If the contract will involve, support or rely on the digital processing of information, organisations should ensure that appropriate consideration is given to potential cyber risks and their management.
Legislative requirements, including the Data Protection Regulation (DPR), require all public sector organisations to ensure appropriate technical protections are in place when suppliers process personal data on their behalf. The Security of Network and Information Systems (NIS) Directive requires Operators of Essential Services in the devolved health and water sectors to have appropriate supply chain cyber security requirements in place.
It is recommended that public sector organisations have regard to the Guidance Note on Supplier Cyber Security, which embeds best practice advice from the National Cyber Security Centre and promotes a more consistent approach to the cyber security requirements placed on suppliers to the Scottish public sector.
To assist all Scottish public sector organisations in implementing the Guidance Note consistently, the Scottish Government has developed a decision-making support tool, the Cyber Security Procurement Tool (CSPST).
CSPST supports public sector organisations to:
- undertake information/cyber assurance assessments
- identify appropriate, proportionate cyber security requirements
- seek assurances from bidding suppliers as to the extent to which they comply with these requirements, in a way that is aligned with the Guidance Note.