Author: Government Security Group (GSG), Cabinet Office

Becoming a GovAssure Independent Assurance Reviewer

This page is for companies who want to find out how to become an Independent
Assurance Reviewer for GovAssure.

As part of the fourth stage of GovAssure, most Government Organisations will be
required to undergo an Independent Assurance Review of their critical systems
against the National Cyber Security Centre’s (NCSC) Cyber Assessment
Framework.

Working with colleagues at Crown Commercial Service and the NCSC, we have
created a route on the Cyber Security Services 3 Dynamic Purchasing System (DPS),
listed under the ‘Consultancy and Advice’ service, for government organisations
to procure third-party reviews from companies for GovAssure.

Overview and supplier obligations

Before the assessment begins, the supplier will hold a planning meeting with the
Government Organisation and Government Security Group to outline review
timelines and logistics. In this meeting the Government Organisation will present
its completed GovAssure Scoping Document. The supplier will then work with the
Government Organisation throughout the review period, and will author a final
technical report, with the final version agreed by the Government Organisation
and Government Security Group.

The supplier will have secure access to the evidence and information presented by
the Government Organisation in their self-assessment of the Cyber Assessment
Framework. The Government Organisation will decide the most appropriate way of
sharing information with suppliers. The Government Organisation’s data and
information must not sit on the supplier’s network or devices.

Some further obligations:

  • The supplier should be willing to work virtually and in-person when required.
  • The final deliverable will be a final technical report for the Government Organisation providing an independent assessment of whether the Government Organisation meets the relevant Government profile under the National Cyber Security Centre’s Cyber Assessment Framework.
  • The supplier will only use the report template and WebCAF provided by Government Security Group when completing the independent assurance review and authoring the final technical report.
  • All members from the supplier’s team working on the Government Organisation’s GovAssure review will hold Security Check (SC) clearance.
  • For each GovAssure Independent Assurance Review that the Government Organisation bids for, there must be a named authority for the supplier. The named authority is responsible for signing off the outputs of the review on behalf of the supplier carrying out the audit.
  • This individual (the named authority) should be a Head Consultant for either Risk Management or Audit and Review.
  • The named authority does not necessarily need to perform parts of the assessment, but should have oversight throughout the review.
  • In signing off any of the outputs from the review, the named authority takes responsibility on behalf of their organisation that the audit has been conducted to satisfactory standards (both company and Cabinet Office) and will act as a point of escalation if any issues or questions subsequently arise.
  • The named authority for the supplier will have experience of working within HM Government (this includes the wider public sector).
  • The Government Organisation will require customer references or contract examples from the supplier.
  • In the interests of transparency, the supplier and Government Organisation must declare any potential conflicts of interest when it comes to providing assurance on a specific government system.
    • For example, the supplier may previously have been involved in the design of the system, in CHECK penetration testing of it, or in architectural design reviews.
    • This won’t necessarily preclude that company from bidding for the work, but failure to declare any interests could preclude them from bidding for future GovAssure work.
  • Suppliers will be required to complete a conflict of interest form as part of their submission.

Requirements for companies to conduct a GovAssure Review

For GovAssure, companies are required to:

  • Have prior experience of working with the UK Government in cyber security (including working in the wider public sector)
  • Have had the Head Consultant or named authority attend and complete the GovAssure assurance reviewer training session.
  • Hold SC clearance. This is a requirement due to the sensitive Government information that companies will have access to.

Upcoming GovAssure assurance reviewer training sessions

Please contact cybergovassure@cabinetoffice.gov.uk for information on GovAssure reviewer training sessions.

NCSC assured GovAssure Service

To be eligible for GovAssure work through the NCSC assured route, companies must already be active participants in two NCSC schemes, one from each of the pairs below:

One of:

  • Assured Consultancy Risk Management
  • Assured Consultancy and Review

And one of:

  • Assured Consultancy Security Architecture
  • CHECK Penetration Testing

Companies may wish to enter into partnerships with other companies in order to come
under the NCSC assured route on the marketplace. This should be made clear to the
buyer, and the Head Consultant or named authority must be clearly stated.

Non-NCSC GovAssure Service

To ensure capacity, companies who meet the following criteria will also be able to conduct GovAssure reviews.

One of:

  • ISO 27001 Lead Auditor
  • ISACA Certified Information Systems Auditor (CISA)

One of:

  • CREST Certified Penetration Tester
  • CREST Certified Infrastructure Tester
  • CREST Certified Web Applications Tester
  • CREST Certified Simulated Attack Specialist
  • CREST Certified Simulated Attack Manager
  • CREST Certified Intrusion Analyst
  • Cyber Scheme Team Leader (CSTL)
  • TigerScheme CHECK Team Leader (CTL or SST)

Companies are allowed to partner with other companies who meet these
requirements. They must agree to Crown Commercial Service’s commercial
guidance on sub-contracting. The risk owner must be clearly stated (e.g. the Head
Consultant from the contracting company).

Why have we set this approach?

Firstly, we consider that these requirements blend the necessary technical cyber
expertise with the essential skills of conducting assurance reviews. Furthermore,
alongside NCSC assured companies, we have opened the scheme to current non-NCSC
assured companies to increase engagement with industry across the whole country
and to encourage small and medium-sized enterprises (SMEs) to take part in the
scheme. By doing this we want to grow and develop the cyber industry across the
entire UK.

Approach for year two of GovAssure

For the first year of GovAssure, working with Crown Commercial Service, we have
created two routes for Government Organisations, as outlined above, to acquire
the services of an Independent Assurance Reviewer company for
Stage 4 of GovAssure (Independent Assurance Review).

In previous communications we advertised that the second-year approach would
be limited to NCSC GovAssure approved companies only. We want to continue building
market maturity for CAF assurance reviewers, so for year two of GovAssure we will
continue to accept both NCSC GovAssure Assured companies and Non-NCSC GovAssure
companies. The requirements under both of these routes will remain the same.

How does a company get on the GovAssure service via CCS?

Companies can apply to join the Cyber Security Services 3 DPS by accessing the
Supplier Registration System, scrolling down to ‘Cyber’ and clicking ‘access as a
supplier’.

The bid pack contains information on how to complete your application and within
the DPSQ you can select ‘GovAssure’ as a service.

If you are already registered on the DPS, please log in to your dashboard and click
‘Update DPSQ’ or ‘Respond’ underneath the relevant questionnaire. This will allow
you to edit your responses and select ‘GovAssure’ as a service.

Crown Commercial Services

Please visit CCS’ Cyber Security Services 3 website for further information on the
commercial agreement.

If you have any questions relating to how your company can get onto the framework,
please contact cyberdps@crowncommercial.gov.uk.
