Letters from the neighbourhood

The tender grew a requirement. Here is the two-week version.

Dear reader,

Here is how it usually starts. You have bid on this tender before, or one very like it. Then this year’s version has grown a new line, tucked into the compliance schedule between the insurance clause and the referee list: “Vendor shall hold a valid Cyber Essentials certification issued by the Cyber Security Agency of Singapore, or provide a dated plan to obtain one.” The closing date is fifteen working days away. You have not started. This letter is for that Tuesday afternoon.

What the clause actually means

Strip the procurement language and the clause is asking one plain question: can you show, in writing, that you look after computers, data and passwords properly? Cyber Essentials is CSA’s baseline mark for exactly that, built for SMEs, covering five areas: assets, secure and protect, update, backup, and respond. It is not asking you to become a security company. It is asking you to prove the basics, in a format an assessor can check.

The second half of the clause, the “or provide a dated plan” part, is the part buyers rarely explain and bidders rarely use. Most government and enterprise procurement schedules, including the templates published through GeBIZ, accept a credible readiness timeline in place of the finished mark at bid stage, provided the certification lands before or shortly after award. A dated plan, signed by a named consultant, is a legitimate answer to this line. Silence is not.

The two-week plan, week by week

Our own readiness work is six days, spread over two to four weeks in the ordinary case, because evidence needs time to accumulate: a backup has to actually run once, a policy has to actually be read by staff before anyone can assess it. Two weeks is tighter than ordinary. Here is what a two-week version looks like when the date will not move.

Days 1 to 2 (this week): scope and gap assessment. We walk the business, not a template. What assets exist, what is already in place, and precisely where the gaps sit against the standard, graded like a mock exam so nothing stays vague.

Days 3 to 5 (this week): policies and quick fixes. Written policies your staff will actually read, plus fixes that can be done immediately: anti-malware switched on properly, admin access tightened, a password policy that is enforced rather than posted on a wall.

Days 6 to 8 (next week): the harder technical remediation. Patching schedules, backup configuration, and the one-page incident response plan. This is usually where two weeks gets tight, because it may depend on your IT vendor’s calendar, not just ours.

Days 9 to 10 (next week): evidence pack and dry run. Every control evidenced, every document filed, then a rehearsal of the assessment itself, so the real one holds no surprises.

What compresses, and what does not. Paperwork compresses well: policies, the response plan, the evidence pack, all move fast once the facts are gathered. What does not compress is anything that needs to be observed over time, chiefly backup testing (a restore has to be attempted and to work) and any staff habit that needs more than a week to bed in. In a genuine two-week case we say on day one which of those two we are compressing, and how, rather than quietly hoping the assessor does not ask.

What to send the buyer meanwhile

A dated plan is worth more at bid stage than most bidders realise, and it costs nothing to prepare. Once the gap assessment is scoped, we give you a one-page readiness plan to attach to the tender submission: the standard named, the consultant named, a start date, an expected completion date, and the CSA scheme reference. That single page answers the clause honestly, and reads to a procurement evaluator as considerably more credible than a bidder who says nothing and hopes the line gets skimmed.

The honest edge cases

Sometimes the date is not makeable, and the useful thing we can do is say so before you spend anything. Legacy systems that need vendor cooperation to patch, key staff unavailable for the whole window, or a closing date genuinely under two weeks with no flexibility from the buyer: a rushed mark helps nobody, not you, not the assessor, not the client who eventually relies on it. In those cases we say plainly whether two weeks is real, what a realistic date looks like instead, and whether the dated-plan route keeps you in the running while the actual work happens properly.

The mark, once issued, is valid for two years, so work done under time pressure now still has to hold up under normal scrutiny later. Worth remembering when anyone offers to “fast-track” a certification: readiness and certification are two different things, and only a certification body does the certifying. Our S$6,000 fee covers our six days of readiness work; eligible SMEs can have up to 70% of that co-funded under CSA’s CISOaaS programme. The certification audit is billed separately by the certification body.

We’ll take it from here. If you have a clause in front of you right now, read more about Cyber Essentials readiness or send us the paragraph and we will tell you, honestly, whether the date is makeable.

← Back to Letters from the neighbourhood

Bring us the tender. We'll bring the plan.

A 30-minute chat with a consultant, not a salesperson. You leave with a plan on one page, whether or not you hire us.