UK Public Procurement Policy Note 09/14

Now that’s a catchy headline to get your attention! What does it mean, and why blog about it on Cyber Matters?

In short, the policy note published by the Cabinet Office today (26 Sept 2014) says that from 1 October the Cyber Essentials Scheme is mandatory for certain central government contracts:

Government is widely encouraging its adoption and is making it mandatory for Central Government contracts advertised after 1 October 2014 which feature characteristics involving handling of personal information and provision of certain ICT products and services.

The really interesting bit for me (yes I know I’m weird) is Annex A, Clause 11:

Suppliers conforming to the ISO27001 standard where the Cyber Essentials requirements, at either basic or Plus levels as appropriate, (see paragraph 1 above) have been included in the scope, and verified as such, would be regarded as holding an equivalent standard to Cyber Essentials. Therefore suppliers in this situation are exempt, provided that the certification body (likely to be a consultancy) carrying out this verification is approved to issue a Cyber Essentials certificate by one of the accreditation bodies.


This is a recognition that the Information Security Management System required by ISO27001 demands a much more significant investment in cyber security than Cyber Essentials does. That is good news for businesses that have already made the investment. However, it is a little odd on a few fronts:

  1. As observed in the blog “The Cyber Essential Experience”, even as a company holding ISO27001 we were able to improve our business further by adopting Cyber Essentials.
  2. Cyber Essentials Plus includes an element of independent testing, partly to validate the claims made in the self-assessment. ISO27001 does not. So Cyber Essentials Plus does offer something slightly different from what an ISO27001 certificate demonstrates.
  3. The rationale for creating Cyber Essentials was that ISO27001, or any other existing standard for that matter, did not meet the government’s needs. Yet now it seems ISO27001 is a viable substitute.


As an early adopter of Cyber Essentials, I have a further disappointment that will water down the effect of the mandate. Suppliers to the MoD (Annex A, Clause 11) have an exemption pending a scheme of the MoD’s own. This raises the concern that the supply chain to wider HMG may end up with two different things to conform to. We can only hope the MoD recognise that ISO27001 “trumps” their scheme in the same way that the clause discussed above allows it to substitute for Cyber Essentials.

Secondly, the MoD are not alone in having an exemption: the major procurement frameworks of G-Cloud, the Digital Services Framework, the Public Sector Network, the ID Assurance Framework and Assisted Digital also have exemptions (Annex A, Clause 9). I would like to hope these exemptions are part of a transition, and that in due course they will be made consistent with one overall approach.


Have you adopted Cyber Essentials? Is your business secure enough to supply to government?