This guide explores how you and your council can translate cyber security requirements into concrete contract obligations, in addition to establishing an agreed process for monitoring and reporting.
The contract phase is about confirming suppliers’ cyber resilience arrangements, and ensuring that necessary provisions are captured within the contract to keep your council safe. This guide offers information about the activities specifically related to the contract phase.
This guidance is based on National Cyber Security Centre (NCSC) principles. It is not formal guidance and should not be applied as such. Rather, it should be used to have conversations about how the issues raised can be dealt with locally. It does not constitute legal advice and should not be relied upon in that capacity. Independent legal advice should always be sought.
In this section:
How to identify valid evidence provided by the chosen supplier
It is important that you ask for, and validate, evidence to ensure that suppliers are compliant with your cyber security requirements.
How to determine the cyber security provisions that need to be captured in the contract
Key upfront requirements should contractually require suppliers to produce sufficient plans both to reduce the likelihood of a cyber incident and, through cyber resilience, to reduce the impact of one.
How to determine the ongoing cyber security provisions that need to be captured in the contract
Key ongoing cyber security requirements, arrangements, terms and conditions should contractually require suppliers to continuously monitor their cyber security and cyber resilience arrangements.
How to determine the exit cyber security provisions that need to be captured in the contract
The exit plan and conditions should document how a contract will be closed, regardless of the reason for closure.