Scottish public-sector bodies and their key partners are required to take certain measures to improve cyber security and promote cyber resilience by the end of 2018, according to the Scottish Public Sector Cyber Resilience Framework.
If you are a Scottish public body or your organisation deals with the Scottish public sector, and/or you’re looking to align your cyber resilience strategy with government best practice, you need to be aware of these deadlines:
End of March 2018
Undergo Cyber Essentials pre-assessment.
End of April 2018
End of June 2018
- Have minimum cyber risk governance arrangements in place.
- Become an active member of the NCSC’s CiSP (only public bodies that manage their own networks; those that do not should confirm they do not).
- Confirm a Cyber Essentials pre-assessment has taken place, that the report has been shared with senior management and that a decision has been made about whether to pursue Cyber Essentials or Cyber Essentials Plus certification. Reasons for the decision to pursue Cyber Essentials rather than Cyber Essentials Plus must be provided.
- Implement the NCSC’s ACD programme, or provide reasons if it is inappropriate to use it.
- Have appropriate cyber resilience training in place.
- Have appropriate cyber incident response plans in place.
End of October 2018
Adopt independent assurance of critical cyber security controls through Cyber Essentials certification.
Our free green paper Scottish Public-Sector Action Plan 2017–18: Summary and compliance guidance will help your organisation understand and comply with the plan.
The green paper includes the key actions that the Scottish government, public bodies and key partners must take. It also includes compliance obligations, including the General Data Protection Regulation (GDPR) and the NIS Directive, and the Scottish Public-Sector Cyber Resilience Framework.