diff --git a/app/controllers/organisation_relationships_controller.rb b/app/controllers/organisation_relationships_controller.rb
index 1f83a3edc..1bba91f19 100644
--- a/app/controllers/organisation_relationships_controller.rb
+++ b/app/controllers/organisation_relationships_controller.rb
@@ -4,6 +4,7 @@ class OrganisationRelationshipsController < ApplicationController
 
 
   before_action :authenticate_user!
+  before_action :authenticate_scope!
 
   def housing_providers
     housing_providers = organisation.housing_providers
@@ -27,4 +28,10 @@ private
   def search_term
     params["search"]
   end
+
+  def authenticate_scope!
+    if current_user.organisation != organisation
+      render_not_found
+    end
+  end
 end
diff --git a/spec/requests/organisations_controller_spec.rb b/spec/requests/organisations_controller_spec.rb
index 6bc335921..efbd42afe 100644
--- a/spec/requests/organisations_controller_spec.rb
+++ b/spec/requests/organisations_controller_spec.rb
@@ -284,6 +284,54 @@ RSpec.describe OrganisationsController, type: :request do
         end
       end
 
+      context "when accessing the housing providers tab" do
+        context "with an organisation that the user belongs to" do
+          let!(:housing_provider) { FactoryBot.create(:organisation) }
+          let!(:other_org_housing_provider) { FactoryBot.create(:organisation, name: "Foobar LTD") }
+          let!(:other_organisation) { FactoryBot.create(:organisation, name: "Foobar LTD") }
+          let!(:organisation_relationship) { FactoryBot.create(:organisation_relationship, child_organisation: organisation, parent_organisation: housing_provider, relationship_type: OrganisationRelationship.relationship_types[:owning]) }
+          let!(:other_organisation_relationship) { FactoryBot.create(:organisation_relationship, child_organisation: other_organisation, parent_organisation: other_org_housing_provider, relationship_type: OrganisationRelationship.relationship_types[:owning]) }
+
+          before do
+            get "/organisations/#{organisation.id}/housing-providers", headers:, params: {}
+          end
+
+          it "shows the tab navigation" do
+            expected_html = "<nav class=\"app-primary-navigation\""
+            expect(response.body).to include(expected_html)
+          end
+
+          it "shows an add housing provider button" do
+            expect(page).to have_link("Add a housing provider")
+          end
+
+          it "shows a table of housing providers" do
+            expected_html = "<table class=\"govuk-table\""
+            expect(response.body).to include(expected_html)
+            expect(response.body).to include(housing_provider.name)
+          end
+
+          it "shows only housing providers for the current user's organisation" do
+            expect(page).to have_content(housing_provider.name)
+            expect(page).not_to have_content(other_org_housing_provider.name)
+          end
+
+          it "shows the pagination count" do
+            expect(page).to have_content("1 total housing providers")
+          end
+        end
+
+        context "with an organisation that are not in scope for the user, i.e. that they do not belong to" do
+          before do
+            get "/organisations/#{unauthorised_organisation.id}/housing-providers", headers:, params: {}
+          end
+
+          it "returns not found 404 from users page" do
+            expect(response).to have_http_status(:not_found)
+          end
+        end
+      end
+
       describe "#edit" do
         context "with an organisation that the user belongs to" do
           before do
@@ -478,6 +526,54 @@ RSpec.describe OrganisationsController, type: :request do
         end
       end
 
+      context "when accessing the housing providers tab" do
+        context "with an organisation that the user belongs to" do
+          let!(:housing_provider) { FactoryBot.create(:organisation) }
+          let!(:other_org_housing_provider) { FactoryBot.create(:organisation, name: "Foobar LTD") }
+          let!(:other_organisation) { FactoryBot.create(:organisation, name: "Foobar LTD") }
+          let!(:organisation_relationship) { FactoryBot.create(:organisation_relationship, child_organisation: organisation, parent_organisation: housing_provider, relationship_type: OrganisationRelationship.relationship_types[:owning]) }
+          let!(:other_organisation_relationship) { FactoryBot.create(:organisation_relationship, child_organisation: other_organisation, parent_organisation: other_org_housing_provider, relationship_type: OrganisationRelationship.relationship_types[:owning]) }
+
+          before do
+            get "/organisations/#{organisation.id}/housing-providers", headers:, params: {}
+          end
+
+          it "shows the tab navigation" do
+            expected_html = "<nav class=\"app-primary-navigation\""
+            expect(response.body).to include(expected_html)
+          end
+
+          it "doesn't show an add housing provider button" do
+            expect(page).not_to have_link("Add a housing provider")
+          end
+
+          it "shows a table of housing providers" do
+            expected_html = "<table class=\"govuk-table\""
+            expect(response.body).to include(expected_html)
+            expect(response.body).to include(housing_provider.name)
+          end
+
+          it "shows only housing providers for the current user's organisation" do
+            expect(page).to have_content(housing_provider.name)
+            expect(page).not_to have_content(other_org_housing_provider.name)
+          end
+
+          it "shows the pagination count" do
+            expect(page).to have_content("1 total housing providers")
+          end
+        end
+
+        context "with an organisation that are not in scope for the user, i.e. that they do not belong to" do
+          before do
+            get "/organisations/#{unauthorised_organisation.id}/housing-providers", headers:, params: {}
+          end
+
+          it "returns not found 404 from users page" do
+            expect(response).to have_http_status(:not_found)
+          end
+        end
+      end
+
       describe "#edit" do
         before do
           get "/organisations/#{organisation.id}/edit", headers:, params: {}
@@ -617,7 +713,7 @@ RSpec.describe OrganisationsController, type: :request do
 
             it "has search results in the title" do
               get "/organisations/#{organisation.id}/lettings-logs?search=#{log_to_search.id}", headers: headers, params: {}
-              expect(page).to have_title("#{organisation.name} (1 log matching ‘#{log_to_search.id}’) - Submit social housing lettings and sales data (CORE) - GOV.UK")
+              expect(page).to have_title("#{organisation.name} (1 logs matching ‘#{log_to_search.id}’) - Submit social housing lettings and sales data (CORE) - GOV.UK")
             end
 
             it "shows lettings logs matching the id" do
@@ -761,7 +857,7 @@ RSpec.describe OrganisationsController, type: :request do
 
             it "has search results in the title" do
               get "/organisations/#{organisation.id}/sales-logs?search=#{log_to_search.id}", headers: headers, params: {}
-              expect(page).to have_title("#{organisation.name} (1 log matching ‘#{log_to_search.id}’) - Submit social housing lettings and sales data (CORE) - GOV.UK")
+              expect(page).to have_title("#{organisation.name} (1 logs matching ‘#{log_to_search.id}’) - Submit social housing lettings and sales data (CORE) - GOV.UK")
             end
 
             it "shows sales logs matching the id" do
@@ -1025,11 +1121,11 @@ RSpec.describe OrganisationsController, type: :request do
             end
 
             it "updates the table caption" do
-              expect(page).to have_content("1 organisation found matching ‘#{search_param}’")
+              expect(page).to have_content("1 organisations found matching ‘#{search_param}’")
             end
 
             it "has search in the title" do
-              expect(page).to have_title("Organisations (1 organisation matching ‘#{search_param}’) - Submit social housing lettings and sales data (CORE) - GOV.UK")
+              expect(page).to have_title("Organisations (1 organisations matching ‘#{search_param}’) - Submit social housing lettings and sales data (CORE) - GOV.UK")
             end
 
             context "when the search term matches more than 1 result" do