The NHS Data Security and Protection Toolkit (DSPT) requires evidence-based compliance: organisations must demonstrate that specific technical controls are operational, not merely attest that policies are in place. For NHS Trusts and suppliers migrating workloads to AWS or Azure, the DSPT assertions that touch cloud environments require technical configurations that default cloud deployments do not include. The pattern that causes Trusts to fail a DSPT submission: the migration was planned and delivered as an infrastructure project, with DSPT compliance treated as a documentation exercise to be completed afterwards.
Data Flow Documentation: DSPT Standard 1
DSPT Standard 1 requires organisations to understand all the personal confidential data they hold, why they hold it, and how it flows within and outside the organisation. For a cloud migration this means documenting the flows the cloud architecture creates: where data is stored and in which region, which services process it, which principals and services can reach it, and what happens when data is transmitted to third-party services. The architecture that satisfies this is one whose data flow maps are generated from the infrastructure-as-code definition and the provider's recorded resource inventory, not hand-drawn diagrams. AWS Config records each resource's configuration and its relationships to other resources; Azure Resource Graph gives the equivalent inventory on Azure, with Azure Policy auditing whether resources meet a required configuration. None of these knows which resources hold personal data, so that classification has to be applied (resource tags are the usual mechanism), and all of them have to be enabled and configured at deployment, not assumed.
DSPT mandatory evidence item 1.3 requires organisations to maintain an up-to-date record of processing activities (RoPA), consistent with UK GDPR Article 30. For cloud environments the RoPA must reflect the actual processing: the services that store or process the data, the regions they run in, the sub-processors involved and the security measures applied. Article 30 asks for the purposes of processing, the categories of data and recipients, any transfers outside the UK and a general description of the security measures; a RoPA that names "AWS" as the processor without identifying the specific services and regions cannot show any of those and will not stand up as evidence for item 1.3.
Access Controls: DSPT Standard 4
DSPT Standard 4 requires that access to personal confidential data is managed and limited to staff who need it for their role. In AWS terms this means IAM policies that implement least privilege and are reviewed regularly. The DSPT evidence requirement: logs demonstrating that the access controls operate and that unauthorised access attempts are detected and responded to. AWS CloudTrail with log file validation enabled, together with AWS Config rules that flag non-compliant IAM policies (for example, policies granting full administrative access), satisfies this. Log file validation is what makes the trail tamper-evident: CloudTrail writes an hourly digest file listing the SHA-256 hash of every log file it delivered, records the hash of the previous digest so the digests form a chain, and signs each digest with an RSA key. Without it, a trail from which files have been edited or deleted is indistinguishable from an intact one, and the logs cannot demonstrate tamper-evidence, which is required for the evidence to be acceptable.
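The digest check described above, as an added example rather than code from the original article or from AWS. It rebuilds the CloudTrail digest structure from constructed data (hypothetical account, bucket and object keys) and runs the hash-chain verification over four scenarios: an intact trail, an edited log file, an edited log file whose digest was regenerated to match, and a deleted log file. The RSA signature step is deliberately omitted: verifying it needs the CloudTrail public key (ListPublicKeys), which is what `aws cloudtrail validate-logs` fetches, and it is the signature, not the hash chain alone, that stops an attacker regenerating every digest from the tampered point onward.

```python
"""Offline check of CloudTrail log-file integrity digests (added example, not
from the article or AWS). Constructed data; signature verification omitted."""
import gzip
import hashlib
import json
from typing import Dict, List, Optional

# Constructed object keys: hypothetical account, bucket and trail layout.
ACCOUNT = "123456789012"
BUCKET = "trust-cloudtrail-logs"
LOG_KEYS = [
    f"AWSLogs/{ACCOUNT}/CloudTrail/eu-west-2/2024/05/01/{ACCOUNT}_CloudTrail_eu-west-2_20240501T0900Z_a1b2.json.gz",
    f"AWSLogs/{ACCOUNT}/CloudTrail/eu-west-2/2024/05/01/{ACCOUNT}_CloudTrail_eu-west-2_20240501T0930Z_c3d4.json.gz",
    f"AWSLogs/{ACCOUNT}/CloudTrail/eu-west-2/2024/05/01/{ACCOUNT}_CloudTrail_eu-west-2_20240501T1015Z_e5f6.json.gz",
]
DIGEST_KEYS = [
    f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/eu-west-2/2024/05/01/{ACCOUNT}_CloudTrail-Digest_eu-west-2_20240501T1000Z.json.gz",
    f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/eu-west-2/2024/05/01/{ACCOUNT}_CloudTrail-Digest_eu-west-2_20240501T1100Z.json.gz",
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def gz(obj: dict) -> bytes:
    # CloudTrail delivers logs and digests as gzipped JSON; mtime=0 keeps the
    # bytes deterministic so identical content always hashes the same.
    return gzip.compress(json.dumps(obj).encode(), mtime=0)


def make_digest(key: str, log_keys: List[str], objects: Dict[str, bytes],
                previous_key: Optional[str]) -> bytes:
    """Digest in the shape CloudTrail writes hourly: one SHA-256 per delivered
    log file plus the hash of the previous digest object (the chain link)."""
    digest = {
        "awsAccountId": ACCOUNT,
        "digestS3Bucket": BUCKET,
        "digestS3Object": key,
        "digestSignatureAlgorithm": "SHA256withRSA",  # signature lives in S3 object metadata
        "previousDigestS3Bucket": BUCKET if previous_key else None,
        "previousDigestS3Object": previous_key,
        "previousDigestHashAlgorithm": "SHA-256" if previous_key else None,
        "previousDigestHashValue": sha256_hex(objects[previous_key]) if previous_key else None,
        "logFiles": [{"s3Bucket": BUCKET, "s3Object": k, "hashAlgorithm": "SHA-256",
                      "hashValue": sha256_hex(objects[k])} for k in log_keys],
    }
    return gz(digest)


def verify_digest_chain(objects: Dict[str, bytes], digest_keys: List[str]) -> List[str]:
    """Walk digests oldest to newest; return findings (empty list means intact)."""
    findings: List[str] = []
    for key in digest_keys:
        raw = objects.get(key)
        if raw is None:
            findings.append(f"digest missing: {key}")
            continue
        digest = json.loads(gzip.decompress(raw))
        prev_key = digest["previousDigestS3Object"]
        if prev_key is not None:  # first digest of a trail has no predecessor
            prev = objects.get(prev_key)
            if prev is None:
                findings.append(f"previous digest missing: {prev_key}")
            elif sha256_hex(prev) != digest["previousDigestHashValue"]:
                findings.append(f"chain broken: {prev_key} altered")
        for entry in digest["logFiles"]:
            body = objects.get(entry["s3Object"])
            if body is None:
                findings.append(f"log file missing: {entry['s3Object']}")
            elif sha256_hex(body) != entry["hashValue"]:
                findings.append(f"log file altered: {entry['s3Object']}")
    return findings


def build_sample_store() -> Dict[str, bytes]:
    """Constructed S3 contents: three log files and two chained digests."""
    role = f"arn:aws:iam::{ACCOUNT}:role/ClinicalApp"
    records = [
        [{"eventName": "GetObject", "userIdentity": {"arn": role}}],
        [{"eventName": "PutObject", "userIdentity": {"arn": role}}],
        [{"eventName": "AttachUserPolicy", "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/contractor"}}],
    ]
    objects = {k: gz({"Records": r}) for k, r in zip(LOG_KEYS, records)}
    objects[DIGEST_KEYS[0]] = make_digest(DIGEST_KEYS[0], LOG_KEYS[:2], objects, None)
    objects[DIGEST_KEYS[1]] = make_digest(DIGEST_KEYS[1], LOG_KEYS[2:], objects, DIGEST_KEYS[0])
    return objects


def demo() -> Dict[str, List[str]]:
    intact = build_sample_store()

    # An attacker empties a delivered log file to hide an event.
    altered_log = dict(intact)
    altered_log[LOG_KEYS[0]] = gz({"Records": []})

    # ...and regenerates the digest that covered it so the file hash matches
    # again. The next digest still carries the hash of the original digest.
    altered_digest = dict(altered_log)
    altered_digest[DIGEST_KEYS[0]] = make_digest(DIGEST_KEYS[0], LOG_KEYS[:2], altered_digest, None)

    # A log file is deleted outright.
    deleted_log = dict(intact)
    del deleted_log[LOG_KEYS[2]]

    return {
        "intact": verify_digest_chain(intact, DIGEST_KEYS),
        "altered_log": verify_digest_chain(altered_log, DIGEST_KEYS),
        "altered_digest": verify_digest_chain(altered_digest, DIGEST_KEYS),
        "deleted_log": verify_digest_chain(deleted_log, DIGEST_KEYS),
    }


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(f"{scenario}: {findings or 'OK'}")
```

Two points the scenarios make for a DSPT reviewer: a deleted or edited log file is caught by the digest that covered it, and an edited digest is caught by the digest after it, so the assessor should see the validation run over the whole submission period, not a single hour. The same verification against a live trail is `aws cloudtrail validate-logs --trail-arn <arn> --start-time <time>`, which also checks the signatures this example leaves out.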
Backup and Business Continuity: DSPT Standard 7
DSPT Standard 7 requires a continuity plan for data security incidents and that critical systems and data can be recovered after a disaster or major incident. The evidence requirement: documented and tested backup and recovery procedures, where "tested" means a recovery was actually performed, not that a test was scheduled. For cloud environments this means automated backup configured for every datastore (RDS automated backups, S3 versioning, EBS snapshots, or AWS Backup plans covering them), recovery procedures that have been executed at least once into a non-production account, and recovery time and recovery point objectives aligned with the Trust's business continuity requirements. The restore test should be run with the permissions and encryption key access a real recovery would have; a backup whose KMS key the recovering principal cannot use, or that lives only in the account that was compromised, does not satisfy the standard.
Vulnerability Management: DSPT Standard 8
DSPT Standard 8 requires that no unsupported operating systems, software or browsers remain in the IT estate and that supported systems receive security patches promptly; Standard 9 extends this to protecting IT systems from cyber threats generally. Together they require that IT systems are protected from exploitation of known vulnerabilities. The evidence requirement: a vulnerability scanning schedule with results, and a process that remediates identified vulnerabilities within a defined timeframe. Amazon Inspector or Microsoft Defender for Cloud provide continuous vulnerability scanning of instances and container images, but both have to be enabled in every account and region in scope and connected to the organisation's remediation workflow (for Inspector, typically by routing findings through AWS Security Hub or EventBridge into the ticketing system). The DSPT evidence must show each vulnerability tracked from detection to remediation, not just that scanning occurs.
- Enable AWS Config (or Azure Resource Graph with Azure Policy) at deployment: data flow documentation derived from infrastructure-as-code and the recorded resource inventory is more defensible than hand-drawn diagrams
- Enable CloudTrail in all regions with log file validation switched on: tamper-evidence is required for access control log evidence
- Configure AWS Backup or Azure Backup for all datastores and execute at least one full restore into a non-production account before DSPT submission
- Enable Amazon Inspector or Microsoft Defender for Cloud in every in-scope account and region, and configure a remediation workflow that tracks each finding to closure
- Build the RoPA around the specific AWS or Azure services, regions and sub-processors, not just the cloud provider's name
- Review IAM policies against DSPT Standard 4 least-privilege requirements: use IAM Access Analyzer to find overly permissive policies and unused permissions
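To make the last point concrete, here is an added example of the kind of least-privilege review a DSPT assessor expects to see evidence of. It is not code from the original article and it is not IAM Access Analyzer; it is a simplified lint over IAM policy documents that flags the patterns Access Analyzer's policy validation and a human reviewer would both object to (full or service-wide wildcard actions, wildcard actions on Resource "*" with no Condition, Allow statements written with NotAction, and privilege-escalation actions such as iam:PassRole left unscoped). The five policies are constructed, the bucket and role names are hypothetical, and IAM's full evaluation logic (Deny precedence across policies, permission boundaries, SCPs, resource policies) is not modelled.

```python
"""Least-privilege lint for IAM policy documents (added example; not the
article's code and not Access Analyzer). Constructed sample policies."""
from fnmatch import fnmatchcase
from typing import Any, Dict, List

# Actions that let a principal grant itself or others more access when allowed
# on Resource "*": the escalation paths a reviewer looks for first.
ESCALATION_ACTIONS = ["iam:PassRole", "iam:AttachUserPolicy", "iam:PutUserPolicy",
                      "iam:CreateAccessKey", "iam:AttachRolePolicy", "iam:UpdateAssumeRolePolicy"]


def as_list(value: Any) -> List[Any]:
    # IAM allows a single string or a list for Statement, Action and Resource.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_allowed(patterns: List[str], action: str) -> bool:
    # IAM matches action names case-insensitively with * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def lint_policy(name: str, policy: Dict[str, Any]) -> List[str]:
    findings: List[str] = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever remove access
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = as_list(stmt.get("Action"))
        resources = as_list(stmt.get("Resource"))
        conditioned = bool(stmt.get("Condition"))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]

        if "NotAction" in stmt:
            findings.append(f"{name}/{sid}: Allow with NotAction grants every action not listed")
        for a in wildcard_actions:
            scope = "full access" if a == "*" else f"every {a.split(':')[0]} action"
            findings.append(f"{name}/{sid}: wildcard action {a} grants {scope}")
        if "*" in resources and wildcard_actions and not conditioned:
            findings.append(f"{name}/{sid}: wildcard actions on Resource '*' with no Condition")
        if "*" in resources:
            escalations = [a for a in ESCALATION_ACTIONS if action_allowed(actions, a)]
            if escalations:
                findings.append(f"{name}/{sid}: unscoped escalation actions: {', '.join(escalations)}")
    return findings


# Constructed policies: the first is what a hurried migration ships, the second
# is the same role written properly, the rest are common partial failures.
SAMPLE_POLICIES: Dict[str, Dict[str, Any]] = {
    "ClinicalAppRole-Admin": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "ClinicalAppRole-Scoped": {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadPatientBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::trust-clinical-data", "arn:aws:s3:::trust-clinical-data/*"]},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}]},
    "DataScience": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    "DeployPipeline": {"Version": "2012-10-17", "Statement": [
        {"Sid": "Deploy", "Effect": "Allow",
         "Action": ["lambda:CreateFunction", "iam:PassRole"], "Resource": "*"}]},
    "EverythingExceptBilling": {"Version": "2012-10-17", "Statement":
        {"Effect": "Allow", "NotAction": ["aws-portal:*"], "Resource": "*"}},
}


def lint_all() -> Dict[str, List[str]]:
    return {name: lint_policy(name, doc) for name, doc in SAMPLE_POLICIES.items()}


if __name__ == "__main__":
    for name, findings in lint_all().items():
        print(name, "->", findings or "no findings")
```

Point the same function at real documents by feeding it the `PolicyVersion.Document` field from `aws iam get-policy-version --policy-arn <arn> --version-id <id>`, and keep the output: a dated report showing zero findings on the roles that touch patient data, alongside Access Analyzer's own findings, is the kind of evidence Standard 4 asks for.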
The engineering behind this article is available as a service.
We have done this work — not advised on it, not reviewed documentation about it. If the problem in this article is your problem, the first call is with a senior engineer who has solved it.