We use cookies to collect anonymous data to help us improve your site browsing experience.

Click 'Accept all cookies' to agree to all cookies that collect anonymous data. To only allow the cookies that make the site work, click 'Use essential cookies only.' Visit 'Set cookie preferences' to control specific cookies.

Set cookie preferences

Your cookie preferences have been saved. You can change your cookie settings at any time.

Publication - Advice and guidance

Cyber Security Procurement Support Tool: guidance for buyers

Published 15 January 2020
Directorate
Safer Communities Directorate
Part of
Law and order, Public sector
ISBN
9781839602177

Guidance for buyers on embedding use of Cyber Security Procurement Support Tool into the procurement process.

View supporting documents Supporting documents

Introduction

1. To assist all Scottish public sector organisations to implement the Supplier Cyber Security Guidance Note (“the Guidance Note”) in a consistent way, the Scottish Government Cyber Resilience Unit has worked with Procurement Centres of Expertise and key public sector partners to develop a decision-making support tool – the Cyber Security Procurement Support Tool (CSPST) – for optional use.

2. CSPST supports public sector organisations to (i) undertake information/cyber assurance assessments, (ii) identify appropriate, proportionate cyber security requirements, and (iii) seek assurances from bidding suppliers as to the extent to which they comply with these requirements, in a way that is aligned with the Guidance Note.

3. This advice note covers the following key issues:

i. An overview of the key features of the CSPST tool.
ii. Information on how the CSPST tool supports consistent implementation of NCSC Principle 5.
iii. Advice on how organisations can work to embed the use of CSPST in procurement processes.
iv. Advice on the Cyber Implementation Plan (CIP) process that forms a key part of the CSPST tool’s “fit” with procurement processes.

4. The following supporting documentation is available here:

(i) Example Tender and Contract Wording:

  • Section A sets out some example wording that can be used in contract notices and invitations to tender.
  • Section B sets out some example wording that can be used in contractual terms and conditions. It includes links to Scottish Government standard terms and conditions that are made available to the wider public sector, which have been adjusted to facilitate use of CSPST and reflect best practice in respect of cyber security generally.

(ii) Cyber Implementation Plan – Template and Example, which provides a Cyber Implementation Plan template for use in the CIP process.

It is important to understand that CSPST is intended as a decision-making support tool. It is not intended to replace a contracting authority’s obligation to fully consider and manage all relevant cyber risks to a contract.

If in doubt, please ensure that you consult a cyber security expert.

Contact

Email: CyberResilience@gov.scot

Back to top