- 15 Jan 2020
The Scottish public sector action plan on cyber resilience set out a commitment to develop a public sector cyber resilience framework.
This framework aims to provide a consistent way for Scottish public sector organisations to:
- assess their cyber resilience arrangements
- identify areas of strength and weakness
- gain reasonable confidence that they are adhering to minimum cyber resilience requirements
- take informed decisions on how/whether to achieve higher levels of cyber resilience on a risk-based and proportionate basis
In doing so, the framework seeks to:
- align with key wider cyber-related requirements under the General Data Protection Regulation (GDPR), the Security of Network and Information Systems (NIS) Directive and other standards
- minimise any additional burdens on Scottish public sector organisations, including by making clear how the framework relates to existing standards or requirements, and taking account of these when providing guidance on compliance
- provide a clear basis for internal and external audit and inspection activity, promoting greater consistency in the areas and issues covered by audit and inspection bodies when assessing Scottish public sector organisations
- help to provide clarity and assurance to individual organisations, Ministers, the Scottish Parliament and the public that appropriate levels of cyber resilience are in place across the Scottish public sector and its individual subsectors
A concept self-assessment tool has been made available to support public sector organisations to implement the framework.