Social Security Scotland cyber security: FOI release

Information requested

Request for information 1: Has Social Security Scotland ever held a CE+ accreditation?

Request for information 2: Does Social Security Scotland hold a valid CE+ accreditation for the financial year 2022/2024?

Request for information 3: Has Social Security Scotland ever unsuccessfully attempted to attain a CE+ accreditation and if so, why was it unsuccessful?

Request for information 4: When was the last time that Social Security Scotland carried out a full disaster recovery test including a test of being able to restore fully, core systems from backups?

Response

Request for information 1:
Social Security Scotland has previously held a Cyber Essentials Plus accreditation.

Request for information 2:
We have interpreted your request to relate to the financial year 2023/2024. Social Security Scotland does not currently hold a Cyber Essentials Plus accreditation (see response to question 3).

Request for information 3:
An engagement was undertaken with a Cyber Essentials accessor. Social Security Scotland routinely perform a range of assurance activity in relation to cyber security, however given the expansion and complexity of our entirely cloud-based environment it was agreed that Cyber Essentials Plus was not a suitable assurance approach.

Request for information 4:
Recovery tests are regularly completed on individual core systems and a full recovery exercise is scheduled within 2023/24.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.