Developing an enduring security framework for a multi-million-pound procurement

Information security standards can often struggle to keep pace with rapid advances in technology and the evolving nature of the security threat. So when our client needed to draw up the master service agreement to underpin a seven-year deal for the provision of new global network and telephony services, the company faced a challenge – how to incorporate a security schedule that would remain relevant and effective for the full term of the contract?

From our work developing the new cyber security standard, PAS 555, we knew that the standard offered exactly the right solution. PAS 555 is the first outcomes-based standard for cyber security. Because it sets out what the security requirements are, rather than defining the methods that should be used to achieve them, it remains relevant even as methods evolve.

Working closely with the client, we drew up an outcomes-based security schedule defining the security requirements for any contractors involved in delivering the new network. To brief tendering vendors on the approach and to elaborate on the client’s security requirements, we also ran a series of workshops. These lay the foundation for the collaborative (rather than transactional) relationships that the client wants to encourage with all its suppliers.

By adopting an outcomes-based approach, we freed our client up to focus on obtaining assurance on security rather than dictating security details. Our approach also helped shift the emphasis onto suppliers’ expertise, encouraging them to propose good practice where this could strengthen security or offer cost benefits. Most importantly, the security schedule, which comprises a simple five-page document, written in clear, non-technical language, will remain relevant throughout the contract’s seven-year duration.
