any organisation with access to NHS patient data and systems is required to complete the DSPT. As an NHS business partner, that includes us, and we think it should.

A great deal of our work is helping NHS organisations and their suppliers get DSPT-ready: building the evidence base, mapping controls to the standards and the Cyber Assessment Framework, and preparing for audit fieldwork. It would be a strange kind of advice to give if we could not show the same discipline in our own organisation.

Experience that goes back to the beginning

Our involvement in NHS information governance did not start with the DSPT. It goes back more than twenty years, to the original Information Governance Toolkit that preceded it. We have followed the framework through every iteration, which means we understand not just the current requirements but the thinking behind them and the direction they are heading.

We also provide DSPT audit and assurance services, working to the NHS DSPT independent assessment guides and the published audit outcomes. That allows us to assess an organisation the way an auditor will, before the auditor does, so there are no surprises when the formal assessment comes around.

And we build our own tools to support this work. DSPT View, our purpose-built platform, is one example: independent, designed specifically for the NHS, and created to make evidence-gathering and assurance against the standards genuinely manageable rather than a once-a-year scramble.

What this means if you work with us

When we help you prepare your submission, you are working with a partner that has been through the process from the inside, repeatedly. We know what the evidence needs to look like, where assessments tend to fall down, and how to turn "we have a control" into "here is the proof it works", because we have had to do exactly that for ourselves.

DSPT readiness is not a form-filling exercise. Done properly, it is a genuine measure of how well an organisation protects the data it holds. Achieving Standards Exceeded once shows capability. Holding it for four years shows it is built into how we operate.

Working towards your own DSPT submission?

Whether you are completing the toolkit for the first time, moving from Standards Met towards Exceeded, preparing for independent audit, or looking for an audit-style assessment before the real one, we can help you build an evidence base that stands up to scrutiny.

Contact | McCormickCo Security — Our team can provide further detail on the technical architecture, assurance mapping, and NHS-aligned delivery approach, and support organisations in assessing how this integration can be safely and effectively implemented within their environment.

‍

‍