A Cyber Resilience Strategy for Scotland: Public Sector Action Plan 2017–2018
The importance of cyber resilience in Scotland’s public bodies has never been greater. Digital technologies bring enormous opportunities for Scottish public services, but they also bring new threats and vulnerabilities that need to be managed.
The Public Sector Action Plan has been developed, and will be delivered, in partnership between the Scottish government and the NCRLB (National Cyber Resilience Leaders’ Board). It sets out the key actions that the Scottish government, public bodies and key partners in the wider public sector, including local authorities, universities and colleges, will have to take to promote an aligned approach to cyber resilience.
Although there are already strong foundations in place, the plan’s aim is to ensure that Scotland’s public bodies work towards becoming exemplars in respect of cyber resilience and are well on their way to achieving this by the end of 2018.
Stages of progression
There are three stages of progression: initial baseline, target and advanced.
- The initial baseline stage should have been achieved by the end of June 2018 “or the end of October 2018 in the case of Cyber Essentials certification and independent assurance of critical controls”.
- The target stage is for public bodies to work towards a new Security Policy Framework Technology Security Standard, on a risk-based and proportionate basis.
- The advanced stage will align with the NIS Regulations legislation and guidance. “Scottish public bodies in the health and water sectors will automatically be subject to these requirements under relevant legislation.”
Scottish Public-Sector Action Plan 2017–2018: Summary and compliance guidance
Our free green paper will help your organisation understand and comply with the action plan. It outlines:
- The deadlines for public bodies;
- Your compliance obligations; and
- The Scottish Public Sector Cyber Resilience Framework.
Key actions and deadlines for Scottish public bodies
Under the plan, Scottish public bodies should have:
- Provided written assurance at board level, by the end of March 2018, to the Scottish government in line with key monitoring and evaluation measures that have been introduced;
- Implemented minimum cyber risk governance arrangements by the end of June 2018;
- Ensured membership of the NCSC’s (National Cyber Security Centre) CiSP (Cyber Security Information Sharing Partnership) to promote cyber threat intelligence sharing, by the end of June 2018;
- Instituted initial arrangements for cyber resilience staff training and awareness by the end of June 2018;
- Adopted effective cyber incident response plans by the end of June 2018;
- Implemented the Scottish Procurement Policy Note and grant funding guidance as part of the Scottish Public Sector Cyber Resilience Framework by June 2018;
- Started reporting against a new Cyber Resilience Framework from the end of June 2018;
- Provided informal, working-level responses to enquiries regarding progress from the Scottish government Cyber Resilience Unit, including one-off written assurance at board level on specific actions; and
- Adopted independent assurance of critical cyber security controls by the end of October 2018 through Cyber Essentials certification.
Monitoring and evaluation
For Scottish public-sector cyber catalysts, a bespoke monitoring and evaluation framework has been developed to provide assurance to Scottish ministers, the public and the Scottish Parliament with regard to progress towards best practice in cyber resilience in their organisations.
Cyber Essentials certification is a key requirement for public-sector organisations
The plan sets out 11 key actions that the Scottish government and its partners ought to have taken during 2017–18 to help address these issues and ensure confidence in standards of cyber resilience in Scotland’s public bodies. Two of these actions relate specifically to achieving Cyber Essentials certification.
- Key action 4: The Scottish government is supporting Scottish public bodies to ensure they have appropriate independent assurance that critical technical controls are in place to protect against the most common cyber threats by the end of October 2018. Public bodies should have:
  - End of March 2018: Undergone the Cyber Essentials “pre-assessment” funded (to defined limits) by the Scottish government.
  - End of April 2018: Taken a board/senior management-level decision on whether to pursue Cyber Essentials or Cyber Essentials Plus certification.
  - End of October 2018: Achieved Cyber Essentials or Cyber Essentials Plus certification.
- Key action 11: The Scottish government is putting in place an effective monitoring and evaluation framework to help assess progress against this action plan and, once developed, the Scottish public-sector Cyber Resilience Strategy. Public bodies should have:
  - End of October 2018: Provided one-off written confirmation that Cyber Essentials or Cyber Essentials Plus certification (or, exceptionally, alternative independent assurance) has been achieved.
Speak to an expert
If you have any questions or concerns regarding cyber resilience, get in touch with our local experts who will be happy to help.