Scottish Public Sector Cyber Resilience Framework

Find IT Governance in Lot 3 of the new Scottish Government Dynamic Purchasing System

The Scottish Public Sector Cyber Resilience Framework is aimed at improving cyber security and promoting cyber resilience in public sector organisations.

The impact of recent large-scale cyber attacks (such as WannaCry), together with the General Data Protection Regulation (GDPR) and the NIS Directive, requires decisive action to ensure continuity of service delivery. Non-compliance with these two key pieces of legislation may have significant ramifications from May 2018.

All public sector bodies in Scotland are required to take urgent measures to develop cyber resilience and to become "exemplars" in online security. One of the first requirements was to get a Cyber Essentials pre-assessment by March 2018.

What is cyber resilience?

“Cyber resilience means being able to prepare for, withstand, and rapidly recover and learn from deliberate attacks (or accidental events) that have a disruptive effect on interconnected technologies. Cyber security is a key element of being resilient, but cyber resilient people and organisations recognise that being safe online goes far beyond just technical measures.”

Public Sector Action Plan on Cyber Resilience

A Public Sector Action Plan on Cyber Resilience was launched in November 2017 which outlines how Scottish public bodies can improve cyber security and be more secure online.

It sets out the 11 key actions that the Scottish Government, public bodies and key partners will take up to the end of 2018 to further enhance cyber resilience in Scotland’s public sector.

The action plan lists 11 requirements, and minimum cyber risk governance arrangements must be in place by the end of June 2018.

Stages of Progression

There will be three stages of progression – initial baseline, target and advanced.

The initial baseline stage must be achieved by end June 2018 “or end October 2018 in the case of Cyber Essentials certification and independent assurance of critical controls”.

The target stage is for public bodies to work towards a new Security Policy Framework Technology Security Standard, on a risk-based and proportionate basis.

The advanced stage will align with the NIS Directive legislation and guidance. “Scottish public bodies in the health and water sectors will automatically be subject to these requirements under relevant legislation”.

Key Actions and Timelines

All Scottish public bodies will be asked to provide written assurance at board level to the Scottish Government by end March 2018, in line with the key monitoring and evaluation measures that have been introduced.

“The Information Commissioner has, for example, noted publicly that achieving Cyber Essentials accreditation can assist with preparing for GDPR. Public bodies should consider how work on cyber resilience aligns with their wider work on GDPR compliance.” (Public Sector Action Plan on Cyber Resilience)

  • The Scottish Government aims to develop a common cyber resilience framework for Scottish public bodies and update the Public Finance Manual by June 2018.
  • The Scottish Government aims to implement a dynamic purchasing system for procuring digital services, including cyber security (by October 2017).

All Scottish public bodies must:

  • Implement minimum cyber risk governance arrangements, by end June 2018.
  • Ensure membership of the NCSC’s Cybersecurity Information Sharing Partnership (CiSP) to promote cyber threat intelligence sharing by end June 2018.
  • Adopt independent assurance of critical cyber security controls by end October 2018 through Cyber Essentials certification.
    • Cyber Essentials pre-assessments must be undertaken by March 2018.
    • A board-level decision must be taken on whether to pursue Cyber Essentials or Cyber Essentials Plus certification by end April 2018.
    • The organisation must achieve Cyber Essentials or Cyber Essentials Plus certification by end October 2018.

Cyber Resilience Best Practice Guidelines

A set of best-practice guidelines has been developed to support the Cyber Resilience Action Plan.

The Scottish Government has listed a range of existing standards, guidelines and controls that can contribute to increased cyber resilience, including ISO 27001, Cyber Essentials and the PCI DSS.

Scottish public bodies should have regard to these best practice guidelines when providing governance statements and certificates of assurance under the requirements set out in the Scottish Public Finance Manual.

Funding will be made available for public bodies to undergo Cyber Essentials “pre-assessments”, by the end of March 2018.

Implications for non-public sector organisations

There are separate action plans in place for the private and third sectors.

  • Private sector action plan 2018-2020

    This details the key actions that the Scottish Government and its partners will take during 2018-20 to address existing issues and ensure greater confidence in standards of cyber resilience in Scotland’s private sector.

  • Third sector action plan 2018-2020

    This action plan sets out the steps which need to be considered for developing a Third Sector Cyber Resilience Framework/Pathway. This includes providing a simple, structured way for organisations in Scotland – particularly small and medium sized third sector organisations – to assess the cyber threat to their operations and to select an appropriate set of controls or guidance to help them work progressively towards strengthening their cyber resilience.

Monitoring and Evaluation

For Scottish Public Sector Cyber Catalysts, a bespoke monitoring and evaluation framework has been developed to provide assurance to Scottish Ministers, the public and the Scottish Parliament with regard to progress towards best practice in cyber resilience in their organisations.

Why work with IT Governance?

  • IT Governance is a leading provider of IT governance, risk management and compliance solutions.
  • We have been advising global businesses and government bodies for the last fifteen years.
  • We are known for delivering cost-saving and risk-reducing solutions based on international best practice and frameworks.
  • We offer everything you need to achieve cyber resilience – from standards, books, free resources, webinars, policies and procedure templates, gap analysis tools, PCI DSS compliance, ISO 27001 certification, business continuity and incident response management consultancy, training, penetration testing, staff awareness courses and software.
  • Find IT Governance in Lot 3 of the new Scottish Government Dynamic Purchasing System
