Buying cyber security services: guidance for health and care organisations
Guidance on using the Cyber Security Services 2 framework to buy cyber security services from certified suppliers, to help you to protect your systems and data from cyber attack, and respond to security incidents.
The Cyber Security Services 2 framework is a way for buyers across central government and the wider public sector to buy National Cyber Security Centre (NCSC) certified cyber security services. It is EU compliant and regulated. As cyber attacks become more frequent and sophisticated, it is increasingly important for health and care organisations to make sure their systems are safe and secure, so that vital services are protected. If you need certified suppliers to help with this, you should use the Cyber Security Services 2 framework.
Certified cyber consultancy (lot 1)
Suppliers can provide a variety of consultancy services.
Risk assessment (lot 1.1)
Suppliers can help you to identify, analyse and evaluate the cyber security risks associated with the technology systems you need to manage, to support your IT management decisions.
Risk management (lot 1.2)
Suppliers can help you manage the cyber security risks associated with the technology systems used in your organisation, by determining practical and effective control measures.
Security architecture (lot 1.3)
Suppliers can help your organisation to design and build technology architecture securely, so that identified cyber security risks are properly managed. Suppliers can design whole systems and services themselves, or contribute specialist expertise to your design teams.
Audit and review (lot 1.4)
Suppliers can give health and care organisations independent assurance about the effectiveness of their cyber security arrangements, by conducting checks, audits and reviews.
Penetration testing (CHECK) (lot 2)
A CHECK service provider can test for vulnerabilities in your existing security systems by analysing the systems or networks you rely on to carry out your business securely and effectively. They do this by conducting a number of tests designed to identify weaknesses caused by publicly known vulnerabilities and common configuration faults.
Cyber Incident Response (CIR) (lot 3)
If you need to respond to a significant cyber incident, you might need suppliers to determine the extent of the incident and help your organisation manage the immediate impacts. They can also give you recommendations to fix the vulnerability that has allowed your system to be compromised, to restore normal service and to increase security across the network.
Tailored Evaluation (CTAS) (lot 4)
The NCSC Tailored Assurance Service (CTAS) provides assurance on the IT security aspects of a system, product or service. Tailored evaluations can give you answers to specific assurance questions posed by accreditors on behalf of risk owners, so that risk owners can make better informed risk management decisions.
Help on finding and choosing suppliers
Go to the Cyber Security Services 2 pages to read more about the services offered and contact details for suppliers.
Download our guidance on engaging security suppliers to help you when you're choosing a supplier.