
Cyber Security: Expectations of Suppliers

6 August 2025

NHS Supply Chain depends on its suppliers to deliver healthcare products, services and food for NHS trusts and healthcare organisations across the country.

Cyber-attacks can damage, disrupt or destroy our ability to operate, leading to significant reputational damage, financial loss, and most importantly, a potential inability to deliver patient care.


See our Useful Links section for further information on Cyber Essentials Plus compliance guidance from the National Cyber Security Centre.

PPN 014 applies to all central government departments, their executive agencies and non-departmental public bodies, and NHS bodies. Such bodies are referred to as ‘in-scope organisations.’

In-Scope Requirements

A supplier will need to demonstrate Cyber Essentials Plus compliance if:

  • NHS Supply Chain personal data is handled or processed, which includes that of our employees, customers or other suppliers.
  • IT or digital products and services are supplied.

Cyber Essentials is a government-backed scheme that helps businesses of any size demonstrate their commitment to cyber security; Cyber Essentials Plus is the independently audited tier of that scheme. In-scope organisations must ensure that effective and proportionate cyber security controls are applied to contracts to mitigate supply chain risks.

The five core controls cover security update management, user access controls, secure configuration, malware protection and firewalls. The Cyber Essentials Plus certificate requires annual renewal and an external audit.

See our Useful Links section for the IASME website. IASME is the certification body that delivers the scheme, and current certificates can be verified there; NHS Supply Chain can use the IASME ‘Supplier Check’ tool to confirm a supplier’s certification status.

Data Security and Protection Toolkit (DSPT)

The DSPT is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. It is also an annual assessment.

All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

In-Scope Requirements

A supplier will need to demonstrate DSPT compliance if:

  • Personal information of patients, such as home addresses, is handled.

As data security standards evolve, the requirements of the DSPT are reviewed and updated to ensure they are aligned with current best practice. Organisations with access to NHS patient data must therefore review and submit their annual assessment each year, before the deadline.

The DSPT also provides organisations with a means of reporting security incidents and data breaches.

See our Useful Links section for the Data Security and Protection Toolkit.

Frequently Asked Questions (FAQs)

What happens if a supplier doesn’t have Cyber Essentials Plus or DSPT?

PPN 014 states that an organisation can demonstrate its commitment to cyber security, and that equivalent cyber security controls are in place, through ‘alternative means.’
To support suppliers in this, we will be asking suppliers to complete an Information Security Third Party Questionnaire (ISTPQ), which will be used to assess which suppliers are in scope of PPN 014 and the DSPT.
For new suppliers, this will be required at the Supplier Questionnaire stage of procurement.
For existing suppliers, this will begin to be shared from 8 September 2025.

Responses will be reviewed and approved by the NHS Supply Chain Cyber Security Team.

The ISTPQ will not be required where a supplier holds a valid Cyber Essentials Plus certificate.

What happens if/when a supplier is non-compliant?

We are currently developing a process with NHS England for notifying them of any ‘insecure’ products or services which may increase the risk of cyber attacks within NHS trusts.
Where suppliers are ‘in scope’ but do not have certification, a risk-based decision will need to be made, dependent on, amongst other things, the products and services being provided.

Can you clarify what you mean by personally identifiable information handled by a supplier – does that include email exchanges with NHS Supply Chain?

Emails exchanged with NHS Supply Chain employees are not classed as handling personally identifiable information.

See our Useful Links section for a guide from the Information Commissioner’s Office setting out what is classed as personal information.

Are Cyber Essentials Plus and Cyber Essentials treated as different, and which one is an absolute necessity?

Cyber Essentials Plus includes an external audit of the same five controls for additional assurance. Cyber Essentials (self-assessed) will be accepted if details / evidence are shared to provide that assurance in place of the external audit.

On a recent webinar there was a statement made that suppliers should be working towards the Cyber Assessment Framework rather than Cyber Essentials. What is the position?

The Cyber Assessment Framework is not a formal certification. It works hand in hand with Cyber Essentials rather than instead of it.

What are the compliance requirements for the European Economic Area?

As a UK based organisation, NHS Supply Chain follows UK Government guidance. For suppliers based overseas, the requirement remains the same – suppliers should demonstrate Cyber Essentials Plus compliance.

What is the ISO number for Information Security Management Systems?

ISO/IEC 27001

My organisation has ISO 27001, but not Cyber Essentials Plus, is that sufficient?

Procurement Policy Note 014 does not cover ISO/IEC 27001, nor can ISO/IEC 27001 be offered as an alternative to Cyber Essentials Plus. This is largely because Cyber Essentials requires a fixed baseline of five technical controls to be in place, whereas ISO/IEC 27001 certifies a management system in which the controls applied are selected by the organisation’s own risk assessment, so holding the certificate does not by itself show that those five controls are implemented.

Next steps

If you have any further questions on these requirements, please contact us:

Cyber Security Team

cybersecurity@supplychain.nhs.uk