Evidence requirements for NHS DSPT submissions: a practical guide for UK SMEs

Latest Comments

No comments to show.
A professional workspace showing a laptop, organised compliance documents, and a simple evidence checklist with subtle gold and purple accents.

Evidence requirements for NHS DSPT submissions: a practical guide for UK SMEs

If your business handles NHS data or supports an organisation that does, the NHS Data Security and Protection Toolkit can feel less like a form and more like a test of how well your security is documented. For many small and medium-sized businesses, the challenge is not only having the right controls in place. It is proving that those controls exist, are being used, and are being reviewed.

That matters because a weak evidence set can create delays, extra work, and awkward follow-up questions from customers. It can also make your business look less organised than it really is. The good news is that you do not need a large compliance team to prepare a solid submission. You need a sensible structure, clear ownership, and evidence that matches how your business actually operates.

What the NHS DSPT is asking you to prove

The difference between having controls and showing evidence

Many businesses assume that if a policy exists, the job is done. In practice, the submission is usually asking for more than a document. It is asking for proof that your security arrangements are real and current.

For example, it is not enough to say that staff receive security training. You may need to show when the training was delivered, who completed it, and how you know new starters are included. Likewise, it is not enough to say that laptops are protected. You may need to show the settings in place, the process for applying updates, and the record that those updates are being completed.

Why evidence matters for suppliers and SMEs

For suppliers, evidence is often part of maintaining trust. NHS organisations want confidence that their data is handled carefully and that your business can respond if something goes wrong. For SMEs, this is also a commercial issue. A clear evidence pack can reduce back-and-forth, shorten review cycles, and make future renewals easier.

Think of evidence as the story of your security controls, told in a way another organisation can understand quickly. If the story is clear, consistent, and current, you are in a much better position.

The main types of evidence you are likely to need

Policies, procedures, and records

These are the documents that show what your business says it does and what it has done. Examples include:

  • Information security policies
  • Acceptable use rules for staff
  • Incident response procedures
  • Backup and recovery procedures
  • Supplier management records
  • Training completion records

Policies should be current, approved, and easy to link to the control they support. Procedures should be practical enough that someone in the business could follow them. Records should show that the procedure has been used, not just written down.

Technical screenshots, reports, and system settings

Some evidence needs to come from your systems. This might include screenshots or exports showing:

  • Multi-factor authentication is turned on for key accounts
  • Devices are encrypted
  • Security updates are being applied
  • Backups are running successfully
  • Logging or alerting is enabled

Where possible, use reports rather than one-off screenshots. Reports are easier to repeat and usually show a more reliable picture. If you do use screenshots, make sure they are readable, dated, and clearly labelled.

Training, incident, and supplier records

These records help show that your controls are active in day-to-day business life. Useful examples include:

These items are often overlooked because they feel administrative. In reality, they are some of the strongest proof that your security arrangements are being managed rather than simply described.

How to build an evidence pack without creating extra work

Create a simple evidence map against each requirement

The easiest way to avoid confusion is to create a basic evidence map. This is simply a list that links each requirement to the evidence that supports it. You do not need a complicated system. A spreadsheet is often enough.

For each item, record:

  • The requirement or question
  • The evidence you will use
  • Who owns it
  • Where it is stored
  • When it was last checked

This helps you spot gaps early. It also stops different people from collecting overlapping or inconsistent material.

Use one owner per evidence area

Evidence collection becomes messy when everyone assumes someone else is handling it. Assign one owner to each area, such as access control, training, backups, or supplier checks. That person does not need to do everything themselves, but they should be responsible for making sure the evidence is complete and current.

For a small business, this can be the difference between a calm review and a last-minute scramble. Ownership creates accountability, which is especially useful when the submission deadline is close.

Keep naming, dates, and versions consistent

Inconsistent file names and outdated versions waste time. A reviewer should be able to tell at a glance what a document is, when it was updated, and whether it is the latest version.

A simple naming pattern such as control-area-document-name-version-date can help. Keep the same format across policies, screenshots, exports, and logs. If a document has been approved, make that clear. If a screenshot relates to a specific system or account, label it clearly.

Common evidence gaps that delay submissions

Out-of-date documents and missing approvals

One of the most common problems is a policy that looks complete but has not been reviewed for years. Another is a document that exists but has no clear approval. That raises questions about whether the business still stands behind it.

Before submission, check that key documents are:

  • Current
  • Approved by the right person
  • Aligned to the way the business now works
  • Stored in a place staff can actually find

Controls that exist but are not recorded

Many SMEs already do more than they realise. The issue is that the evidence is scattered across inboxes, shared drives, and system dashboards. If a control is not recorded, it is harder to prove and easier to forget.

Examples include:

  • Manual checks that are done but never logged
  • Backups that run successfully but are not reviewed
  • Access changes that happen through informal messages
  • Supplier reviews that are discussed but not documented

Where a control is important, make the record part of the process. That does not mean creating paperwork for its own sake. It means making sure the business can show what it did if asked.

Evidence that does not match the current process

Sometimes the evidence is real, but it no longer reflects how the business operates. A policy may describe one way of working while the team now uses another. A screenshot may show a setting that has since changed. A training record may cover last year but not the current team.

This is a common source of rework. The fix is simple: compare the evidence to the live process before you submit. If something has changed, update the evidence or replace it.

What good evidence looks like in practice

Examples for access control, patching, backups, and training

Good evidence is specific, current, and easy to understand. Here is what that often looks like in practice:

  • Access control: a list of named users with the right level of access, plus a recent review showing who checked it and when
  • Patching: a report showing update status across devices, along with a process for dealing with overdue updates
  • Backups: a backup report, plus evidence that restore tests have been carried out and the results recorded
  • Training: completion records for staff, including starters and anyone who joined part-way through the year

The key point is that the evidence should show the control is operating, not just that it was designed.

How to show that a process is working, not just written down

A written procedure tells the reader what should happen. Evidence should show what did happen. That can be done through records, logs, approvals, or reports.

For example, if your process says leavers lose access on their last day, show a recent leaver record with the access removal date. If your process says backups are checked daily, show a sample of backup review records. If your process says staff complete annual training, show the completion report and any follow-up for those who have not finished it.

This is often where SMEs gain confidence. Once the business starts collecting evidence as part of normal operations, the submission becomes much less stressful.

A simple preparation checklist for SMEs

What to gather in the first week

If you are starting from scratch, begin with the basics:

  • Current security policies and procedures
  • Training records for staff
  • Access review records
  • Backup and restore evidence
  • Patch or update reports
  • Incident log or incident summary
  • Supplier review records for important third parties

Do not try to perfect everything at once. The first goal is to see what you already have and where the gaps are.

What to review before submission

Before you submit, check the evidence set for three things:

  • Accuracy: does it reflect the current process?
  • Completeness: does it cover the full requirement?
  • Consistency: do the dates, names, and versions line up?

If you can answer yes to those three questions, you are in a far stronger position.

How to keep evidence ready for the next cycle

The best approach is to treat evidence as an ongoing business task rather than a once-a-year project. Set a simple review rhythm, such as monthly or quarterly, for the most important items. Keep a central folder or register so evidence is easy to find. Update records as part of normal work, not after the fact.

That approach saves time, reduces stress, and makes future submissions much easier to manage.

When to get help

Signs your evidence set is too thin or inconsistent

You may want outside support if:

  • You cannot easily link evidence to each requirement
  • Different teams hold different versions of the same document
  • Controls exist but are not being recorded consistently
  • You are relying on screenshots and memory rather than records
  • The submission is due soon and the evidence set still feels incomplete

These are not unusual problems. They are common in growing businesses, especially where security responsibilities have developed informally over time.

Where external support can save time and reduce rework

External support can help you organise the evidence, identify gaps, and turn a scattered set of documents into a clear submission pack. It can also help you decide what is worth documenting in more detail and what can stay simple.

For SMEs, the value is usually in saving time and avoiding repeated rework. A practical review can help you focus on the evidence that matters most, rather than collecting material that does not add much value.

If you want a structured, business-led approach to preparing evidence for NHS DSPT submissions, a consultant can help you build a process that is easier to maintain the next time around.

Speak to a consultant if you would like help turning your current controls into a clear, manageable evidence pack.

Frequently asked questions

What evidence is usually expected for an NHS DSPT submission?
You are usually expected to show that key security controls exist, are being used, and are being reviewed. That often includes policies, training records, access reviews, backup evidence, patching reports, incident records, and supplier checks.

How can a small business organise evidence without a dedicated compliance team?
Use a simple spreadsheet or register, assign one owner to each evidence area, and store documents in one central place. Keep naming, dates, and versions consistent so the pack is easy to update and review.

Do screenshots count as evidence?
Yes, but they are best used alongside reports and records. Screenshots can help show a setting or configuration, but they are stronger when they are dated, labelled, and linked to a wider process.

How often should evidence be reviewed?
Review the most important items regularly, such as monthly or quarterly, and refresh the full set before each submission cycle. That reduces the chance of discovering gaps at the last minute.

What is the biggest mistake SMEs make with DSPT evidence?
The most common mistake is collecting documents that look good on paper but do not match the current way the business works. Evidence should reflect live practice, not an old version of the process.

Tags:

Comments are closed