PPN 09/23 (PCR 2015)

Updates to the Cyber Essential Scheme

In: Manage > Manage and monitor

Overview

This PPN applies to central government departments, their executive agencies and non-departmental public bodies, and NHS bodies (collectively referred to as ‘in-scope organisations’).

This PPN sets out government guidance on ensuring effective cyber security controls are in place for certain types of contract considered to be at a higher risk of cyber security threats; or with certain characteristics that would require them to have a greater regard to cyber security concerns.

In particular, this PPN requires that suppliers bidding for these types of contract must demonstrate prior to the award of the contract that they hold Cyber Essentials or Cyber Essentials Plus certification (or demonstrate that equivalent controls are in place).

In-scope organisations should note that there may be cases where a higher level of security controls are required, and should specify these requirements accordingly.

Objective at this commercial stage

Cyber Essentials (or Cyber Essentials Plus) certification must be renewed annually by the supplier for the duration of the contract.

Key considerations at this commercial stage

In-scope organisations should:

  • ensure that Cyber Essentials certification is renewed annually by the supplier.

The PPN should be read alongside the relevant parts of the legal framework, including but not limited to, the following provisions of the Public Contracts Regulations 2015 (which may be particularly relevant to the consideration of this PPN):

  • Regulation 58: Selection criteria
  • Regulation 70: Conditions for performance of contracts
  • Regulation 107: Qualitative selection

Additional support and guidance

Make sure you:

  • read the PPN and any supporting implementation guidance
  • seek legal and commercial advice in the context of specific procurements
Read the PPN

This applies to