Cyber-Essentials-question-list-for-Third-Party-IT-Providers-2023If your organisation outsources its IT, a third-party provider will manage your network for you, however, the responsibility for your network security is still yours. You will need to instruct your IT provider to implement the Cyber Essentials controls to your network on your behalf. It is important that you carefully check that the requirements have been met as it will be your signature that verifies that the controls are in place.
Please note that some IT providers may have good technical knowledge, but they do not always have good understanding about cyber security. You will need to give clear and detailed instructions about what security controls you want them to implement.
Cyber Essentials is generally considered the minimum level of certification for a UK organisation to prove that it is compliant with the basic controls that would prevent the majority of cyber-attacks. It is highly recommended that you look for an IT provider that is Cyber Essentials certified. This demonstrates to you that the provider is serious about cyber security as well as being fully competent and supportive when it comes to implementing the controls to your network.
To become Cyber Essentials certified, you will need to first establish what parts of your organisation are included in the certification. This is called the scope of your assessment and you will need to understand the boundary of that scope. This will determine whether your whole organisation is included in the assessment.
You will then need to ensure that your organisation meets all the requirements under five technical control themes:
- secure configuration
- user access control
- malware protection
- security update management
Below is a link to a detailed list of questions that you can download and give to your third-party provider. Ask them to return the answers and the relevant lists to you so that you can check that your organisation meets the Cyber Essentials requirements.
Cyber Essentials question list for third party IT providers
You should also have a Service Level Agreement (SLA) and contract with any third-party IT supplier.