Cyber security for public sector suppliers

Suppliers to UK central government, local authorities, the NHS and other public bodies face specific cyber security requirements as a precondition of doing business. Forensic Control helps firms qualify for, win and deliver public sector contracts with Cyber Essentials, penetration testing and ongoing assurance. We are an IASME Certification Body and a G-Cloud 14 supplier for penetration testing.

Cyber security as a public sector procurement gate

Selling to the UK public sector has always involved scrutiny. Cyber security is now part of that scrutiny in a way it was not five years ago. For most central government contracts that involve handling sensitive information, Cyber Essentials is mandatory. Without it, a supplier cannot bid.

Three policy and procurement developments shape what is required:

Forensic Control works with public sector suppliers to qualify quickly, deliver compliantly, and keep pace with how requirements change. We are an IASME Certification Body for Cyber Essentials and Cyber Essentials Plus, and a G-Cloud 14 supplier for penetration testing through the Crown Commercial Service framework. We have supported central government suppliers since 2017 and understand how procurement actually works.

Common challenges for public sector suppliers

Public sector procurement creates a distinctive set of cyber security challenges, particularly for firms moving from private to public sector work for the first time.

Cyber Essentials as a procurement gate

Mandatory for many central government contracts and an increasing share of local government, NHS and education tenders. Without it, you cannot bid.

PPN 09/23 and procurement notices

Cabinet Office Procurement Policy Note 09/23 tightened cyber requirements. Suppliers need to understand what is expected of them.

Supply chain assurance

Public bodies increasingly look down the supply chain. Your subcontractors' security can affect your eligibility, not just your own.

Sensitive information handling

Government and public bodies share OFFICIAL and sometimes OFFICIAL-SENSITIVE information with suppliers. That information has specific handling requirements.

Subcontractor management

Many public sector contracts require certification not only of the prime supplier but also of the subcontractors actually doing the work.

Incident notification

Public sector contracts typically have specific incident notification clauses with tight timelines. Suppliers need to know what to report and to whom.

Cyber Essentials as the entry point for public sector tenders

For public sector suppliers, Cyber Essentials is often the difference between being able to bid and being ruled out at the qualification stage. It is the UK government-backed certification, recognised across the public sector, and it puts the fundamental controls in place that PPN 09/23 expects suppliers to demonstrate.

Forensic Control is an authorised IASME Certification Body, not a reseller. We have been delivering Cyber Essentials since 2017, and we work with public sector suppliers to qualify on time:

  • Cyber Essentials (Basic). Sufficient for many lower-value contracts and frameworks. Self-assessment with expert review.
  • Cyber Essentials Plus. Required for higher-value contracts and contracts involving more sensitive information. Independent technical audit with vulnerability scanning included at no extra cost.
  • Cyber Essentials Duo. Basic and Plus combined at a single price point. Often the right choice when you are not yet sure which level a future tender will require.

Most suppliers can be certified within weeks once scope is agreed. We work to your tender timeline, not the other way round.


Your public sector procurement readiness path

A typical engagement runs from first tender identification through to being certified and ready to bid. We work to your procurement timeline.

  1. Tender identification. We review the cyber security requirements in your target tenders to confirm whether Cyber Essentials, Cyber Essentials Plus or both are required, and whether subcontractor certification is needed.
  2. Readiness review. A short pre-assessment engagement to identify gaps before formal certification. Most public sector suppliers find this saves time on the formal assessment.
  3. Cyber Essentials certification. Self-assessment review for CE, or independent technical audit including vulnerability scanning for CE Plus. We work to your tender deadline.
  4. Evidence pack for tender response. We provide certification documentation formatted for inclusion in your tender response, including scope statements, technical summaries and renewal dates.
  5. G-Cloud 14 penetration testing where required. Where contracts require independent penetration testing, this can be procured through the G-Cloud 14 framework with Forensic Control as the supplier, without running a full competitive tender.
  6. Annual renewal and assurance. Twelve months of vulnerability scanning included with CE Plus, plus annual recertification to maintain your tender qualification.

"For our small business with big contractual responsibilities, we are reassured by Forensic Control's professional services that provide us with Cyber Essential certification to ensure that our cyber compliance is to a high standard."

Paula Middleton
Centre for Political and Diplomatic Studies

Frequently asked questions

Practical answers to the questions public sector suppliers ask us most often.

  • Is Cyber Essentials mandatory for public sector contracts?
  • What is PPN 09/23 and how does it affect suppliers?
  • Do I need Cyber Essentials or Cyber Essentials Plus for a public sector tender?
  • How quickly can we get Cyber Essentials in time for a tender deadline?
  • What about our subcontractors? Do they need certification too?
  • Are there cyber security requirements beyond Cyber Essentials for public sector work?
  • Are you a G-Cloud supplier?
  • How does Cyber Essentials evidence flow through into our tender response?

Speak to a specialist about public sector cyber requirements

Whether you are preparing for a specific tender, building a wider public sector pipeline, or responding to a contract incident notification, we can help. Book a short call to talk through where you are and what you need.