Question to the Department for Digital, Culture, Media & Sport:

To ask the Secretary of State for Culture, Media and Sport, pursuant to the Answer of 27 February 2017 to Question 63984, how the Cyber Essentials scheme offers protection to organisations compliant with the scheme in the event that third party organisations that provide (a) email, (b) cloud storage and (c) other similar services to compliant organisations are themselves not compliant with that scheme.

The Cyber Essentials scheme sets out the basic technical controls which all organisations relying on the internet should have in place to prevent common online attacks. The scheme enables organisations themselves to determine which technologies are in scope of their Cyber Essentials assessment: this would not normally include any third party organisations.

The Government recognises the importance of third party risk management and will continue to consider how the Cyber Essentials standard can be improved to better account for cloud based services. In addition, the Government is working with industry to ensure businesses encourage the firms in their supply chains to adopt Cyber Essentials where necessary and appropriate.