Government plans to create new cyber security standard based on ISO27000-series

Out-Law News | 28 Nov 2013 | 12:25 pm | 2 min. read

A new cyber security standard is to be created in the UK, the Government has announced.

The Government had intended to endorse one existing standard that "best meets the requirements for effective cyber risk management", it said previously, but after analysing information provided by industry the Department for Business, Innovation and Skills (BIS) has now said that there is no single standard that "fully met [its] requirements".

BIS has published a summary of the responses it received from businesses to its call for evidence earlier this year on creating a new organisational cyber security standard. It said that "the greatest volume of support" from the business groups that responded was for the ISO27000-series of standards to be adopted as the Government's preferred standard. However, BIS rejected a straight adoption of those standards because of flaws it identified in that framework.

"The ISO27000-series of standards have perceived weaknesses in that implementation costs are high and that due to their complexity SMEs sometimes experience difficulties with implementation," BIS said in its report. "The fact that in the previous version businesses were free to define their own scope for which area of their business should be covered by the standard can also make auditing ineffective and inconsistent."

However, BIS said that a new "implementation profile" will be developed based on "key ISO27000-series standards" (6-page / 115KB PDF) and that this will "become the Government’s preferred standard".

"We will aim for this new profile to be launched in early 2014," BIS said. "This will do more than fill the accessible cyber hygiene gap that industry has identified in the standards landscape; it will be a significant improvement to the standards currently available in the UK. We view the use of an organisational standard for cyber security as the next stage on from the 10 Steps to Cyber Security guidance - enabling businesses, and their clients and partners, to have greater confidence in their own cyber risk management, independently tested where necessary."

The Department said that businesses including major defence and security industry players BAE Systems, BT and Lockheed Martin, had agreed to adopt the new standard. The standard also has the "public support" of Ernst & Young, GlaxoSmithKline and the British Bankers’ Association, among others, it added. The Government will use the standard in its own procurement where it is "relevant and proportionate", it said.

BIS also said that it would look to create a new "assurance framework" around the new cyber security standard to be formed. This will allow businesses to distinguish themselves from others on the basis of meeting the standard.

"In parallel to developing the cyber hygiene profile, we plan to work with industry to develop an assurance framework to support the profile," it said. "Once businesses have ‘passed’ their audit they would be able to state publicly that they were properly managing their basic cyber risk and they had achieved the Government’s preferred standard. Businesses that conform to the standard will be able to use some form of ‘badge’ when promoting themselves, stating they have achieved a certain level of cyber security."

BIS' announcement came a couple of days after it published a report into cyber security standards (105-page / 4.49MB PDF), following research that accountancy firm PwC conducted into the issue.

The report identified more than 1,000 separate cyber security standards that are in operation across the world. It said that organisations mitigate cyber risks "differently depending on the size of the organisation and its sector".

According to the study 52% of organisations at least partially implement a standard relevant to cyber security, but only 25% of companies implement it fully. Of those businesses, just a quarter seek external certification of their compliance with those standards. Businesses cited cost as the main reason why they do not adopt a standard.

"Organisations stated predominantly commercial and business reasons for their lack of adoption of cyber security standards and the investment in external certification," the report said. "This suggests a perceived lack of clarity surrounding the business case for cyber security standards."