Cyber Essentials – a guide to working with a third party IT Provider

If your organisation outsources its IT, a third-party provider will manage your network for you. However, the responsibility for your network security is still yours. You will need to instruct your IT provider to implement the Cyber Essentials controls on your network on your behalf. It is important that you carefully check that the requirements have been met, as it will be your signature that verifies that the controls are in place.

Please note that some IT providers may have good technical knowledge, but they do not always have a good understanding of cyber security. You will need to give clear and detailed instructions about what security controls you want them to implement.

Cyber Essentials is generally considered the minimum level of certification for a UK organisation to prove that it is compliant with the basic controls that would prevent the majority of cyber-attacks. It is highly recommended that you look for an IT provider that is Cyber Essentials certified. This demonstrates to you that the provider is serious about cyber security as well as being fully competent and supportive when it comes to implementing the controls on your network.

To help you manage the responsibility of your cyber security, we have created a resource for you to use. A comprehensive list of questions is available for you to download or print off and give to your third-party provider. Ask your provider to return the answers and relevant lists to you so that you can check that your organisation meets the Cyber Essentials requirements. You can find out more information here.

You should also have a Service Level Agreement (SLA) and contract with any third-party IT supplier.

Please note, this blog may contain guidance and information that is outdated.

On 24th January 2022, the Cyber Essentials technical requirements were updated in line with current cyber security threats. The self-assessment question set changed from version ‘Beacon’ to version ‘Evendine’. Blogs and articles published before that date may no longer accurately reflect the Cyber Essentials requirements.