NHS DSPT Evidence Requirements Explained for HealthTech SaaS Teams 

Ask a HealthTech SaaS team why DSPT is hard, and you’ll usually hear the same answer: 

“The evidence requirements are unclear.” 

They’re right — to a point. 

DSPT doesn’t always spell out how to present evidence, but it’s very clear about what kind of evidence it values. 

This post explains what DSPT reviewers actually look for, how to avoid common evidence mistakes, and how to prepare documentation that reduces follow-ups instead of creating them. 

Evidence Is About Confidence, Not Volume 

More evidence doesn’t equal better evidence. 

Auditors aren’t impressed by: 

  • Huge folders of screenshots 
  • Long policy documents 
  • Tool lists without explanation 

They want confidence that controls are: 

  • In place 
  • Understood 
  • Reviewed 
  • Maintained 

Clarity beats quantity every time. 

The Four Evidence Categories DSPT Cares About 

Almost all DSPT evidence falls into four buckets. 

1. Monitoring & Alerting 

Reviewers expect: 

  • Visibility into system health 
  • Security-relevant alerts 
  • Proof that alerts are reviewed 

What works well: 

  • A short description of what’s monitored 
  • Example alerts 
  • Evidence of review or response 

What doesn’t: 

  • Dashboards with no explanation 
  • Alerts no one owns 

2. Logging & Retention 

Logs are central to DSPT. 

Auditors look for: 

  • What is logged 
  • Where logs are stored 
  • How long they’re retained 
  • Who can access them 

Common mistake: logging everything but never stating, or enforcing, how long any of it is kept. The retention period written in your policy should match the retention actually configured on the log store; reviewers will ask to see both. 

Retention matters as much as collection. 

3. Access Control & Identity 

DSPT reviewers want to understand: 

  • Who can access what 
  • How access is granted 
  • How access is reviewed 

Clear role definitions matter more than complex IAM setups. 

If you can’t explain access simply, auditors assume risk. 

4. Incident Response Evidence 

This doesn’t require major incidents. 

Even small events count: 

  • Alert triggered 
  • Action taken 
  • Outcome recorded 

The goal is to show learning and control, not perfection. 

Why Screenshots Alone Are Weak Evidence 

Screenshots without context raise questions: 

  • When was this taken? 
  • Is it still accurate? 
  • Who reviews this? 

Strong evidence pairs visuals with explanation: 

  • What this control does 
  • How often it’s reviewed 
  • Who owns it 

Context is everything. 

The Hidden Evidence Requirement: Consistency 

One of the biggest DSPT red flags is inconsistency. 

Examples: 

  • Monitoring described differently across documents 
  • Logs mentioned in one place but not referenced anywhere else 
  • Access rules that differ between environments, with no explanation of why 

Consistency builds trust. Inconsistency triggers follow-ups. 

Preparing Evidence Before You’re Asked 

The most effective approach is to maintain a simple evidence register with one row per control: 

  • Control 
  • Tool or process 
  • Evidence location 
  • Review frequency 
  • Owner 

This single document often answers 80% of auditor questions. 
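As an added example (not from the original post, and not an IG CloudOps tool), here is a small Python script that keeps such a register honest. It loads a CSV with the five columns above plus a last-reviewed date, and flags the gaps a reviewer would ask about: a control with no owner, no evidence location, an unrecognised review frequency, a duplicate entry, or a review that is overdue for its stated frequency. The column names, the sample rows and the review windows are constructed assumptions for the illustration, not DSPT requirements.

```python
"""Evidence register checker (added example; not from the original post).

Assumes the register is a CSV with the five columns the post lists plus a
'last_reviewed' ISO date. Column names, sample rows and the review windows
below are constructed for this illustration.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample register. The third row deliberately has no owner and
# the second row is well past its quarterly review window.
SAMPLE_REGISTER = """\
control,tool_or_process,evidence_location,review_frequency,owner,last_reviewed
Security alerting,Alert rules plus on-call rota,evidence/monitoring/alerts.md,monthly,platform-lead,2025-11-03
Audit log retention,Central log store with 365-day retention,evidence/logging/retention.md,quarterly,platform-lead,2025-06-20
Access reviews,Quarterly review of roles and members,evidence/access/reviews.md,quarterly,,2025-09-15
Incident handling,Runbook plus post-incident notes,evidence/incidents/,annually,security-lead,2025-01-10
"""

# Maximum days allowed between reviews for each frequency (assumed policy values).
REVIEW_WINDOW_DAYS = {"weekly": 7, "monthly": 31, "quarterly": 92, "annually": 366}

REQUIRED_COLUMNS = {"control", "tool_or_process", "evidence_location",
                    "review_frequency", "owner", "last_reviewed"}


@dataclass
class Finding:
    control: str
    issue: str


def load_register(text: str) -> list[dict]:
    """Parse the CSV and fail loudly if a required column is missing."""
    reader = csv.DictReader(io.StringIO(text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"register is missing columns: {sorted(missing)}")
    return list(reader)


def check_register(rows: list[dict], today: date) -> list[Finding]:
    """Return one Finding per gap a reviewer would ask about."""
    findings = []
    seen = set()
    for row in rows:
        control = row["control"].strip()
        # Two rows for the same control usually means two conflicting stories.
        if control in seen:
            findings.append(Finding(control, "duplicate control entry"))
        seen.add(control)
        # A control nobody owns is the "alerts no one owns" problem in register form.
        if not row["owner"].strip():
            findings.append(Finding(control, "no owner"))
        # A reviewer has to be able to open the evidence, so the location is mandatory.
        if not row["evidence_location"].strip():
            findings.append(Finding(control, "no evidence location"))
        freq = row["review_frequency"].strip().lower()
        if freq not in REVIEW_WINDOW_DAYS:
            findings.append(Finding(control, f"unrecognised review frequency '{freq}'"))
            continue
        # Overdue means the last review plus the window is already in the past.
        due = date.fromisoformat(row["last_reviewed"]) + timedelta(days=REVIEW_WINDOW_DAYS[freq])
        if due < today:
            findings.append(Finding(control, f"review overdue since {due.isoformat()}"))
    return findings


def audit(text: str, today_iso: str) -> list[tuple[str, str]]:
    """Convenience wrapper returning (control, issue) pairs for a register and a date."""
    today = date.fromisoformat(today_iso)
    return [(f.control, f.issue) for f in check_register(load_register(text), today)]


if __name__ == "__main__":
    for control, issue in audit(SAMPLE_REGISTER, date.today().isoformat()):
        print(f"{control}: {issue}")
```

Run it from a scheduled job or a pre-commit hook on the register file and the "is this still current?" question is answered before a reviewer asks it; the findings it prints are exactly the follow-ups you would otherwise receive.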

Why DSPT Feels Harder Than ISO 

ISO audits are structured. DSPT reviews are contextual. 

That makes clarity even more important. NHS reviewers want to understand your platform — not generic best practice. 

Final Thought 

DSPT evidence isn’t about proving you’re perfect. 

It’s about proving you’re in control. 

When evidence is clear, current, and well-explained, DSPT becomes a conversation — not a confrontation. 

IG Cloud Ops: Senior Engineers On Demand (https://igcloudops-landers.lovable.app/HealthTech_SaaS_teams?utm_campaign=2026W02-HealthTechSaaS&utm_medium=web&utm_source=blog)
