Cyber Security Procurement Support Tool: guidance for buyers

Guidance for buyers on embedding use of Cyber Security Procurement Support Tool into the procurement process.


1. To assist all Scottish public sector organisations to implement the Supplier Cyber Security Guidance Note (“the Guidance Note”) in a consistent way, the Scottish Government Cyber Resilience Unit has worked with Procurement Centres of Expertise and key public sector partners to develop a decision-making support tool – the Cyber Security Procurement Support Tool (CSPST) – for optional use.

2. CSPST supports public sector organisations to (i) undertake information/cyber assurance assessments, (ii) identify appropriate, proportionate cyber security requirements, and (iii) seek assurances from bidding suppliers as to the extent to which they comply with these requirements, in a way that is aligned with the Guidance Note.

3. This advice note covers the following key issues:

i. An overview of the key features of the CSPST tool.
ii. Information on how the CSPST tool supports consistent implementation of NCSC Principle 5.
iii. Advice on how organisations can work to embed the use of CSPST in procurement processes.
iv. Advice on the Cyber Implementation Plan (CIP) process that forms a key part of the CSPST tool’s “fit” with procurement processes.

4. The following supporting documentation is available here:

(i) Example Tender and Contract Wording:

  • Section A sets out some example wording that can be used in contract notices and invitations to tender.
  • Section B sets out some example wording that can be used in contractual terms and conditions. It includes links to Scottish Government standard terms and conditions that are made available to the wider public sector, which have been adjusted to facilitate use of CSPST and reflect best practice in respect of cyber security generally.

(ii) Cyber Implementation Plan – Template and Example, which provides a Cyber Implementation Plan template for use in the CIP process.

It is important to understand that CSPST is intended as a decision-making support tool. It is not intended to replace a contracting authority’s obligation to fully consider and manage all relevant cyber risks to a contract.

If in doubt, please ensure that you consult a cyber security expert.


