Cyber Resilience Framework

The Scottish Public Sector Action Plan on Cyber Resilience set out a commitment to develop a Scottish Public Sector Cyber Resilience Framework.

The key aim of this Framework is to: 

Provide a common, effective way for Scottish public sector organisations to assess their cyber resilience arrangements, identify areas of strength and weakness, gain reasonable confidence that they are adhering to minimum cyber resilience requirements, and take decisions on how/whether to achieve higher levels of cyber resilience on a risk-based and proportionate basis. 

In doing so, the Framework seeks to:

  • Align with key wider cyber-related requirements under the General Data Protection Regulation (GDPR), the Security of Network and Information Systems (NIS) Directive and other standards;
  • As far as possible, minimise any additional burdens on Scottish public sector organisations, including by making clear how the Framework relates to existing standards or requirements, and taking account of these when providing guidance on compliance;
  • Provide a clear basis for internal and external audit and inspection activity, promoting greater consistency in the areas and issues covered by audit and inspection bodies when assessing Scottish public sector organisations; and
  • Help to provide clarity and assurance to individual organisations, Ministers, the Scottish Parliament and the public that appropriate levels of cyber resilience are in place across the Scottish public sector and its individual subsectors.
Go to Framework

The framework outlines a natural hierarchy of the common cyber security standards, with PSAP/Cyber Essentials as the baseline and the Network and Information Systems Regulations at the advanced level.

The PSAP encouraged all public sector bodies to achieve the baseline by October 2018 and it is anticipated that the majority of public sector bodies will move to achieve the Target stage by the end of 2020.

Key Water and health sector organisations are already working towards the NIS regulations and the Scottish Government expects that a number of other bodies will align themselves with NIS as a sensible and pragmatic approach to managing their cyber risks and threats.

429

Cyber Resilience Framework

Provide a common, effective way for Scottish public sector organisations to assess their cyber resilience arrangements, identify areas of strength and weakness, gain reasonable confidence that they are adhering to minimum cyber resilience requirements, and take decisions on how/whether to […]

Back to top of the page