Telephone : 01908 041 464 | Email :
Quick Jump

PPN 09/23: Updates to the Cyber Essentials Scheme


In today’s digital age, cybersecurity is more crucial than ever. Governments and organisations worldwide face the constant threat of cyberattacks, which can lead to data breaches, financial losses, and even compromise national security. Recognising the importance of protecting sensitive information, governments have introduced various cybersecurity measures and regulations to safeguard their systems and data. In the UK, one such initiative is the Cyber Essentials Scheme, designed to bolster cybersecurity across the public sector. Recently, Procurement Policy Note (PPN) 09/23 was issued, outlining important updates to the scheme and their implications for businesses.

PPN 09/23 introduces essential updates to the Cyber Essentials Scheme, a government-backed initiative aimed at helping businesses of all sizes protect themselves against common cyber threats. The scheme’s primary objectives are to enhance cybersecurity controls and reduce supply chain risks in the public sector. It’s important to note that since 2014, suppliers bidding for specific types of public contracts have been required to hold Cyber Essentials or Cyber Essentials Plus certification, or demonstrate equivalent cybersecurity controls. PPN 09/23 builds upon this foundation to further strengthen cybersecurity practices in government contracts.

The key requirements of PPN 09/23 include:

  • Scope and Dissemination: PPN 09/23 applies to Central Government Departments, Executive Agencies, Non-Departmental Public Bodies, and NHS bodies. In-scope organisations are tasked with ensuring that the policy is effectively implemented within their operations. This includes circulation of the PPN to relevant personnel, especially those involved in commercial, procurement, contract management, and cybersecurity roles.
  • Timing: In-scope organisations must implement the policies outlined in PPN 09/23 within three months of its publication date. This ensures a swift and proactive approach to strengthening cybersecurity controls.
  • Action: The heart of PPN 09/23 lies in its action-oriented requirements:
    • Organisations must apply effective and proportionate cybersecurity controls to mitigate supply chain risks.
    • Specific contracts, characterized by handling personal information, managing government employee data, processing data at the OFFICIAL level of the Government Security Classifications Policy, or dealing with government business, service delivery, and public finances, must adhere to the updated cybersecurity standards.
    • Suppliers for these contracts must possess either Cyber Essentials or Cyber Essentials Plus certification, renewed annually.
    • Suppliers without these certifications must demonstrate equivalent cybersecurity controls.
    • Evidence of certification is mandatory before data is entrusted to the supplier.
  • Limitations: PPN 09/23 emphasises that the Cyber Essentials Scheme has limitations. While it provides a solid foundation for cybersecurity hygiene, it doesn’t guarantee the quality or security of specific products or services. For contracts requiring specific assurance, additional relevant standards should be applied. Furthermore, the scheme may not fully address advanced, targeted cyber threats, and organisations facing such risks should develop a comprehensive security strategy.
  • Suppliers on G-Cloud Framework Agreements: The policy note highlights that suppliers on G-Cloud Commercial Agreements must comply with the Government’s Cloud Security Principles. Although suppliers are encouraged to mention their Cyber Essentials certifications, it’s not a mandatory requirement for the Commercial Agreement. In-scope organisations must ensure that suppliers effectively manage cyber risks before awarding contracts through G-Cloud.

PPN 09/23 was published on the 19th of September 2023 and applies exclusively to the United Kingdom

ppn 09/23

Does PPN 09/23 affect my business?

PPN 09/23 has significant impacts on businesses, particularly those seeking government contracts:

  • Mandatory Certification: Businesses bidding on specific government contracts will now be required to hold Cyber Essentials or Cyber Essentials Plus certification, unless they can demonstrate equivalent cybersecurity controls. This adds an additional layer of compliance and assessment for suppliers.
  • Cybersecurity Investment: To meet the certification requirements, businesses may need to invest in enhancing their cybersecurity measures. This could involve implementing new technologies, strengthening security policies, and improving employee training programs.
  • Competitive Advantage: Companies that already hold Cyber Essentials certification may have a competitive edge in government contract bidding. Certification demonstrates a commitment to cybersecurity and reduces perceived supply chain risks.
  • Documentation and Evidence: Suppliers must be prepared to provide evidence of certification or equivalent controls when bidding for government contracts. Proper documentation and compliance become essential aspects of the procurement process.

PPN 09/23 signifies a significant step towards enhancing cybersecurity in government contracts. While it introduces additional requirements and compliance measures for businesses, it also aims to strengthen overall cybersecurity practices, reduce supply chain risks, and protect sensitive government information. Businesses seeking government contracts should carefully review the policy note and take proactive steps to meet the new cybersecurity standards, ultimately contributing to a safer digital environment for all.

Do I need PPN 09/23 in my ISO Compliance Register?

You will need PPN 09/23 in your ISO Compliance Register if your business is involved in bidding for government contracts, especially those contracts with characteristics such as handling personal information, government employee data, sensitive data processing, or government-related service delivery. This includes a wide range of businesses, from technology service providers handling government data to suppliers managing government finances.

Legislation related to PPN 09/23

Legislation related to PPN 09/23 include:

  • Data Protection Act 2018
  • Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR)
  • Cyber Essentials

More information

Visit the PPN 09/23 article on the website.

Create an account in the ISO Compliance Register App and add this article (which is updated by PPN 09/23) to your Register.