Comment by hluska

Comment by hluska 4 days ago

8 replies

View on Hacker News

I’m reading the original tender and there is zero mention of ISO 9000. In fact, the tendering authority even specifically stated this opportunity was a good fit for SMEs.

Where does all this talk of standards come from?

marcus_holmes 4 days ago

In the tender there's one line:

> IV.1.8) Information about the Government Procurement Agreement (GPA) The procurement is covered by the Government Procurement Agreement: Yes

Googling the UK Government Procurement Agreement got me to:

> https://www.gov.uk/government/collections/government-standar...

which was when I realised this was a rabbit hole and while I am positive that somewhere deep in that rabbit hole would be a requirement for all procurement suppliers to meet ISO9000 or similar, I was going to have to spend hours finding it. Hours I don't have.

You can cheerfully dismiss this opinion if you like, I don't have the data to provide you evidence.

But I also think this proves my point; if you have to spend hours just finding out what the requirements are, you probably don't meet them.

Reply View 2 replies
  • duckmysick 4 days ago

    It's there in the The Model Services Contract, under Core Terms:

    > Quality Plans

    > 6.1 The Supplier shall develop, within [insert number] Working Days of the Effective Date, quality plans that ensure that all aspects of the Services are the subject of quality management systems and are consistent with BS EN ISO 9001 or any equivalent standard which is generally recognised as having replaced it ("Quality Plans").

    The Short Form Contract also have optional ISO 27001 or Cyber Essentials (which is, uh, an adventure on its own). But there's also an option for no certification required. It depends on the contract.

    But yes, you're right. Dealing with requirements takes time and experience and you likely need a dedicated person (or team) to deal with it.

    Reply View 1 reply
Aeolun 4 days ago

If this was a good fit for SME, and the price paid for the whole thing was 4M pounds, why didn’t any SME win the tender? Seriously, that’s the whole yearly turnover for most SME shops I ever worked at. And all of them could do a better job than this.

Reply View 1 reply
  • hkt 4 days ago

    That's possibly why: small businesses reliant on contracts that are, to them, disproportionately huge.. well, they die at the end of the contract. HMRC killed off an OpenStack based AWS competitor by replacing them, about ten years ago. Anchor clients can be a real hazard if an SME can't live without them. Sometimes it just isn't worth it.

    Reply View 0 replies
lwhi 4 days ago

For government tenders, I do know that agencies need certification. Maybe not ISO2001 (which is a security standard that many corporate procurement processes require the supplier to have obtained when purchasing software), but Cyber Essentials / Cyber Essentials Plus is common.

Reply View 2 replies
  • rcxdude 4 days ago

    Cyber Essentials is a lot more of a PITA than 9001, it's very prescriptive in ways that cause all kinds of headaches without helping security.

    Reply View 1 reply
    • henryaj 4 days ago

      I absolutely hated doing Cyber Essentials (Plus). Huge waste of time

      Reply View 0 replies