Question to the Ministry of Defence:
To ask the Secretary of State for Defence, with reference to page 50 of the Defence Equipment & Support Annual Report and Accounts 2022-23, what steps the DE&S Digital team have taken to deliver (a) internal information assurance and (b) the application of defence information assurance mechanisms across the supply chain.
The Defence Equipment and Support (DE&S) Digital team follows the ISO (International Organization for Standardization) 27001 international standard for information assurance. This measures the maturity of, and informs improvements to, the cyber security controls across business Information Technology systems. Through this process, DE&S is annually audited by an external body and remains certified following the most recent audit in late 2023. Observations from ISO 27001 audits are included in mitigation plans, which are then delivered either by an internal team of security professionals or by industry partners on their behalf.
Security Assurance of MOD information across the supply chain is conducted as part of the Defence Cyber Protection Partnership (DCPP), a joint MOD and industry initiative to improve the protection of the defence supply chain from cyber threat. Through this process, DE&S contracts undergo a risk assessment and apply a cyber security control set proportionate to the sensitivity of the information held. DE&S Digital have an ongoing programme of work to increase awareness of, and compliance with, DCPP across the business, as well as participating in internal audits to check project compliance status so that improvements can be made where required.