
ISO 27001 for UK Healthtech: NHS DSPT, DTAC, and the Procurement Gates You Will Actually Face

Muhammad Waleed, Lead Consultant, Pixelette Certified

Selling into the NHS is unlike selling into any other UK market. The procurement framework is layered, the security questions are sector-specific, and the assessor at the other end of the form is not a generic procurement officer. They are a Caldicott Guardian, a clinical safety officer, or a DPO who knows exactly what an Information Governance failure costs in patient harm and regulatory exposure. ISO 27001 is not the only thing they will ask for. But without it, the conversation rarely starts. This guide explains the four assurance frameworks every UK healthtech selling into the NHS will encounter, where ISO 27001 fits in the stack, and what to do if you have a tender deadline this week and a buyer who has already asked for your DSPT submission.

UK NHS procurement gates cluster around four assurance instruments. First, the Data Security and Protection Toolkit (DSPT), which is mandatory for any organisation that processes NHS patient data. It is self-assessed annually against the National Data Guardian's ten data security standards and submitted via the DSPT portal with evidence. Without a current DSPT submission marked "Standards Met," you will not pass NHS supplier vetting. Second, the Digital Technology Assessment Criteria (DTAC), the assessment framework for digital health products published by NHS England and NHSX, covering clinical safety (DCB0129/DCB0160), data protection, technical security, interoperability, and usability. DTAC is required for any digital product procured by NHS organisations. Third, ISO/IEC 27001:2022, which is not legally required for NHS procurement but is functionally required. Holding ISO 27001 typically removes 30 to 40 percent of the questions on a DSPT submission and provides the underlying evidence base for the technical security section of DTAC. Fourth, Cyber Essentials Plus, mandatory for any supplier handling NHS data above a certain risk threshold.

In practical terms, a UK healthtech selling into the NHS needs all four. The order matters. Cyber Essentials Plus first, because it is the cheapest and fastest of the four and it unblocks the procurement vetting process. ISO 27001 second, because it provides the management system and evidence base that everything else depends on. DSPT third, leveraging the ISO 27001 evidence to accelerate the self-assessment. DTAC fourth, scoped to the specific product being procured. Doing them out of order is the most common mistake we see. Companies submit DSPT first, score "Standards Not Met," then spend three months remediating control gaps that ISO 27001 would have surfaced and fixed in a single workstream.

Based on engagements with healthtech clients selling into NHS Trusts, ICBs, and NHS Digital itself, the questions that matter most are not the ones founders expect. Buyers prioritise, in order: clinical safety (have you appointed a clinical safety officer and do you have a DCB0129 hazard log), data residency (where is the data stored and is it within the UK), sub-processor risk (which third parties have access to patient data and are they DSPT-compliant in their own right), incident response (what is your notification commitment to the NHS Trust as data controller), and interoperability (does your product support FHIR, OpenEHR, or IHE profiles). ISO 27001 alone does not answer all of these, but it provides the management system spine on which the answers can be evidenced.

NHS tender windows are short. Pre-Qualification Questionnaires typically run on a 21-day to 35-day cycle and Invitation to Tender responses on a 28-day to 42-day cycle. If you receive a PQQ today and you do not yet hold ISO 27001, Cyber Essentials Plus, and a current DSPT submission, you have two options. Option A is to decline this tender and build properly for the next one. Option B is to initiate the programme and submit a forward-looking response. If the tender is significant and the Trust has flexibility, the credible path is to initiate ISO 27001 and Cyber Essentials Plus immediately, secure a contracted timeline, and respond to the tender with the named implementation partner and target audit dates. NHS procurement teams will accept this in roughly 60 percent of cases for tenders where the technical fit is strong and the certification timeline is within 90 days.

For a UK healthtech without any current certifications, a defensible 90-day programme looks like this: Days 1 to 14 for Cyber Essentials Plus initial assessment and remediation, Days 1 to 60 for ISO 27001:2022 implementation and Stage 2 audit in parallel, Days 30 to 75 for DSPT preparation and submission leveraging ISO 27001 evidence, and Days 60 to 90 for Cyber Essentials Plus certification audit and DTAC pack assembly. Total cost for a sub-50-employee healthtech is typically 18,000 to 32,000 pounds across all four workstreams. Compared to the value of a single NHS Trust contract, typically 80,000 to 450,000 pounds in year-one ARR for a digital health product, the arithmetic is uncontroversial.

If your product touches clinical decision-making, AI-driven diagnostics, or patient-facing workflows that could cause clinical harm, the four frameworks above are necessary but not sufficient. You will also need DCB0129 and DCB0160 clinical safety case management, MHRA registration if your product meets the medical device definition, and potentially ISO 13485 for medical device quality management. This is a genuinely longer programme. Healthtechs that try to compress it lose deals at the clinical safety officer review, not at procurement.
