To improve cyber risk governance among public-sector departments and their suppliers, the UK government has issued a series of minimum cyber security standards that will be incorporated into the Government Functional Standard for Security.
The first standard to be incorporated, the Minimum Cyber Security Standard (MCSS), comprises ten sections across five broad categories: Identify, Protect, Detect, Respond and Recover. It also sets expectations for governance, obligating government departments to create “clear lines of responsibility and accountability to named individuals for the security of sensitive information and key operational services”.
The standards also require government departments to identify and catalogue the sensitive information they hold, and set out obligations for identifying and managing cyber security risks, managing supply chain security, and implementing access controls and TLS encryption.
Although the UK government has made strides in introducing cyber security measures in the past decade with its 10 Steps to Cyber Security and the Cyber Essentials framework, this is the first technical standard for cyber security developed by the government in collaboration with the National Cyber Security Centre (NCSC). Consequently, the new standards are more outcomes-based, meaning government departments will be required to adopt a more mature approach to cyber risk management.
The MCSS presents a minimum set of measures, but encourages departments to “look to exceed them wherever possible”, adding that “over time, the measures will be incremented to continually ‘raise the bar’, address new threats or classes of vulnerabilities and to incorporate the use of new Active Cyber Defence measures that Departments will be expected to use and where available for use by suppliers”.
Departments will be responsible for ensuring suppliers also meet the new standards.
How to comply with the new Minimum Cyber Security Standard
If your organisation is looking to comply with the UK government’s new MCSS, we recommend certifying to ISO 27001, the international standard that describes best practice for an information security management system (ISMS).
The Standard’s framework fulfils the majority of requirements stipulated by the MCSS, and is designed to help organisations manage their security practices in one place, consistently and cost-effectively.
Get started today
Our gap analysis service is ideal for those who want help getting started with ISO 27001, as it provides detailed advice on the areas that need most focus.
One of our experts will conduct an in-person review of your information security posture and assess whether you are ready to begin an ISO 27001 implementation project. They will provide you with:
- A proposed scope of your ISMS;
- An overview of your internal resource requirements; and
- A potential timeline to achieve certification readiness.