Buying cyber security services: guidance for health and care organisations

Guidance on using the Cyber Security Services 2 framework to buy cyber security services from certified suppliers, to help you to protect your systems and data from cyber attack, and respond to security incidents.

The Cyber Security Services 2 framework is a way for buyers across central government and the wider public sector to buy National Cyber Security Centre (NCSC) certified cyber security services. It is EU compliant and regulated. As cyber attacks become more frequent and sophisticated, it is increasingly important for health and care organisations to make sure their systems are safe and secure, so that vital services are protected. If you need certified suppliers to help with this, you should use the Cyber Security Services 2 framework.

Certified cyber consultancy (Lot 1)

Suppliers can provide a variety of consultancy services.

Risk assessment (lot 1.1)

Suppliers can help you to identify, analyse and evaluate the cyber security risks associated with the technology systems you need to manage, to support your IT management decisions.

Risk assessment (lot 1.1) suppliers

Risk management (lot 1.2)

Suppliers can help you manage the cyber security risks associated with the technology systems used in your organisation, by determining practical and effective control measures.

Risk management (lot 1.2) suppliers

Security architecture (lot 1.3)

Suppliers can help your organisation to design and build technology architecture securely, so that identified cyber security risks are properly managed. Suppliers can design whole systems and services themselves, or contribute specialist expertise to your design teams.

Security architecture (lot 1.3) suppliers

Audit and review (lot 1.4)

Suppliers can give health and care organisations independent assurance about the effectiveness of their cyber security arrangements, by conducting checks, audits and reviews.

Audit and review (lot 1.4) suppliers

Penetration testing (CHECK) (lot 2)

A CHECK service provider can test for vulnerabilities in your existing security systems by analysing the systems or networks you rely on to carry out your business securely and effectively. They do this by conducting a number of tests designed to identify weaknesses caused by publicly known vulnerabilities and common configuration faults.

Penetration testing (CHECK) (lot 2) suppliers

Cyber Incident Response (CIR) (lot 3)

If you need to respond to a significant cyber incident, you might need suppliers to determine the extent of the incident and help your organisation manage the immediate impacts. They can also give you recommendations to fix the vulnerability that has allowed your system to be compromised, to restore normal service and to increase security across the network.

Cyber Incident Response (CIR) (lot 3) suppliers

Tailored Evaluation (CTAS) (lot 4)

The NCSC Tailored Assurance Service (CTAS) provides assurance on the IT security aspects of a system, product or service. Tailored evaluations can give you answers to specific assurance questions posed by accreditors on behalf of risk owners, so that risk owners can make better informed risk management decisions.

Tailored Evaluation (CTAS) (lot 4) suppliers

Help on finding and choosing suppliers

Go to the Cyber Security Services 2 pages to read more about the services offered and contact details for suppliers.

Download our guidance on engaging security suppliers [64.97KB] to help you when you're choosing a supplier.

Have a question? Call us on 0300 303 5678 or contact enquiries@nhsdigital.nhs.uk.
