What’s in the HM Government Cyber Security Standard (due March 2014)?

Prevent cyber-crime and make the UK a safer place to do business, as advised by Whitehall!

The UK Government is developing an industry-led, kitemark-style standard for cyber security. It focuses on the essential steps that every business should take to protect itself from low-level threats. In a speech outlining the Government’s cyber security progress, Cabinet Office Minister Francis Maude said that all central government departments will be expected to adopt this standard for their own procurement from 2014.

So what’s in this new UK “kite-mark style” standard for cyber security?

Sorry to be a tease, but as of 8 January the people who know precisely what the new HM Government Cyber Security Standard will contain are not saying. If you are planning to skip the rest of this homily, don’t. There are very good reasons to get busy in 2014 on the slippery topic of cyber security and how to go about it. In particular, you need to evaluate your stance on ISO27001:2013, the new and considerably more flexible version of ISO27001, the most widely adopted, internationally accepted standard for information security. If your organisation hasn’t already gained ISO27001 certification, it is missing out on opportunities to work with the organisations that have.

We have IT security already. Why do we need a ‘cyber security standard’?

To quote Malcolm Marshall, UK and global leader of the Information Protection and Business Resilience team at consultants KPMG:

“As governments worry about the scale of the cyber security threat, we can expect to see more national standards emerge, and greater pressure for ‘voluntary’ compliance. The US NIST cyber security framework and the UK government’s ‘kitemark’ are just two examples.”

Malcolm believes governments will put more emphasis on business compliance with regulations over the next year. I think that he’s right.

Isn’t Cyber Security just another Government ‘hoop to jump through’?

Well, of course, if you do serious business with governments, and with US and UK central departments in particular, you had better know about this; and if you want to win or retain procurement contracts, you would be pretty silly to ignore these standards. Admittedly, not every business needs to. There are plenty of internet businesses, for example, that operate globally and care very little what any particular jurisdiction requires.

Whatever you think of governments, though (and this commentator is as sceptical as the next IT-literate nerd), one of their more acceptable roles is to enact laws that protect citizens from thieves who don’t play by the rules.

However, even if your business has nothing to do with government contracts, you still need to understand the reasons behind these standards, i.e. the threats they address, even if compliance is (as yet) largely voluntary.

The UK Government’s cyber crime initiative is a worthy attempt to ‘govern’ sensibly: it invests in agencies that can help to fight back against increasingly sophisticated criminal gangs and that recommend best practice.

According to the BIS press release, the industry-backed “kitemark-style standard” will be launched in March 2014 as part of the £860 million cross-government National Cyber Security Programme.

IT Governance will be discussing how best to tackle the growing threat. Our aim is to assist the government’s mission by working with our clients in industry to comment on and help develop an official “cyber security standard” which will help stimulate the adoption of good cyber practices.

ISO27001:2013 – just too big and expensive for the smaller enterprise?

Some lobbyists have claimed that ISO27001 in particular is too unwieldy, complicated and expensive to meet the cyber security needs of the private sector. Can a small company with fewer than 20 employees achieve certification to ISO27001, an international standard that could help it win business, for an affordable sum?

You are cordially invited to attend our one-day event, held jointly with the UKAS-accredited certification body NQA, to find the answers for yourself.

Costing just £35+VAT per delegate, this event will help you to determine your cyber security readiness and protect your organisation from the hacking threat, regardless of which standards or recommendations you implement.

Learn about the cyber security standards adopted globally, why ISO27001 is the world leader, and what you can gain by adopting management system standards that help to position your enterprise.

One of our ISO27001 consultancy clients, Andy Shettle, set up an SME that relies more on his skills and the internet than on a large staff, and yet he chose to certify to ISO27001. He did so for under £5,000.

To quote the entrepreneur:

“The requirement from our clients is to be secure and by planning and implementing an ISO27001-compliant information security management system (ISMS) we are able to offer complete confidence. With cloud deployments increasing, prospective clients of Workforce Metrics are seeking further assurances around IG and ISO27001 is an internationally recognised standard, so it was vital that we had it.” (Andy Shettle, Managing Director, Workforce Metrics).

(To find out how he gained UKAS-accredited ISO27001 certification, you could do worse than read the IT Governance case study, Workforce Metrics achieves ISO27001 certification in only three months for under £5k! It’s free and ready for you to download now.)

So what has changed over the last year that means we need cyber security?

A lot.

The trends that Andy Shettle identifies, growing cloud deployments and clients demanding assurance, are also on the IT Governance radar, and I suggest that we all need to factor a standards-based approach into our current and future planning.

Want to find out how to implement an international ‘cyber security standard’, ISO27001, and come out a real winner among your competitors, regardless of which technology you choose to adopt (or are forced to accept, because the waters around you have risen) in 2014?

Our one-day event, held at NQA in Houghton Regis, Central Bedfordshire, will help you to understand how to use ISO27001:2013 to fully account for cyber security and information security issues.

Best advice: book as fast as you can!

*  *  *  *

If you would like to find out more about ISO27001:2013 and how to set up and run an Information Security Management System (ISMS), talk to our consultants by calling: 0845 070 1750.

Bookmark this page as well!
