Home Office

Cyber Security Governance Risk and Compliance (GRC) Implementation Partner

Incomplete applications

Incomplete applications
1 SME, 2 large

Completed applications

Completed applications
6 SME, 10 large
Important dates
Opportunity attribute name Opportunity attribute value
Published Friday 8 December 2017
Deadline for asking questions Friday 15 December 2017 at 11:59pm GMT
Closing date for applications Friday 22 December 2017 at 11:59pm GMT


Opportunity attribute name Opportunity attribute value
Summary of the work A Cyber Security Governance Risk and Compliance (GRC) Implementation Partner is required to establish a GRC team, defining governance, roles and processes to provide a clear view of the Home Office cyber risk posture
Latest start date Thursday 15 February 2018
Expected contract length Up to 24 months. First Statement of Work for 12 months.
Location London
Organisation the work is for Home Office
Budget range £2.5m - £4m

About the work

About the work
Opportunity attribute name Opportunity attribute value
Why the work is being done The Home Office is growing its digital presence and becoming more data driven. A review of the cyber security for Home Office systems and data identified a number of actions required to securely enable this transformation, these include:
• Improving Home Office cyber security assurance processes by ensuring a risk-based approach, with the right level of technical rigour.
• Upgrading the security controls around core Home Office infrastructure.
• Building a central Cyber Security Operations Centre (CSOC) capability to monitor Home Office.
• Testing incident response processes, including simulating the impact of a major cyber incident on the department.
Problem to be solved Building on existing resources, establish a new central cyber security governance team, specifically:
1. Provide an interim BAU team for up to 12 months.
2. Establish Team processes and reporting cycle, integrate with wider Home Office governance and embed in BAU.
3. Produce/provide baseline Home Office Cyber Security Policies and Standards.
4. Determine and pilot a methodology to measure business risk appetite and reporting.
5. Determine and pilot a ‘Secure by Design’ process.
6. Support ServiceNow GRC module integration by defining requirements / workflow and conducting acceptance testing.
7. Support enduring Team recruitment and embed the team, including knowledge transfer
Who the users are and what they need to do The GRC team will report to the Head of Cyber Security, and will work across all Business Units within the Home Office, working with Asset owners to allow them to determine and measure the exact nature of their cyber risk and tolerances, that security resources are prioritised in accordance with our risk appetite and deliver return on investment, and with technical teams to ensure new systems are designed and maintained to a set of approved HO wide Security policies and standards.
Early market engagement
Any work that’s already been done A Discovery phase has delivered a GRC Strategy setting out the approach and activities to establish a GRC team and a Target Operating Model defining the team’s high level processes, organisation and governance. A set of draft Cyber Security Policies have been started, aligned to Cabinet Office objectives, and an initial list of required Cyber Security Standards has been created. Activities to define the Cyber demand model and KPIs, are planned to complete before this work commences. A limited number of existing cyber security resources (security architects, accreditors, policy managers) will need to be incorporated into the new structure.
Existing team The GRC Implementation Partner will build upon the limited resources described above and will work with a range of internal and external stakeholders, within a complex ecosystem of suppliers. To illustrate, the GRC Implementation Partner will need to collaborate with the overarching programme delivery partner(s), and with multiple other service providers within the cyber and infrastructure programmes.
Current phase Not applicable

Work setup

Work setup
Opportunity attribute name Opportunity attribute value
Address where the work will take place The team will be delivering output and outcomes primarily with a team located in Croydon and Central London. It is envisaged that travel to other Departmental locations in the UK may be required.
Working arrangements The supplier’s team will be required to be located on site for five days-per-week, whether alongside the programme team in Croydon or London, or at other Departmental locations around the UK.

It is envisaged that the GRC Implementation team will consist of 8-10 Consultants, including an overall Delivery Manager, and a TDA. The interim GRC BAU team will number 3x FTE consisting of Policy Consultants and Risk Analysts.

Day rates will be inclusive of travel and subsistence within M25. Travel and subsistence outside of M25 will be reimbursed in line with the Departmental policy, after approval from the HO-service manager.
Security clearance Individuals in the supplier’s team will require SC clearance, or be willing to undergo SC clearance checks. SC clearance needs to have been achieved before work can commence.

Additional information

Additional information
Opportunity attribute name Opportunity attribute value
Additional terms and conditions The payment approach is Fixed Price, but specific elements will be capped T&M, to be explained further in the pricing schedule

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Skills and experience
Opportunity attribute name Opportunity attribute value
Essential skills and experience
  • Outline experience of designing and delivering Governance Risk and Compliance function within cyber security programmes in the last 3 years
  • Outline experience in implementing Governance Risk and Compliance function methodologies, tools and resources
  • Outline experience of implementing a suite of Governance Risk and Compliance policies and standards within cyber security programmes in the last 3 years
  • Outline experience in running successful communications campaigns around cyber security awareness in the last 3 years
  • Outline experience of setting up a BAU team including conducting organisational design and training needs analysis, supporting recruitment, training newly appointed staff and knowledge transfer to the enduring team
  • Outline experience of mobilising an experienced GRC Operating model implementation and transformation team within the timescales and to managing its performance over the entire contract duration
  • Outline experience of collaborating and working alongside external delivery partners to enable the delivery of the wider Cyber Security Programme
Nice-to-have skills and experience
  • Outline experience of collaboration and functioning within complex ecosystems of suppliers and internal stakeholders, and ensuring that the end customer needs are represented and met
  • Proven thought leadership in implementing cyber risk assessment methodologies in complex governmental organisations.
  • Relevant professional qualifications, memberships and contributions to cyber security knowledge, corporately or by proposed team members

How suppliers will be evaluated

How suppliers will be evaluated
Opportunity attribute name Opportunity attribute value
How many suppliers to evaluate 4
Proposal criteria
  • Approach and methodology in planning and managing the delivery of the various work packages.
  • Solution design methodology and governance
  • Proposed team structure including CVs and relevant experience of named team members
  • Mobilisation plan, including capacity to be flexible with requirements and ability to quickly draw on/source other skills sets as required.
  • Supplier Exit Strategy, including knowledge transfer to HO BAU teams.
  • Risks identified with approach suggested and the solution to manage those risks.
  • Ensuring consistency of staff within the GRC implementation team
  • Value added activities which further improve delivery confidence
Cultural fit criteria
  • Approach to functioning effectively and collaboratively in a complex multi-supplier environment.
  • Approach to proactive issue management, problem resolution and improving ways of working
  • Approach to leading by example to keep data secure.
  • Approach to leveraging existing supplier knowledge and experience to the benefit of the wider programme
  • Strategy for leaving a sustainable legacy by providing learning opportunities / knowledge transfer events for the wider HO team.
Payment approach Fixed price
Assessment methods
  • Written proposal
  • Work history
  • Presentation
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

Questions asked by suppliers
Supplier question Buyer answer
1. Would you be able to comment on how this Implementation Partner requirement ties in with the three individual Cyber Roles published last week? This requirement is independent of the three cyber roles published earlier. All of these requirements are initiated within the Cyber Programme.
2. Please can you confirm if this is deemed inside or outside IR35 We will be contracting for outcome/deliverables (and not for individual specialist(s)) and therefore IR35 does not apply.
3. Can you confirm that the requirement includes both the Implementation Team of 8 - 10 consultants, as well as an interim BAU Team of 3 Consultants, that will transition to 3 FTE? The Implementation and interim BAU teams constitute separate teams, and will run concurrently. The requirement is that at the end of the contract term or earlier, the interim BAU team will hand over to permanent civil service staff.