Further to the consultation earlier this year on the selection of a cyber security standard for UK businesses, universities, charities and others, a research report was published in November.
The report covers the consultation responses, interviews and analysis. It identified properties (Annex B) of over 100 related standards, such as target sector, product type, service type, language, status, currency, relevance and prevalence (Annex C). Nine shortlisted standards were then assessed further against the government's cyber security framework.
- Australian Defence Signals Directorate (DSD) Information Security Manual (ISM); formerly known as "ACSI33"
- Bundesamt für Sicherheit in der Informationstechnik (BSI) '100 Series'
- HMG SPF (Security Policy Framework)
- IASME (Information Assurance for Small & Medium-sized Enterprises)
- ISF (Information Security Forum) Standard of Good Practice for Cyber Security (SGP)
- Payment Card Industry Data Security Standard (PCI-DSS)
- Publicly Available Specification (PAS) 555:2013 (including Annexes)
The analysis concluded that no single standard comprehensively covers the totality of cyber security as defined in the government's framework.
The government has therefore announced that it will not adopt a single existing standard, but will instead "work with industry to develop a new implementation profile" that is to become the preferred standard. It is understood that this "profile will be based upon key ISO27000-series standards and will focus on basic cyber hygiene".
The new profile will be developed in conjunction with the Information Security Forum (ISF) and Information Assurance for Small and Medium-sized Enterprises (IASME), and will be available free of charge in "early 2014".
Posted on: 30 December 2013 at 10:53 hrs