Back to the Knowledge hub

PSSS ISO Requirements: Are You Already Qualified?

When suppliers think about what it takes to get onto a new framework, the instinct is usually to assume there’s a mountain of new work ahead. With PSSS, that might not be true for you.

If you already hold certain certifications, you could be considerably further along than you think, without having done anything differently.

 

Why certifications matter more for PSSS

GCA has signalled a clear intent for PSSS to give buyers access to suppliers who’ve already met a higher minimum standard. That’s one of the ways it’s expected to differ from more open, lighter-touch routes like G-Cloud. GCA is expected to require five certifications for PSSS, though it hasn’t yet confirmed whether they’ll apply at the application stage or the call-off stage, since it hasn’t published the ITT.

That’s genuinely good news if you’re already certified. It’s a real point of differentiation between suppliers who’ve invested in formal accreditation and those who haven’t. It’s also exactly the kind of thing that could strengthen your application with comparatively little extra effort.

What’s likely to be asked for

GCA hasn’t yet confirmed whether these apply at application or call-off stage, but PSSS looks set to require five certifications (or equivalents):

  • ISO/IEC 27001 (information security management), the most directly relevant to any supplier handling data as part of a software offering
  • Cyber Essentials or Cyber Essentials Plus, increasingly a baseline expectation across UK public sector procurement generally
  • ISO 9001 (quality management), a strong signal of process maturity
  • ISO/IEC 20000 (IT service management), common among managed service providers and suppliers delivering ongoing support
  • ISO 14001 (environmental management), less universally held, but public sector buyers are weighing sustainability more heavily, so it’s worth having if you can

If you already hold any of these, treat that as a genuine asset in your PSSS preparation, not just background paperwork.

A quick self-check

Before you assume you’ve got work to do, it’s worth checking where you actually stand:

  • Do you hold ISO/IEC 27001, or an equivalent information security certification?
  • Do you hold Cyber Essentials or Cyber Essentials Plus?
  • Do you hold ISO 9001, or a comparable quality management standard?
  • Do you hold ISO/IEC 20000, particularly relevant if you deliver ongoing support or managed services?
  • Do you hold ISO 14001, or another recognised environmental management standard?
  • If you hold any of the above, are they current, renewals lapse more often than people expect?

If you answered yes to most of these, you’re likely in a stronger position for PSSS than you assumed. You’ll probably get more value putting your prep time elsewhere, into service definitions, pricing, or case studies, rather than starting a certification process from scratch.

What if you’re not there yet?

If you don’t hold these certifications, this is exactly why it’s worth starting now rather than waiting for the ITT. Certification, particularly ISO/IEC 27001 or ISO/IEC 20000, isn’t something you can turn around in a few weeks. The assessment process alone typically takes several months, and that’s before you factor in getting your organisation ready for it.

Suppliers who start that process now will have it in hand by the time PSSS opens. Suppliers who wait for confirmation risk running out of runway entirely.

If you’d like help figuring out where you stand, or what to prioritise before the ITT, we’re happy to talk it through.

Book a chat with us

CTA banner with the headline

Related resources

You may also be interested in