Action Note: 014

Previously issued: September 2023

Updated: February 2025

Issue

1. Cyber Essentials is a government backed scheme to help businesses of any size protect themselves against a range of the most common cyber attacks and to demonstrate their commitment to cyber security. To ensure appropriate cyber security controls are in place and reduce cyber security risks in supply chains, since 2014 the government has required suppliers bidding for certain types of public contracts to hold Cyber Essentials or Cyber Essentials Plus certification (or demonstrate that equivalent controls are in place).

2. This Procurement Policy Note (PPN) sets out the actions in-scope organisations should take to identify and mitigate cyber threats for certain types of contracts, along with resources to support implementation.

Dissemination and scope

3. This PPN applies to all central government departments, their executive agencies and non-departmental public bodies, and NHS bodies. Such bodies are referred to as ‘in-scope organisations’.

4. This PPN replaces PPN 09/14 and PPN 09/23.

5. Please circulate this PPN within your organisation, particularly to those with a commercial, procurement and/or contract management role. This PPN should also be of interest to those working in cyber security, government digital and data profession.

6. Other public sector bodies may wish to apply the approach set out in this PPN.

7. This PPN has been updated to reflect new terminology introduced by the Procurement Act 2023 and the Procurement Regulations 2024. The Procurement Act 2023 and the Procurement Regulations 2024 applies to procurements commenced on or after 24 February 2025. For more detail on the meaning of ‘commenced’ please refer to the Procurement Act 2023 Guidance on Transitional and Savings Arrangements.

8. The Procurement Act 2023 does not apply to procurements commenced before 24 February 2025 or to contracts awarded prior to this date (including via frameworks, dynamic purchasing systems or qualification systems established under the previous legislation). For procurements commenced and contracts awarded before this date, please refer to PPN 09/23.

9. This update does not constitute a change in policy or a new call for action but in-scope organisations should continue to apply any ongoing obligations set out in the provisions of this PPN. In-scope organisations do not need to repeat actions which were required upon this PPN’s initial publication.

Timing

10. In-scope organisations should note the provisions of this PPN from 24 February 2025.

Action

11. In-scope organisations must ensure that effective and proportionate cyber security controls are applied to contracts to mitigate supply chain risks.

12. There are key characteristics associated with contracts considered to be at a higher risk of cyber security threats. In-scope organisations must ensure that all suppliers demonstrate that they meet certain technical requirements for contracts or services that include the following characteristics:

• where personal information of citizens, such as home addresses, bank details, or payment information is handled by a supplier;
• where personal information of government employees, ministers and special advisors is handled by a supplier (such as payroll, travel booking or expenses information);
• where ICT systems and services are supplied which are designed to store, or process data at the OFFICIAL level of the Government Security Classifications Policy,^{[footnote 1]} and/or
• where contracts deal with information related to the day-to-day business of Government, service delivery and public finances.^{[footnote 2]} criminal justice and enforcement activities, many aspects of defence, security and resilience and commercial interests, including information provided in confidence, intellectual property and the contract itself.

13. Examples of contracts likely to meet these characteristics are set out in Annex A, however this is not an exhaustive list.

14. The quickest and most effective means of mitigating risks associated with such contracts, is for the technical requirements to include either Cyber Essentials or Cyber Essentials Plus certification.^{[footnote 3]} Where Cyber Essentials certification is required, it must be renewed annually by the supplier for the duration of the contract.

15. Where a supplier does not hold Cyber Essentials or Cyber Essentials Plus they must be able to demonstrate equivalent controls are in place through other means.

16. Suppliers and in-scope organisations should note that evidence of holding a Cyber Essentials certificate (or equivalent) is essential at the point when data is to be passed to the supplier.

Limitations

17. In-scope organisations should note that the Cyber Essentials Scheme does not assure specific products or services being supplied. Where specific assurance of products or services is required, further relevant standards should be applied.

18. In some cases, the potential cyber risks associated with a contract, and the control measures required to mitigate them, may exceed the parameters of the Cyber Essentials Scheme. In these instances, security teams or experts should be consulted to ensure proportionate additional measures are put in place. Examples of the types of contracts relevant here are provided at Annex A.

19. The Cyber Essentials Scheme does not negate risk and it is not designed to address more advanced, targeted attacks. Such risks will require significantly more sophisticated additional measures to tackle them. In-scope organisations facing these types of threats should develop a strategic approach as part of a wider organisational security strategy.

20. The Cyber Essentials Scheme should not be applied to all contracts as a matter of course. In-scope organisations must not take a blanket approach. Not all contracts will require suppliers to be certified under a Cyber Essentials Scheme, or to demonstrate equivalent controls.

21. Security controls must be relevant and proportionate to the goods, services or works being procured. In-scope organisations should take care to only require Cyber Essentials certification (or equivalent) where it is relevant to the subject matter of the contract, proportionate and necessary to manage cyber security risks. It is important not to over- burden suppliers or deter Small and Medium-Sized Enterprises (SMEs) and Voluntary, Community and Social Enterprises (VCSEs) from bidding for public contracts.

22. Cyber Essentials is self assessment, with organisations completing a questionnaire. The questionnaire is then verified by an independent certification body to assess whether the appropriate standard has been achieved, and certification can be awarded. This option offers a basic level of assurance.

23. In-scope organisations should ensure decisions relating to appropriate cyber security controls are recorded in the audit trail, including circumstances where cyber security risks are assessed as very low, not relevant, or where no measures are required.

24. A more comprehensive update on the application of the Cyber Essentials scheme will be published in line with National Cyber Security Centre’s redevelopment of the CE scheme.

Suppliers on G-Cloud Framework Agreements

25. In-scope organisations accessing Cloud services through the Crown Commercial Service (CCS) G-Cloud Commercial Agreements should note that suppliers on these Agreements are required to demonstrate they comply with the Government’s Cloud Security Principles.

26. Suppliers are encouraged to state if they have Cyber Essentials or Cyber Essentials Plus certification as part of their service offer, but it is not a requirement of the commercial agreement for suppliers to hold this certification.

27. When awarding call-off contracts via G-Cloud, in-scope organisations should assure themselves that the supplier(s) are managing relevant cyber risks effectively before making a contract award.

Background

28. The Cyber Essentials Scheme provides a sound foundation of basic hygiene measures that all types of organisations can implement, and build upon, and can significantly reduce an organisation’s vulnerability. It was developed by government and industry to fulfil two functions:

• to provide a clear statement of the fundamental controls all organisations should implement in order to increase their cyber security, aiming to mitigate the risks from many common internet based threats, within the context of the government’s 10 Steps to Cyber Security; and
• to offer a mechanism for organisations to demonstrate to customers, investors, insurers, and others, that they have taken these essential precautions.

29. The full requirements of the Cyber Essentials Scheme.

Contact

30. Enquiries about this PPN should be directed to the Helpdesk (telephone 0345 410 2222; email info@crowncommercial.gov.uk).

31. Frequently asked questions (FAQs) are set out in Annex C.

32. Further information is available on the following websites:

• NCSC Cyber Essentials website
• Cyber Essentials Scheme Partner: IASME
• Cyber Essentials readiness toolkit
• Details of certification bodies
• Cyber Essentials Advice and Guidance
• Cloud security principles
• NCSC Supply Chain Risk Assessment Guidance
• National Protective Security Authority Supply Chain Guidance
• The Digital, Data and Technology Playbook

Annex A - Examples

1. The following are contract examples^{[footnote 4]} which would be considered to meet the characteristics for the inclusion of Cyber Essentials requirements:

• Curriculum vitae (CV) writing services to support individuals back into the labour market. Data held by the supplier will include citizens’ personal information; such as name, address, telephone number, date of birth, email address and National Insurance number.
• Car hire services for members of staff. Data held by the supplier will include personal information of civil servants including name, work address, work email, home address and driving licence number.
• Contact centre services for advice, guidance and signposting for individuals. Data held by the supplier will include citizens’ personal information; such as name, address, telephone number, date of birth, email address and National Insurance number.

2. Other types of contracts where Cyber Essentials, Cyber Essentials Plus, or equivalent controls, may be relevant, include:

• where data is held or accessed outside of the UK/EC;
• where data is subject to the EU-US Data Privacy Framework;
• where data is regularly held in a separate disaster recovery location;
• escrow and disaster recovery suppliers with access to customer data.

3. Additional control measures are likely to be required when letting contracts in the following categories:

• Professional services suppliers, where the data being handled is classified as higher than “Official”- this may include commercial, financial, legal, HR and business services.
• ICT- IT Managed, Outsourced and ICT Services Providers (running systems that store data).

4. Examples where the Scheme would not be relevant in contracts includes:

• Communications and marketing planning services for a specific departmental product or service, which would not require access to personal data. In such instances, the supplier would have access to some OFFICIAL level communications and personal information of civil servants as points of contact that are necessary to administer the delivery of the service; but this may not meet the required security thresholds for the application of Cyber Essentials controls.
• Driving instructor services for 10 individuals with very limited access to personal data involved and delivered by a sole trader whose use of IT is limited and incidental to the service being delivered.
• Contract to deliver ICT support services which includes an element of Legacy IT provision. Effective cyber security controls would need to be implemented for all aspects of the service delivery, however legacy systems cannot meet the requirements of Cyber Essentials. In such cases overarching Cyber Essentials requirements could be required for relevant areas, and effective alternative controls for those unable to be assured by Cyber Essentials controls.

Annex B – Key Features of Cyber Essentials and Cyber Essential Plus

Full details on the requirements of Cyber Essentials and Cyber Essentials Plus.

The key features are summarised below:

Cyber Essentials

• Cyber Essentials assesses how an organisation has implemented five technical controls which protect from the vast majority of common (internet based) cyber attacks.
• This is important because vulnerability to basic attacks can mark out an organisation as a target for more in-depth unwanted attention from cyber criminals and others.
• Cyber Essentials is a self assessment option, with organisations completing a questionnaire. The questionnaire is then verified by an independent certification body to assess whether the appropriate standard has been achieved, and certification can be awarded. This option offers a basic level of assurance
• Certification gives you peace of mind that your defences will protect against the vast majority of common cyber attacks simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place.
• When certified, organisations can demonstrate that they are meeting the minimum baseline of technical cyber security standards/controls that are prescribed by government and industry.

Cyber Essentials Plus

• Cyber Essentials Plus assesses the same technical controls as Cyber Essentials, but also comprises remote and on-site vulnerability testing.
• This checks whether the controls the supplier has put in place actually provides a defence against basic hacking and phishing attacks, using commodity tools that are widely available online.
• It is a more rigorous assessment and should be used when there is a higher risk of cyber security threats.

Annex C – Frequently Asked Questions (FAQs)

Full details on the requirements of Cyber Essentials and Cyber Essentials Plus.

Q1 Why should Cyber Essentials / Cyber Essentials Plus be used in the Government’s supply chain?

• To manage cyber security risk in government’s supply chain; and
• to allow government’s suppliers to use a recognisable scheme to demonstrate to other potential customers that they take cyber security seriously.

Q2 Which technical areas does Cyber Essentials cover?

• Boundary firewalls and internet gateways
• Secure configuration
• Access control
• Malware protection
• Security update management

Full details on the requirements of Cyber Essentials and Cyber Essentials Plus.

Q3 When should I notify suppliers of any applicable Cyber Essentials requirements?

Ideally this should be discussed with potential suppliers at an early stage in the procurement (e.g., as part of preliminary market engagement when you are shaping your overall project requirements). Any applicable Cyber Essentials requirements must be specified in the tender notice for any competitive tendering procedure, and consideration should be given to highlighting any Cyber Essentials requirements in notices preceding the tender notice (if applicable) to provide suppliers with the longest possible time to seek certification.

Q4 How do suppliers undertake the certification process?

This service is provided by government approved certification bodies which are currently accredited by Information Assurance for Small and Medium Enterprises (IASME).

Further details.

Q5 At which point in the procurement is the supplier required to demonstrate Cyber Essentials certification?

Evidence of holding a Cyber Essentials certificate (whether basic level or Plus level), or equivalent, is required before contract award.

Under exceptional circumstances, in-scope organisations may wish to make a risk- based decision and allow a contract to commence if Cyber Essentials certification of a supplier is not current i.e. it has expired and is in the process of being renewed. However, the supplier must be able to demonstrate that they hold the appropriate certification, or equivalent, at the point when data is to be passed to the supplier.

Q6 How much will it cost a supplier to become Cyber Essentials certified?

The cost for smaller companies to be Cyber Essentials certified is currently expected to range between £300 and £500+ VAT at basic level. The cost of a Cyber Essentials Plus assessment will depend on the size and complexity of your network. Please contact IASME with any questions and for further advice and guidance. It is possible that costs may change in the future. Up-to-date information on costs

Q7 How often will Cyber Essentials certification need to be renewed?

Suppliers must recertify every 12 months in order to maintain a valid certificate. Failure to do so renders the supplier uncertified. As Cyber Essentials provides assurance of compliance only at the time of testing; certified organisations failing to regularly patch their ICT or control secure configuration may become non-compliant in substantially less than one year. The requirement to certify at more regular intervals should be risk based and determined on a case-by-case basis, subject to the requirements of the contract.

Q8 What does the scope of Cyber Essentials cover?

By default, Cyber Essentials applies to the legal entity providing the goods/services rather than any wider corporate entity of which the supplier may be a part. However, suppliers can restrict the scope of certification to only part of the legal entity.

In-scope organisations should be aware that a supplier may share a client’s information with a third party such as a cloud service provider. Cyber Essentials does not ensure that the security of the third party is in scope of certification. In-scope organisations are therefore advised to check the scope of a Cyber Essentials certificate and consider whether the risks of information sharing justify requiring Cyber Essentials certification with any third party.

Q9 How does Cyber Essentials fit in with/complement existing security requirements?

There is an existing set of information assurance and cyber security requirements that the government has in place for suppliers. In some circumstances, Cyber Essentials will be used in areas not covered by these requirements or it will be used alongside these requirements, or used as part of them.

• The Model Services Contract (MSC) is a standard contract used across government to ensure consistency of terms and conditions for complex services contracts, particularly those with ICT and Business Process Outsourcing providers exceeding £20 million in value. The MSC addresses security management in the ‘Security Management’ schedule. This schedule requires that the supplier and relevant subcontractors have Cyber Essentials or Cyber Essentials Plus certifications (or equivalent), alongside other ongoing security requirements.
• The Security Policy Framework (SPF) describes the mandatory security outcomes that all government organisations and third parties handling government information must achieve. These outcomes describe the necessary measures for information and technology, personnel and physical security. The Cyber Essentials Scheme covers some of the technical security measures.
• The ISO27001 standard is widely used but companies that attain this standard will not automatically conform to Cyber Essentials. This is because it is not usual for all of the five technical controls in Cyber Essentials to be included in the scope for ISO27001 implementation. It is also unlikely that any of these controls will be tested for ISO27001. Therefore most businesses with ISO27001 will have to adopt Cyber Essentials in addition to ISO27001 or demonstrate equivalent controls are in place.

Q10 Are there alternatives to demonstrating compliance with Cyber Essentials technical requirements other than through gaining the certificate?

Yes. To comply with section 56 (Technical Specifications) of the Procurement Act 2023 for public contracts, in-scope organisations must accept equivalents and suppliers need only demonstrate to the satisfaction of the in-scope organisations that they meet Cyber Essentials requirements. Normally, this should be verified by a technically competent and independent third party.

To demonstrate that Cyber Essentials Plus requirements have been met, it is required in all cases that verification is provided by a technically competent and independent third party.

The quickest and most effective means of ensuring risks associated with contracts displaying these characteristics is through the application of Cyber Essentials to the organisation.