Cyber Security Procurement Support Tool: guidance for buyers

Guidance for buyers on embedding use of the Cyber Security Procurement Support Tool into the procurement process.


1. "Scottish public sector organisations" is defined broadly to include all those implementing the Public Sector Action Plan on Cyber Resilience: central government, NDPBs, non-ministerial departments, health boards, local authorities, and universities and colleges. The tool is NOT available to third sector or charity buyers.

2. At

3. CSPST is not suitable for procurement processes to establish complex multi-supplier framework agreements, where the range of cyber risks could be very wide. Further information on this can be found at page 10 of this note.

4. Buyers can place a requirement on bidders who do not currently meet the minimum requirements to complete a Cyber Implementation Plan, which sets out how the supplier will work towards meeting minimum requirements over a certain timeframe. These plans will form part of binding contractual commitments.

5. As CSPST is a contract-specific tool, it is considered more appropriate to use CSPST at call-off stage, as noted above.

6. As noted in paragraph 8, above, the simple pass/fail approach that CSPST supports can be used in combination with a more sophisticated scored approach.


