Free PDF download
DSPT v8 ↔ CAF Reference Card
A one-page printable PDF mapping every DSPT v8 (2025/26) assertion area to the corresponding NCSC Cyber Assessment Framework (CAF) principle, with typical evidence examples for small Category 3 and Category 4 providers.
What's on the card
- 14 CAF principles across the four CAF objectives (A: Manage risk, B: Protect, C: Detect, D: Minimise impact)
- The DSPT v8 area each principle covers — translated into the language used in the toolkit, not the raw NCSC text
- Typical evidence examples — the kind of documents and records providers actually upload for Category 3 / 4 submissions
- Format: A4 landscape PDF. Print at 100% scale; designed for print-and-pin or filing with your compliance pack.
Who it's for
Compliance leads, registered managers, practice managers, and pharmacy superintendents who need a quick reference for what each part of DSPT v8 actually maps to in the CAF. Especially useful if you've read about "CAF alignment" but don't want to read the full NCSC framework documentation to figure out what's actually changed.
For the full background, read our Cyber Assessment Framework guide and DSPT v8 changes guide.
Get the PDF
Enter your email to download the reference card. We'll also let you know when DSPTReady's full toolkit is ready.
Already on the waitlist? and download directly.
Preview: what the mapping looks like
| CAF | Principle | DSPT v8 area |
|---|---|---|
| A.1 | Governance | Senior responsibility for data security |
| A.2 | Risk Management | Risk register + annual review |
| A.3 | Asset Management | Data flow + system inventory |
| A.4 | Supply Chain | IT supplier list + data processing agreements |
| B.1 | Service Protection Policies | Data security + acceptable use policies |
| B.2 | Identity & Access Control | User access + leaver process |
| + 8 more principles in the full PDF | ||
Sources behind the mapping
- DSPT 2025/26 v8 announcement — NHS England
- Cyber Assessment Framework — National Cyber Security Centre
- CAF principles and guidance — NCSC
Mapping based on the NCSC Cyber Assessment Framework and DSPT v8 published 18 September 2025. The reference card is a planning aid; always verify against the official DSPT v8 assertion spreadsheet for your category.