Question to the Department for Digital, Culture, Media & Sport:
To ask the Secretary of State for Culture, Media and Sport, what security measures are in place to ensure that suppliers compliant with the Cyber Essentials scheme utilise third-party services which are also compliant with that scheme.
The Cyber Essentials scheme sets out the basic technical controls which all organisations relying on the internet should have in place to prevent common online attacks. The scheme does not require organisations certified under the scheme to use third parties which are also compliant with the scheme, though this is something the Government would recommend where appropriate.
The Government itself requires its suppliers to hold a Cyber Essentials certificate where contracts involve the handling of sensitive data, such as personal and financial information, or the provision of certain ICT products and services. The recently published National Cyber Security Strategy set out a success measure that all Government suppliers will meet appropriate cyber security standards by 2021.
In addition, the Government is working with industry to ensure businesses encourage the firms in their supply chains to adopt Cyber Essentials where necessary and appropriate; for example, organisations could work with their supply chains and discuss the best way to add resilience to the end-to-end delivery of a product or service, which could include a third party adopting Cyber Essentials.