Welsh Government makes Cyber Essentials mandatory for some third-parties

The Welsh Government made it mandatory for third-party suppliers with a ‘moderate' or ‘high' level of risk when dealing with sensitive information to be Cyber Essentials certified from 1 April this year.

SCMagazineUK.com was alerted to the news by a LinkedIn post late last week, which indicated that the government was making it mandatory for new contracts, where the supplier had ‘moderate' to ‘high' levels of risk, to be Cyber Essentials accredited.

Of the five levels of risk identified (0 to 4), Cyber Essentials is a requirement from Level 1 upwards. Level 0 is ‘low risk' and means that no special arrangements are needed when minimal amounts of non-sensitive personal data are processed or where data is in the public domain already, while Level 1 relates to ‘moderate risk' – where sensitive information may need to be protected. Third-parties at this level would need to adhere to the UK Government's Cyber Essentials Plus for contracts with low values and small amounts of personal or sensitive data.

Level 2, or ‘sensitive information', requires Cyber Essentials, while Level 3 requires Cyber Essentials Plus. Level 4, otherwise known as ‘high risk' (large nationwide framework contracts), will require IOS27001 together with Cyber Essentials Plus as they are deemed “high value contracts or those with significant amounts of personal or sensitive data.”

Organisations are required to be compliant throughout the term of the contract. 

The Welsh government confirmed the news in an email to SC, and sent us a document, most likely intended for local authorities, which detailed what level of certification is required from third-parties.

“If you are procuring services from third party suppliers, awarding grants or entering into data sharing agreements with third parties who will have access to our information you will need to consider the sensitivity of that information,” it reads. “A Business Impact Assessment will indicate the sensitivity of the information involved and advice on Using Government Security Classifications can be found here. “

“For those contracts which involve handling information in the moderate or high risk categories, described below, it is mandatory that suppliers demonstrate that they meet the technical requirements prescribed by the Cyber Essentials Scheme (CES).”

“The CES defines a set of controls which, when properly implemented, will provide organisations with basic protection from the most prevalent forms of threat coming from the internet.  Evidence of holding a Cyber Essentials (or equivalent) certificate is desirable before contract award, but essential at the point when data is to be passed to the supplier.”

A Welsh Government spokesperson said:  “From 1 April 2015, Cyber Essentials is required  for all relevant Welsh Government contracts involving the handling of personal or sensitive information.  This will also apply to National Procurement Service collaborative frameworks.”

Cyber Essentials is also mandatory for relevant UK government suppliers; the programme won the ‘Editor's Choice' award at theSC Awards Europe at the Grosvenor Hotel in Mayfair, London last week. 

The Welsh government is the executive arm of the developed government in Wales, and is accountable to the National Assembly for Wales, which represents local people and makes laws for the country. The National Assembly was created by the Government of Wales Act 1998.