Minimum standard on cybersecurity set for UK government departments

Out-Law News | 27 Jun 2018 | 9:18 am | 1 min. read

UK government departments must record which "security related responsibilities" lie with them and which with their suppliers when outsourcing services, according to new cybersecurity standards that have been mandated.

The new 'minimum cybersecurity standard' (7-page / 382KB PDF) was published by the Cabinet Office earlier this week.

The new standards address a number of areas, including specifying measures departments must put in place to protect their business technology, end user devices, email and digital services from exploitation of known vulnerabilities.

The standards also set expectations on governance, including an obligation that departments establish "clear lines of responsibility and accountability to named individuals for the security of sensitive information and key operational services".

The standards also require departments to identify and catalogue the sensitive information they hold and the key operational services they provide, and set out obligations on controls over access to that information and those services.

According to the standards, departments must also have measures in place to detect cyber attacks and have cyber incident response plans in place should a security incident occur. In addition, departments are expected to be able to continue delivering essential services where there is "any failure, forced shutdown, or compromise of any system or service".

Departments will be responsible for ensuring suppliers also meet the new standards.

"Departments shall understand and manage security issues that arise because of dependencies on external suppliers or through their supply chain," according to the new standard. "This includes ensuring that the standards defined … are met by the suppliers of third party services."

Cyber risk expert Ian Birdsey of Pinsent Masons, the law firm behind, said: "The question of cybersecurity standards commonly arises when dealing with data breaches. When regulators assert at the enforcement stage that the organisation concerned has not met the appropriate standard, it is often difficult to benchmark the organisation against a common minimum standard. Whilst the government’s new minimum standard applies to UK government departments, over time it will be interesting to observe the extent to which it influences regulators in other spheres."