PPN Cyber Essentials (PPN 09)

The Cabinet Office PPN mandating Cyber Essentials for central government contracts handling personal data at OFFICIAL.

Michael Kitt, Founder of KimonBids · Compliance

Definition

PPN Cyber Essentials (formally PPN 09, formerly PPN 03/23 and earlier PPN 09/14) is the Cabinet Office Procurement Policy Note mandating Cyber Essentials certification for central government contracts that handle personal data at OFFICIAL classification. Where the contract handles sensitive personal data or large volumes of personal data, Cyber Essentials Plus is mandated instead. The PPN applies as a pass-fail check at the Selection Questionnaire stage of in-scope procurement.

How it works in practice

PPN 09 distinguishes contracts handling personal data at OFFICIAL (requiring Cyber Essentials) from contracts handling sensitive personal data or operating at OFFICIAL-SENSITIVE (requiring Cyber Essentials Plus). The contracting authority assesses the contract risk profile and states the required CE / CE+ level in the tender documents.

Suppliers must hold valid certification at the time of bid submission and maintain currency through the contract term. Letting certification lapse during a live contract is grounds for breach.

CE+ adds significant compliance overhead compared with CE: external vulnerability scanning, authenticated configuration review, and a longer certification timeline. SMEs without strong existing cyber capability often need 6-8 weeks of preparation and external advisor support for first-time CE+.

The PPN sits alongside the NHS Data Security and Protection Toolkit (which substantially overlaps with CE / CE+ requirements for NHS contracts) and broader cyber security PPNs covering specific sectors. ISO 27001 is sometimes accepted in lieu of CE+ for organisations with mature information security management systems; check the specific tender.

The Procurement Act 2023 supplier conduct regime tracks cyber-related contract breaches; sustained cyber failures contribute to the public conduct record.

Common questions

When is Cyber Essentials Plus required instead of Cyber Essentials?

When the contract handles sensitive personal data, large volumes of personal data, or operates at OFFICIAL-SENSITIVE classification. The contracting authority assesses risk profile and states the required CE / CE+ level in the tender. NHS contracts handling patient data typically require CE+; many local authority contracts handling personal data require CE.

Does ISO 27001 replace Cyber Essentials?

Sometimes. ISO 27001 is a comprehensive ISMS that exceeds CE / CE+ in scope and depth. Some buyers accept ISO 27001 in lieu of CE+ where the ISMS scope covers the contract context. Other buyers require CE / CE+ specifically regardless of ISO 27001. Check the specific tender; do not assume ISO 27001 substitutes without confirmation.

How quickly can I achieve Cyber Essentials Plus?

Typically 6-8 weeks end-to-end for an organisation in reasonable security shape: 2-3 weeks of preparation, 1-2 weeks for external technical assessment, 1-2 weeks for certification body review and issue. SMEs without existing cyber capability may need 3-4 months including remediation of issues surfaced by the technical assessment.

Related terms
