Out-Law News 2 min. read
02 May 2013, 3:28 pm
Businesses have until 14 October to submit their views on what the new standard should look like, but the Cabinet Office has now laid out guidance that sets out what the standard should be able to deliver (14-page / 176KB PDF) to help inform those submissions.
As part of its Cyber Security Strategy published in November 2011, the Government promised to develop industry-led cyber security standards for companies. It plans to endorse one standard that "best meets the requirements for effective cyber risk management". It has now said that the standard can either be new or existing, or even comprise a number of different "components of multiple existing standards".
Earlier this year it launched a call for evidence on the matter and said that the standard should be able to provide protection to all organisations against "low-end methods of compromise". These include "phishing and social engineering, malware and viruses". However, the Cabinet Office's new guidance has now stated that the department will consider solutions that can only protect businesses of a certain size.
"The submission should demonstrate the standard provides protection from low-end methods of compromise," the Cabinet Office guidance said. "The submission should further demonstrate the standard is applicable to organisations of all sizes. If the standard is not applicable to all organisations, the submission should clearly state the range of organisations the standard is applicable to. This should also include information on why the standard is suited to that particular range."
Businesses should "provide some rationale" on why the standards they propose would only apply to some organisations, it added.
The Cabinet Office previously outlined the "outcomes" that the new standard should be able to deliver, including that senior managers within companies can be held to account for failing to meet their cyber security responsibilities.
The department's guidance has now explained that businesses must show that the governance around use of its standard is able to ensure the appropriate "responsibilities are assigned", and that those who fail to meet their responsibilities can be held to account.
Businesses must also prove that there can be "confidence that the controls in place mitigate the risks posed from low-end methods of compromise". They can demonstrate this by showing there is a mechanism in place for "identifying the risks arising from low-end methods of compromise" and "monitoring and reporting the effectiveness of the controls intended to mitigate the risks", according to the Cabinet Office's guidance.
The organisational standard must also deliver a "binding code of ethics" that firms will have to commit to in order to boost the "trust in their commitment to cyber security". The standard should require senior managers to demonstrate their commitment to the ethics and for there to be a system for monitoring compliance with the code and for "acting upon breaches", the guidance said.
The Cabinet Office previously said that the new standard has either to be "internationally aligned" or there be a "clear path" towards it being recognised, aligned or adopted globally. It has now said that businesses will have to provide evidence of how their proposed solutions meet this objective, or at the very least show that there are "no significant barriers to the organisational standard becoming recognised or aligned internationally".
In addition, submissions should "indicate if the standard is currently being considered by relevant international communities or standards bodies".
The Cabinet Office has also set out criteria requiring businesses to demonstrate how their standard will be validated and how firms' compliance can be independently audited and associated audit costs controlled.
Businesses should also detail how widespread the standard is in use within the UK or their projections about how widely it could be adopted, as well as show that "future iterations" of the standard is open to wide stakeholder scrutiny and influence, it said.
