London Borough of Waltham Forest

face to face cyber security training for all staff at London Borough of Waltham Forest

9 Incomplete applications

7 SME, 2 large

14 Completed applications

13 SME, 1 large

Important dates

Friday 21 February 2020
Deadline for asking questions
Friday 28 February 2020 at 11:59pm GMT
Closing date for applications
Friday 6 March 2020 at 11:59pm GMT


Summary of the work
Classroom based cyber security training is required for all Council IT System users to ensure wider awareness of risks of a breach.

questions to

happy to receive supporting documents/proposals via email, but please also complete the response online
Latest start date
Monday 20 April 2020
Expected contract length
maximum 24 months, but expected to be less.
Organisation the work is for
London Borough of Waltham Forest
Budget range

About the work

Why the work is being done
London Borough of Waltham Forest is looking for a specialist training provider, to deliver face to face cyber security training to the whole organisation, which uniquely different to standard classroom courses. The successful provider will:
• Be capable of targeting audience – all councillors (60), all staff (circa 2800 employees) at all levels, irrespective of business area/ specialism or skills.
• Have professional training expertise to communicate and translate Cyber Security awareness, in a non-technical, interactive, real-world format, to mixed ability IT literate staff group.
• Focus on culture change through face to face engagement
• Raise awareness and understanding of Cyber Security and human error
• Deliver the course outcomes - that all staff understand cyber threats, will be vigilant and confident to report all suspicious activity.
The provider would have an experience working within local authority setting, with awareness of systems and processes used by council staff.
Problem to be solved
The Knowledge on information security best practice, for example ISO27001 and Cyber Essentials.
Trainers must have CISSP: Certified Information Systems Security Professional or equivalent certification.
Suppliers interested in bidding for this project should upload a up to 2 pages A4 document, outlining their suitability for this project, responding to 3 quality questions listed below.
Suppliers must provide examples of three recent similar contracts, with contact details for reference.
Evaluation Criteria with weightings -quality:
1. Please describe, using examples, how you will deliver interactive and varied format of course and content, taking into consideration the range of business units and systems in a council (15%)
2. Please outline the course content and your understanding of Effective Knowledge and communication (10%)
3. Methodology - describe how you will achieve the objectives of the training; delivering up to 12 weekly sessions, over 6 – 8 months. (15%)
Who the users are and what they need to do
user are staff who use internal and external IT systems, including email
we need to ensure people are aware of the risks in opening emails from unknown sources and that they are fully aware of the risks of IT system use.
We need to ensure we have no further breaches of cyber security so that our systems and reputation is not put at risk.
Early market engagement
one supplier was engaged to form the requirements no furtehr engagement has taken place
Any work that’s already been done
Online cyber security training
Existing team
approximately 2700 users of IT systems, many of whom are not particularly IT literate. even expert IT users will be compelled to take the course
Current phase

Work setup

Address where the work will take place
London Borough of Waltham forest town hall campus
meeting/conference rooms will be made available.
Working arrangements
On site - sessions expected to be 90 - 120 minute so up to 3 sessions a day
courses ideally to be completed within 3 months, must be completed within 12 months
Security clearance
none required

Additional information

Additional terms and conditions
CCS Framework terms and conditions apply, subject to internal legal approval.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • provide up to date technical expertise in Cyber Security
  • have the ability to provide clear and understandable training to non-IT experts
  • work onsite to provide training in cyber security
Nice-to-have skills and experience

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
Proposal criteria
  • technical expertise
  • training expertise
  • Value for Money
  • Approach and methodology
  • How their proposal meets the council needs
  • Estimated timeframes for the work
  • How they’ve identified risks and dependencies and offered approaches to manage them
  • cultural fit
Cultural fit criteria
  • Work as a team with our organisation and other suppliers
  • Be transparent and collaborative when making decisions
  • Take responsibility for their work
  • Share knowledge and experience with other team members
  • Can work with clients with low technical expertise
Payment approach
Fixed price
Additional assessment methods
  • Case study
  • Reference
  • Presentation
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. Will all three sessions be on the same day?
There will be many more sessions than 3. The idea is that there will be up to 3 sessions a day, but there are 2700 people to train. We would like suppliers to suggest how they will do this training and the maximum number of staff per session.
2. What is a standard working day?
9:00 – 17:00 Monday to Friday
3. Are the sessions expected to be two hours?
This will be dependent on the supplier’s proposal, but they are expected to be between 90 minutes and 2 hours
4. In terms of submitting pricing for this submission, are you expecting to see a total fixed for the entire duration of training? or per session? or per day? or per week?
Total fixed price for all sessions
5. Are materials required for attendees?
we would expect some handouts such as copies of slides
6. Are trainer expense and accommodation to be included in the price?’
7. Are you able to share the reasons that you have decided to undertake F2F training rather than something like an audited online training system?
We already have an online training system for Cyber Security called Dojo. The face to face training is designed as a big push this year to highlight cyber across the council.
8. The tender notice advises "Suppliers interested in bidding for this project should upload a up to 2 pages A4 document, outlining their suitability for this project, responding to 3 quality questions listed below"
However there is no functionality to upload a document only respond to the resource availability date and 3 Main Questions (capped at 100 words).
How should we submit the A4 document to yourself?
And with reference to providing pricing also, the same question please.
There are limitations with the Digital Marketplace and we acknowledge that it may not be possible to respond within 100 words. This may break CCS rules, but you can send me your responses and just make a note in your online response that you have done so.
Any questions received via email will be copied and answered here.
9. How many users will require face to face training? Does it include staff and contractors?
2800 approximately
10. Will you provide the training room and equipment (projectors, microphone etc) to go through training with the Council staff?
A room will be provided, but there is a shortage of Audio Visual equipment so we cannot guarantee projectors or microphones. Most room have Large Screens that can be used.
11. Do you have a specific time frame or deadline for the training to be completed by?
The target is for all staff to be trained by end of summer although this is negotiable and assumes a start by the end of April
12. Will you provide a resource to coordinate and ensure all the users register and attend the training session?
Yes. the person will be appointed once the procurement is completed.
13. Do you have any specific topic areas or messages in mind to cover during the training? Example: ISO 27001 compliant security policies, Cyber Threats, Risk assessment, Data Privacy Notice, Data breach reporting process etc.
Messages related to the impact to users, residents and council of not being Cyber aware across the key subject areas from 10 steps of cyber security as published by NCSC. The message needs to be hard hitting and fun using real world examples to ensure that people remember what to do when they spot a potential cyber related problem and why this is important. Please note, this is not an exercise to repeat best practice from leading accreditation for information security.
14. What is the decision making process for this opportunity?
We will review the responses, presentation, demo and score the opportunity using a panel of stakeholders from the authority. The winning tender will demonstrate that they have understood the requirement, the culture in Waltham forest and can deliver training that will engage all staff and Cllrs across the Council.
15. What information do you need from us to provide you the assurance and comfort that we will be able to deliver the training services successfully?
Please provide a case study which you feel demonstrates your capability for delivering training.
16. 16. Within 'Problems to be solved' it advises: "The Knowledge on information security best practice, for example ISO27001 and Cyber Essentials." Is this confirmation of related accreditation's, qualifications, working knowledge and experience?
Qualification provide assurance that the potential vendor has the background and understanding of cyber security best practice. Ideally, trainers would have this or similar background working knowledge. Accreditation is preferred but not essential
17. Refer to previous question - is this a problem to be solved in terms of an overview to be included in the training covering CE+ and ISO27001 and Cyber Security standards, best practices and general overview?
Training content should not include/focus/cover or include an overview of CE or IS027001. The information should be used to guide and inform the training agenda with a view to enable trainees to act and recognise cyber threats.
18. Has a budget been set for this face-to-face training and if so, what is the maximum amount approved?
A budget has been set, but we do not wish to influence suppliers by advertising the figures. We leave it to the market to find the right levels.
19. Will there be internet available / WiFi connection for the trainer in the room(s) where the training will be delivered?
The town hall campus does have public WiFi that can be used by the trainers
20. Are you requesting to see both:

1 x Case study and/or 3 x summarised contract examples or would you accept 3 x contract examples with summary and details of how, what, where etc?
As long as we have examples which demonstrate capability, there is flexibility here as long as its clear that the docs demonstrate capability.
21. Is the panel requesting to see the course in a demo format or a high level overview of the course? And in which format would you prefer to see this in?
The panel want to see an example demo of the course which shows the potential and flavour of the content. This will need to be 10 – 15 min max.
22. Should the commercial pricing offer be contained within the 2 page A4 response document i.e. within word/pdf or do you wish to see this as a separate document? For example Excel.
Please provide pricing in a suitable format which shows line items for the course. You can send the response as a separate attachment if you wish.