UK Government Minimum Cyber Security Standard

Part of the Government Functional Standard for Security

What is the UK government’s Minimum Cyber Security Standard?

Launched by the UK government in June 2018, the MCSS (Minimum Cyber Security Standard) is the first in a proposed series of technical standards to be developed in collaboration with the NCSC (National Cyber Security Centre). It will be incorporated into the Government Functional Standard for Security when it is published.

The MCSS sets out a series of mandatory cyber resilience outcomes that all government departments (including “organisations, agencies, Arm’s Length Bodies and contractors”) must achieve in order to meet their obligations under the SPF (Security Policy Framework) and National Cyber Security Strategy.

The Standard can also be used by any other organisation to benchmark its cyber resilience efforts.

What are the MCSS requirements?

As the MCSS’s name suggests, the government expects departments to meet these standards as an absolute minimum and, ideally, exceed them. It plans to release new measures over time to increase departments’ ability to prepare for, respond to and recover from cyber attacks.

The MCSS comprises ten sections, also known as standards, covering five categories:


1. Departments shall put in place appropriate cyber security governance processes.
2. Departments shall identify and catalogue sensitive information they hold.
3. Departments shall identify and catalogue the key operational services they provide.
4. The need for users to access sensitive information or key operational services shall be understood and continually managed.


5. Access to sensitive information and key operational services shall only be provided to identified, authenticated and authorised users of systems.
6. Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities.
7. Highly privileged accounts shall not be vulnerable to common cyber-attacks.


8. Departments shall take steps to detect common cyber-attacks.



9. Departments shall have a defined, planned and tested response to cyber security incidents that impact sensitive information or key operational services.


10. Departments shall have well defined and tested processes in place to ensure the continuity of key operational services in the event of failure or compromise.

The DSP Toolkit and the Minimum Cyber Security Standard

It is not just government departments that must comply with the MCSS.

For instance, all organisations that access NHS patient data must demonstrate their compliance with the Department of Health and Social Care’s data security and information governance requirements via an annual self-assessment.

Version 2 of the DSPT (Data Security and Protection Toolkit) standard “incorporates the requirements of […] the Minimum Cyber Security Standard (MCSS) for relevant larger NHS organisations”.

Learn more about the DSPT

Fulfilling your MCSS requirements

The MCSS’s outcomes-based approach allows departments “flexibility in how the standards are implemented, dependent on their local context”. This means compliance “can be achieved in many ways, depending on the technology choices and business requirements in question”. 

IT Governance’s range of cyber security products and services can be tailored to suit any organisation’s requirements.  

From consultancy services to training, staff awareness programmes, security testing, documentation toolkits, standards, software, books and guides, we have everything you need to support and enhance your security programme.   

Learn more about our cyber security solutions

This website uses cookies. View our cookie policy
SAVE 10%