How to set minimum cyber security controls based on the procurement’s cyber risk

It is not possible to protect against 100 percent of cyber threats, but minimum cyber security controls can provide a baseline for protection.

There is a lot more that suppliers could do to protect themselves beyond these controls, however it is recommended that you work with your IT security colleagues to determine what cyber security protections are desirable versus vital, and make a set of these ‘minimum cyber security controls’ per procurement.

These identified minimum cyber security controls correlate to the level of risk associated with each procurement, so depending upon the risk profile of the procurement, the minimum controls will likely change, with a lower bar for lower risk profiles and a higher bar for higher risk profiles. Again, your council’s cyber risk appetite would come into play here, but generally speaking you would increase the security controls with increasing risk profiles.

Common industry standards for cyber security

You can use supply chain cyber security industry standards to set the cyber security controls which you will hold your suppliers to.

It is very important to realise that certification does not necessarily equate to security, which is why it is so important that certification requirements do not become a box ticking exercise.

Just because a supplier has these certifications, this does not mean they fully adhere to the related standards and frameworks, however it may give an indication about what your council can expect in terms of assurance.

You can speak with your IT team to find out more about the standards that are already being used in the council.  Also there is additional government guidance and cyber security model information from the Defence Cyber Protection Partnership.

In the Tender guide - focused on constructing and running an effective tendering process - there is more guidance on how to use these different standards in your tender specifications.