Crown Commercial Services
The Cyber Essentials scheme is mandatory for organisations handling personal information and providing certain ICT products and services to central government contracts. It is listed as a requirement to gain entry to many central government frameworks and has been mandated by the Crown Commercial Service since 2014.
MOD contracts and DEF STAN 05-138
Depending on the Risk level of a contract, the MOD can mandate certification to the Cyber Essentials scheme for the supplier.
MOD contracts are assigned one of five risk levels, which is determined on a per contract basis. These risk levels are: Not applicable, Very Low, Low, Moderate and High.
Only contracts with no MOD Identifiable Information can be classed as "Not applicable". Contracts that involve handling "Secret" or "Top Secret" information are expected to be classed as Moderate or High.
Not applicable – No certification requirements, but Cyber Essentials recommended as good practice
Very Low – Maintain Cyber Essentials certification
Low –Maintain Cyber Essentials Plus and 16 additional controls
Moderate – Cyber Essentials Plus, with the same requirements as Low, but with 16 additional controls
High – Cyber Essentials Plus, with the same requirements as Moderate and Low, but with 12 additional controls
Full details of all of the controls can be found in DEF Stan 05-138 here.