Procurement Alert: Cyber Essentials – are your suppliers compliant?
Published 20 October 2014
A new PPN policy guidance note from Central Government requires contracting authorities to include Cyber Essentials requirements in the procurement of any new contract where that contract involves the supplier:
- handling personal data of individuals (employees or citizens); and/or
- handling information at the OFFICIAL level of the Government Protective Marking scheme.
What is Cyber Essentials?
The Cyber Essentials scheme sets out a set of e-security technical standards designed to provide basic protection against the most prevalent forms of internet threat. Details of how organisations can become compliant and certified can be found here.
How do I include Cyber Essentials in my procurement?
Cyber Essentials will most likely be used as a PQQ test, because the accreditation provides a single snapshot of the security standards reached by a supplier's systems at the time of assessment and does not, of itself, impose an ongoing requirement on the supplier to keep complying with those standards.
Suppliers will be required to demonstrate that they have (or will have, if awarded the contract) a Cyber Essentials accreditation. As an alternative to formal accreditation under the Cyber Essentials scheme, suppliers will be permitted to demonstrate that they can meet the Cyber Essentials technical requirements, as verified by a third party.
Contracting authorities should therefore also consider including a provision in the contract requiring the supplier, for example, to renew its Cyber Essentials accreditation every 12 months, or to comply with the Cyber Essentials standards on an ongoing basis throughout the term of the contract.
How do people get accredited?
To gain a Cyber Essentials accreditation, suppliers will be required to complete a questionnaire about their existing systems, which is then verified by an external accreditation body, at an expected cost of around £200.
A Cyber Essentials Plus accreditation is also available. It involves external testing of the supplier's systems and is expected to be required where the e-security risks in relation to a particular contract are assessed as high. The cost of attaining this accreditation is estimated to be higher, between £1,000 and £3,000.