Now is the time to act. The Scottish public sector’s resilience to potential cyber attacks is being overhauled. The Scottish Public Sector Cyber Resilience Scheme, set up by the Scottish government, is enforcing a change to the way the public sector treats cyber threats. With this legislation potentially extending to general businesses in the future, the question is: are you ready?

In light of the EU’s General Data Protection Regulation (GDPR) and the Directive on security of network and information systems (NIS Directive), organisations would be well served by aligning themselves with what the government is doing and starting to develop a cyber resilience strategy based on the principles of global best practice in information security and business continuity management.

The three stages of progression

In order for a public-sector body to be fully compliant, the Scottish government has set out three stages of progression:

1. Initial baseline: By the end of June 2018 (or end of October 2018 in the case of Cyber Essentials certification and independent assurance of critical controls), public bodies must have achieved the ‘initial baseline stage’, which involves having a common baseline of good cyber resilience practice in place in the short term.

2. Target: Public bodies are expected to be aligned with the new Security Policy Framework Technology Security Standard and other key existing standards and guidelines.

3. Advanced: These requirements will align with the NIS Directive legislation and guidance. Scottish public bodies in the health and water sectors will automatically be subject to these requirements under relevant legislation.

Alan Calder, the founder and executive chairman of IT Governance, the leading provider of governance, risk management, compliance (GRC) and cyber security compliance solutions, says that it is critical that Scottish organisations start their compliance journey as soon as possible.

He said: “Cyber crime is perhaps the single biggest threat to modern businesses, and attacks are continually on the rise. The Scottish government’s legislation is something that we as an industry welcome to encourage more organisations to incorporate effective cyber resilience into their practices.

“What’s fantastic to see is that the scheme aligns with leading examples of cyber security, such as the international information security standard, ISO 27001, and the UK’s Cyber Essentials Scheme, and that the Scottish government has acknowledged that effective business continuity management is a crucial part of a comprehensive cyber resilience programme.”

Scottish Cyber Resilience Scheme June 2018 deadlines

With two key deadlines already passed, Scottish public bodies will now have an eye on June 2018, the next deadline for cyber resilience foundations to be laid. Some of these foundations include:

  • Confirming that a Cyber Essentials pre-assessment has taken place
  • Having cyber resilience training and a cyber incident response plan in place
  • Becoming an active member of the NCSC’s CiSP (a joint industry and government initiative set up to reduce cyber threats)

A comprehensive guide with solutions to enable compliance with the entire Scottish Cyber Resilience Scheme framework can be downloaded from the IT Governance website: www.itgovernance.co.uk/scottish-public-sector-cyber-resilience-framework.

The Scottish government has identified a range of standards, guidelines and controls that can contribute to increased cyber resilience, including ISO 27001, Cyber Essentials and the Payment Card Industry Data Security Standard (PCI DSS).

IT Governance recently opened a new Edinburgh office to further support local organisations and the Scottish public sector in aligning their cyber resilience strategies with international best practice. IT Governance is a specialist in ISO 27001 implementation, Cyber Essentials certifications, the PCI DSS and the GDPR. Please visit our website www.itgovernance.co.uk for more information about our cyber resilience products and services, or email servicecentre@itgovernance.co.uk or call +44 (0)333 800 7000 to get in touch with our consultancy team.