Home Office and BEIS first departments under the microscope in pilots of new independent cyber audits

Written by Sam Trendall on 16 January 2023 in News

External supplier brought in to run the rule over government systems as rollout begins of ‘GovAssure’ programme


The Home Office and the Department for Business, Energy and Industrial Strategy will be the first two departments to go through government’s new regime of independent audits of agencies’ cyber resilience.

The GovAssure process – completion of which will be a requirement for all Whitehall departments – was first trailed in the Government Cyber Security Strategy published in early 2022. The procedure will involve external experts assessing the cyber-resilience of agencies, flagging up potential risks, and recommending improvements.

As part of the ongoing pilot phase of the new security measures, BEIS and the Home Office will become the first two departments to undergo a GovAssure audit, freshly published commercial documents have revealed.

“Once [the audit is] complete, a department will receive a ‘get well’ report listing current vulnerabilities which will then allow it to spend its cyber budget more effectively and to mitigate specific risks quickly,” according to the text of a newly signed contract.

The Cabinet Office – home of the Government Security Group (GSG) – awarded the deal in question to C3IA. The Poole-based cyber consultancy will audit three systems at each department. The deal came into effect on 9 January and will last for an initial period of three months – plus a potential extension of a further three months. If the contract runs to its full potential term, it will be worth £104,166 to the supplier.


“Government Security Group are paying for a company to conduct the review on the departments’ behalf as this was a prerequisite for the departments participating in the pilots,” the contract said.

The Cabinet Office security unit, meanwhile, hopes that “the pilot phase… will allow us to test and hone the developed process and to gain insights from stakeholders on our approach”.

The contract cited the significance of allowing independent experts to examine systems – rather than relying on agencies’ own internal audit processes.

“GovAssure differs from other assurance processes as it will incorporate not only a self-assessment of the departmental cyber postures, but will also include a third-party assessment of the department to add rigour to the measurement against CAF (the Cyber Assessment Framework),” it said.

As it rolls out across departments, the new regime is intended to provide the Government Security Group with “a cross-government view of departmental cybersecurity postures”, the document added.

Once the audits have been completed, C3IA will deliver its findings to GSG alongside “feedback on what went well and what didn’t during reviews”, as well as taking part in a ‘lessons-learned’ exercise with the team of security officials leading the GovAssure programme.


About the author

Sam Trendall is editor of PublicTechnology. He can be reached on sam.trendall@publictechnology.net.
