Cyber security: guidance for public sector suppliers

The security of supply chains is increasingly important, because cyber incidents often affect public sector bodies indirectly, through their suppliers. This guidance note promotes the adoption of a consistent approach to supplier cyber security across the Scottish public sector.


Annex A – Certification And Accreditation

1. Key Point 4 of this guidance note encourages the appropriate, proportionate use of certification and accreditation to evidence compliance with minimum cyber security requirements. This annex provides further information on the expected costs and benefits of adopting this approach.

Certification And Accreditation

2. The following certification/accreditation schemes may be appropriate to demonstrate compliance with minimum cyber security requirements, depending on the specific risk profile of a contract.

Cyber Essentials (Self Assessment)

Cyber Essentials is a simple but effective UK Government-backed scheme that helps organisations, whatever their size, to protect against a range of the most common cyber attacks.

At the entry level, Cyber Essentials offers a “self-assessment” option, which involves answering questions about your critical cyber security arrangements and submitting these to a certification body, which will verify that the answers provided meet the requirements of the scheme.

Note that where small or medium firms do not have their own on-premise IT networks, they may be unable to achieve Cyber Essentials. In these circumstances, those organisations’ own supplier cyber security arrangements are an important area of focus.

Further information can be found at the Cyber Essentials website.

Cyber Essentials Plus

Cyber Essentials Plus covers the same protections as Cyber Essentials; the difference is that the verification of an organisation’s cyber security is carried out independently by a Certification Body rather than by self-assessment.

Further information can be found at the Cyber Essentials website.

IASME (Information Assurance for SMEs) Governance Standard (Audited)

IASME provides both a Level 1 and Level 2 Cyber Assurance Scheme, which considers the following controls:

  • Risk Assessment & Risk Management
  • Operational / People / Change Management
  • Monitoring & Backups
  • Data Protection (GDPR)
  • Incident Management & Business Continuity

Level 1 is a self-certification, and Level 2 involves an independent audit. “Cyber Essentials” certification is a prerequisite for either level of IASME Cyber Assurance. The IASME Cyber Assurance Scheme was created to offer SMEs an affordable and achievable alternative to the international standard, ISO 27001. The IASME Governance standard maps closely to several widely recognised cyber security and assurance standards and guides, so it can be used to demonstrate compliance with many of those standards; however, certification must be renewed annually.

Further information can be found at the IASME website.

ISO 27001

This is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes. It includes details for documentation, management responsibility, internal audits, continual improvement and corrective and preventive action. The ISO standard requires co-operation by all parts of an organisation and is independently audited and accredited.

Further information can be found at the BSI website.

Contact

Email: cyberresilience@gov.scot
