FOI/202600500467 · FOI · unclear
Transport Scotland penetration testing and security testing data: FOI release
Information requested
For each of the last three completed financial years (or the closest available reporting period), please provide the following:
1. Total annual spend on penetration testing and/or security testing services (including external penetration testing, infrastructure testing, application testing, and cloud security testing).
2. Number of engagements or testing exercises conducted per year (for example: annual tests, quarterly tests, ad-hoc engagements).
3. Type of testing procured, where recorded (e.g. infrastructure, web application, internal, external, cloud).
4. Whether the services were:
Procured via a framework, or
Procured through direct award / individual contracts (framework name not required, if this reduces effort).
Response
The answers to your questions are:
1. For the majority of our relevant systems, annual independent penetration testing is a requirement of the overall service contract by which those systems are supported, maintained and developed. This means that we are unable to disaggregate the costs for penetration testing for those systems.
However, we do have one internally-developed system which was penetration tested in Financial Year 2025/26 at a cost of £11900.
2. For the systems that we were unable to disaggregate above, testing has taken place on an annual basis, whilst for the internal system, penetration testing has only taken place once in the period you deemed as being of interest to you.
3. The only directly-procured testing was of web application / cloud, and that holds true for the other tests too, with one of those also being a test of infrastructure.
4. For the one directly-procured service, this was awarded under a single-supplier contract managed by the Scottish Government.
About FOI
The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at https://www.gov.scot/foi-responses.
Contact
Please quote the FOI reference
Central Correspondence Unit
Email: contactus@gov.scot
Phone: 0300 244 4000
The Scottish Government
St Andrew's House
Regent Road
Edinburgh
EH1 3DG