Transport Scotland penetration testing and security testing data: FOI release

Information request and response under the Freedom of Information (Scotland) Act 2002


Information requested

For each of the last three completed financial years (or the closest available reporting period), please provide the following:

1. Total annual spend on penetration testing and/or security testing services (including external penetration testing, infrastructure testing, application testing, and cloud security testing).

2. Number of engagements or testing exercises conducted per year (for example: annual tests, quarterly tests, ad-hoc engagements).

3. Type of testing procured, where recorded (e.g. infrastructure, web application, internal, external, cloud).

4. Whether the services were:

  • Procured via a framework, or
  • Procured through direct award / individual contracts

  (framework name not required, if this reduces effort).

Response

The answers to your questions are:

1. For the majority of our relevant systems, annual independent penetration testing is a requirement of the overall service contract by which those systems are supported, maintained and developed. This means that we are unable to disaggregate the costs for penetration testing for those systems.

However, we do have one internally-developed system which was penetration tested in Financial Year 2025/26 at a cost of £11900.

2. For the systems that we were unable to disaggregate above, testing has taken place on an annual basis, whilst for the internal system, penetration testing has only taken place once in the period you deemed as being of interest to you.

3. The only directly-procured testing was of web application / cloud, and that holds true for the other tests too, with one of those also being a test of infrastructure.

4. For the one directly-procured service, this was awarded under a single-supplier contract managed by the Scottish Government.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at https://www.gov.scot/foi-responses.

Contact

Please quote the FOI reference
Central Correspondence Unit
Email: contactus@gov.scot
Phone: 0300 244 4000

The Scottish Government
St Andrew's House
Regent Road
Edinburgh
EH1 3DG
