The Scottish Prison Service is procuring a framework agreement for IT Health Check and Cyber Essentials services. The framework is expected to appoint up to three suppliers and will run for 36 months, with a possible 12-month renewal.
This is a focused cyber security requirement, rather than a broad IT services framework. Suppliers can review the Find a Tender notice before preparing a response. Thornton & Lowe supports technology and cyber suppliers through IT tender support.
Scope of services
SPS requires suppliers to deliver on-site IT Health Check services, including internal and external penetration testing, vulnerability scanning and security assessments across its networks, systems and data centres. The scope also includes clear reporting and remediation guidance.
The framework may be used for related ad hoc IT security work. Suppliers appointed to the framework will be responsible for carrying out annual IT Health Checks to maintain PSN(P) accreditation and Cyber Essentials Plus accreditation.
Why this is a specialist opportunity
This is a no-lot framework with a small supplier panel. That means bidders need to show relevant cyber security capability very clearly. Generic managed IT service content is unlikely to be enough unless it is backed by strong evidence of penetration testing, ITHC, security assessment, remediation reporting and accreditation support.
Because SPS operates in a public order and safety environment, bidders should also think carefully about assurance, confidentiality, staff competence, secure reporting, risk management and continuity. Our article on bid reviews may be useful for testing whether technical answers are sufficiently buyer-focused.
Key dates and evaluation
- Tender submission deadline: 22 July 2026 at 12:00pm
- Tender validity: Until 21 September 2026
- Procurement route: PCS-Tender, project code 32109
- Award criteria: 60% technical and 40% price
- Selection criteria: Technical and professional ability requirements are set out in the procurement documents
Bid preparation priorities
Strong bidders should prepare evidence of comparable ITHC work, Cyber Essentials Plus support, penetration testing methodology, vulnerability assessment, secure reporting, remediation planning, data protection, staff certifications, quality assurance and delivery in sensitive or high-security environments.
If you're bidding for this framework, Thornton & Lowe can help you turn technical cyber expertise into a clear, compliant and evidence-led framework response.
