How to create cyber risk profiles for different procurement types

We know that councils are different and have different needs and priorities so we have tried not to adopt a one-size-fits-all approach. Instead, these resources offer a series of four pillars which each council might wish to use as a basis for creating their own framework: assets, impact, contract scale and supplier risks.

Assets comprise data, networks and systems, each of which is described in greater detail in the section How to identify the assets in your council that need to be protected. The other three pillars are impact, contract scale and supplier risks, which are described below.

[Figure: Cyber risk evaluation network diagram]

Impact

While there are numerous ways to evaluate impact, a commonly used model is the CIA Model (Confidentiality, Integrity, Availability). When the vulnerability of an asset is exploited in a cyber incident, the asset can be compromised in one of three key ways:

  • Confidentiality: Has the confidentiality of the asset been impacted? For example, has sensitive data been made available to someone that should not have access to that data? Has an unauthorised individual been able to access a system that they should not be able to access?
  • Integrity: Has the integrity of the asset been compromised? For example, if a cyber incident alters a database that records council tax exemptions, it could record ineligible households as being exempt.
  • Availability: Do the right people have access to the asset at the right time? This is often one of the most impactful elements of a cyber incident. If a digital system is attacked, and is then unavailable for several months, this can create a large backlog.

Contract scale

Contract scale refers to a variety of factors relating to the contract, including but not limited to its length, value and complexity. It serves to give a scope of what the contract will entail and where potential risks could arise from over time.

Supplier risks

Risks associated with the supplier usually relate to the location of the supplier, its supply chain, and any links or ties to, or previous breaches by, governments or organisations that might be hostile to the UK or to local government.

Sample risk profiles

It is essential that each council creates its own risk profiles based on its own risk appetite - the samples shared in this guide are only illustrative examples. When considering a service or procurement, it is critical to understand its associated cyber risk, so that you can apply an appropriate risk profile and subsequently implement the right controls to mitigate and manage that risk.

Using the cyber risk evaluation framework, you can create different cyber risk profiles. These are defined standard risk levels with associated and proportionate minimum cyber security requirements that the supplier is expected to meet. These would typically range from low to high or very low to very high. There is no explicit rule, but it is generally recommended to have three to five risk levels to ensure your levels are neither too broad nor too prescriptive.