Scope
Reference
6190559
Description
An Assured Audit Service Provider from the National Cyber Security Centre (NCSC) Cyber Resilience Audit Scheme is to complete an on-site Network and Information Security (NIS) Compliance Audit of the essential service and supporting network and information systems. The objective of the NIS Audit Services is to assist the NIS Competent Authority (CA) in assessing the OES level of compliance with regulation 10 of the Network and Information Systems Regulations 2018.
The Compliance Audit will use the (NCSC) Cyber Assessment Framework (CAF) which determines the minimum standard expected from the OES. Assessment will be made against each Contributing Outcome and associated Indicators of Good Practice (IGP) and “Not Good” practice as outlined in the CAF.
The scope of the NIS Compliance Audit is to be against the OES essential service, as defined by the OES. This will encompass all critical network and information systems and processes necessary for the continued delivery of the essential service.
Total value (estimated)
- £450,000 excluding VAT
- £540,000 including VAT
Above the relevant threshold
Contract dates (estimated)
- 30 April 2026 to 29 April 2030
- Possible extension to 29 April 2031
- 5 years
Description of possible extension:
The inclusion of a 12-month extension option is primarily to provide flexibility in the event that follow-up audit schedules are adjusted or delayed. Audit timelines can shift due to factors such as resource availability, changes in regulatory requirements, or unforeseen operational constraints. By allowing for an extension, we ensure continuity of service without the need for a new procurement process, maintain compliance with NIS obligations, and avoid any gaps that could impact audit readiness or certification status.
Main procurement category
Services
CPV classifications
- 72000000 - IT services: consulting, software development, Internet and support
- 72200000 - Software programming and consultancy services
- 72220000 - Systems and technical consultancy services
- 72223000 - Information technology requirements review services
- 72224000 - Project management consultancy services
- 72227000 - Software integration consultancy services
- 72800000 - Computer audit and testing services
- 72810000 - Computer audit services
Lot 1. Lot 1: BHSCT, NIAS
Description
Belfast Health and Social Care Trust (BHSCT) and Northern Ireland Ambulance Service (NIAS)
Lot value (estimated)
- £150,000 excluding VAT
- £180,000 including VAT
Same for all lots
CPV classifications and contract dates are shown in the Scope section, because they are the same for all lots.
Lot 2. Lot 2: SEHSCT, SHSCT, WHSCT, NHSCT
Description
Southern Health and Social Care Trust (SHSCT), South Eastern Health and Social Care Trust (SEHSCT), Northern Health and Social Care Trust (NHSCT), and Western Health and Social Care Trust (WHSCT)
Lot value (estimated)
- £300,000 excluding VAT
- £360,000 including VAT
Same for all lots
CPV classifications and contract dates are shown in the Scope section, because they are the same for all lots.
Submission
Enquiry deadline
13 March 2026, 3:00pm
Tender submission deadline
26 March 2026, 3:00pm
Submission address and any special instructions
Tenders may be submitted electronically
Yes
Languages that may be used for submission
English
Award decision date (estimated)
30 April 2026
Award criteria
| Name | Type | Weighting |
|---|---|---|
| Price | Price | 30% |
| AC02 - Project Plan | Quality | 25% |
| AC03 - Associated Risks | Quality | 25% |
| AC01 - Methodology | Quality | 10% |
| Social Value | Quality | 10% |
Other information
Payment terms
One invoice per Trust to be submitted upon the completion of Final Audit Report
Conflicts assessment prepared/revised
Yes
Procedure
Procedure type
Open procedure
Contracting authority
Business Services Organisation (BSO) Procurement and Logistics Service (PaLS).
- Public Procurement Organisation Number: PWNJ-1991-NGDW
77 Boucher Crescent
Belfast
BT12 6HU
United Kingdom
Email: ict.sourcing@hscni.net
Region: UKN06 - Belfast
Organisation type: Public authority - central government
Devolved regulations that apply: Northern Ireland