Indispensable baseline security requirements for the procurement of secure ICT products and services

This short paper can be of use to suppliers and procurement officers when planning, offering and purchasing ICT products, systems and services. It is meant as a practical, technologically neutral document with clear, simple and sector-agnostic minimum necessary indispensable requirements for secure ICT products and services.


The procurement of key ICT products or outsourced managed services may result in intentional or unintentional security risks and incidents. However, due to the evolution of technology in ICT and the lack of expertise to decide which standards are relevant and appropriate for the particular ICT needs, it is not always the case that ICT procurements are standards-based.

Therefore, it is important to help procurers overcome these difficulties through common and sufficiently generic minimum indispensable requirements that will cover the whole lifecycle of the procured product or service and will eventually contribute to an appropriate (and desired) minimum level of security and resilience. In this context, ENISA set up an Expert Group composed of experts nominated from Member States to identify existing best practices and requirements and to use them to identify a set of indispensable baseline security requirements.

This collaborative approach will be extended in 2017 through the involvement of ECSO and other relevant organizations to further enrich an acceptable list of indispensable baseline security requirements for the procurement of secure ICT products and services

This site uses cookies to offer you a better browsing experience.
Aside from essential cookies we also use tracking cookies for analytics.
Find out more on how we use cookies.

Accept all cookies Accept only essential cookies