Guidance given to public bodies on software systems: FOI release
- Published
- 13 August 2025
- Directorate
- Digital Directorate
- Topic
- Public sector
- FOI reference
- FOI/202500473960
- Date received
- 30 June 2025
- Date responded
- 28 July 2025
Information request and response under the Freedom of Information (Scotland) Act 2002.
Information requested
1. What central guidance, standards, or obligations does the Scottish Government issue to public bodies on:
- Maintaining up-to-date software inventories and system registers
- Identifying and managing AI-enabled tools
- Avoiding duplication or legacy bloat
- Ensuring training, audit, and security compliance
2. What steps are being taken to improve central oversight, risk monitoring, or shared system frameworks in light of cyber threats?
3. Has any Scottish Government department conducted reviews of these issues in recent years, or is there any plan to do so?
Response
What central guidance, standards, or obligations does the Scottish Government issue to public bodies on:
- Maintaining up-to-date software inventories and system registers
- Identifying and managing AI-enabled tools
- Avoiding duplication or legacy bloat
- Ensuring training, audit, and security compliance
The public sector provides a range of digital public services and it is critical that these are secure and resilient. The Scottish Government encourages public sector organisations to adopt a proactive, risk based governance approach, with board-level accountability to build their cyber resilience. To support the sector’s ability to prevent, detect and manage cyber threats, the Scottish Government has set out a framework that provides an approach for public bodies to follow.
The Public Sector Cyber Resilience Framework, 2nd Edition (referred to as “PSCRF v2.0”) was issued to Public Sector Organisations in June 2024 and formally published in December 2024. This highlights key policies which Public Sector Organisations may wish to have in place, including asset management. The PSCRF v2.0 also includes key actions (page 6) around public sector organisations having independent assurance and appropriate training in place. It also includes specific controls on asset management and includes key actions from the 2023 action plans around putting in place appropriate independent assurance.
The PSCRF v2.0 emphasises the importance of asset management as a foundational element of cyber resilience. Public bodies are advised to maintain comprehensive and current inventories of hardware and software assets and ensure that these inventories are used to support patch management, vulnerability assessments, and incident response. It also advises Public Sector Organisations to align with standards such as ISO/IEC 27001 and NCSC guidance on asset management.
While the PSCRF v2.0 does not explicitly mention AI tools, it advises Public Sector Organisations to use risk-based approaches to new technologies, as well as Governance structures that ensure emerging technologies (like AI) are assessed for cyber risks, data protection, and ethical implications – and are integrated with broader digital governance and data protection impact assessments.
The PSCRF v2.0 encourages regular reviews of digital infrastructure to identify and decommission redundant or legacy systems. Public Sector Bodies should adopt cloud-first and shared service models to reduce duplication, and align with Digital Scotland Service Standards, which promote efficient, user-focused digital services.
On the final point, the PSCRF v2.0 recommends that public bodies provide cyber awareness training for all staff, with enhanced training for those in key roles. Public Sector Bodies are advised to undertake regular internal and external audits aligned with the framework’s 14 control themes, and to integrate these with GDPR, the NIS Regulations, and Cyber Essentials certification where applicable.
What steps are being taken to improve central oversight, risk monitoring, or shared system frameworks in light of cyber threats?
The Scottish Cyber Coordination Centre (SC3) Strategic Plan 2024–2027 outlines a comprehensive strategy to enhance cyber resilience across Scotland’s public sector. SC3 serves as the national coordination hub for cyber incidents, offering 24/7/365 on-call support to Public Sector Organisations. It plays a pivotal role in managing serious or multi-agency incidents, working in close collaboration with the National Cyber Security Centre (NCSC) and Police Scotland to ensure a coordinated and effective response.
A key feature of SC3’s approach is its commitment to data-driven risk monitoring. The Centre collects and analyses cyber risk metrics across the public sector, enabling it to provide timely and actionable threat intelligence. This includes the distribution of daily threat bulletins and weekly vulnerability reports. SC3 also promotes the use of automated threat intelligence sharing platforms, such as the CyberShield Malware Information Sharing Platform (MISP), to enhance situational awareness and collective defence.
To support consistency and reduce fragmentation, SC3 is actively working to establish common standards. It is piloting a Cyber Observatory that will collect data and provide tailored support to different parts of the public sector based on their specific needs. The Cyber Observatory is being developed to manage information from multiple relevant sources to allow Scottish Government to monitor maturity and identify common areas of strengths and weakness. This allows strategic decisions to be taken on the best up-to-date information available. Additionally, the Public Sector Cyber Resilience Survey is being developed and will be issued to the public sector later this year. The intention is to help organisations benchmark their maturity (against the NCSC Cyber Assessment Framework) and identify areas for improvement.
SC3 also places a strong emphasis on preparedness and capacity building. It supports public bodies in conducting cyber exercises to test and refine their incident response capabilities. The centre issues early warning alerts (CREW Notices) in response to known vulnerabilities and incidents, and provides support for remediation efforts. Furthermore, SC3 is investing in training and upskilling initiatives to ensure that the public sector has a well-prepared and resilient workforce capable of responding effectively to evolving cyber threats.
Has any Scottish Government department conducted reviews of these issues in recent years, or is there any plan to do so?
The Scottish Government surveys Public Sector Organisations on their cyber resilience periodically through the Public Sector Cyber Resilience Survey. The most recent highlights were included in the Strategic Framework for a Cyber Resilient Scotland: End Year Review 2023-24. Further surveys will be conducted in the future, as part of the SC3’s new Cyber Observatory (outlined above).
Under the UK GDPR and the Data Protection Act 2018, public sector bodies must ensure that appropriate technical and organisational measures are in place when suppliers process personal data on their behalf. This includes ensuring data security, transparency, and accountability in all data processing activities.
The Network and Information Systems (NIS) Regulations require that a Competent Authority be designated to oversee the cyber security of essential service sectors. There are two competent authorities within Scotland. The Drinking Water Quality Regulator for Scotland is the competent authority for water. Scottish Ministers are the competent authority for Health Boards in Scotland that are operators of essential services.
Operators of Essential Services including those in devolved sectors must implement and maintain robust cyber security measures to protect their networks and information systems. In Scotland, the designated Scottish Health Competent Authority for the health sector conducts formal assessments and audits of all NHS Scotland health boards. These audits are aligned with the Public Sector Cyber Resilience Framework. They evaluate the effectiveness of risk management, cyber security controls, and governance processes.
We also work closely with the National Cyber Security Centre (NCSC) to ensure Scotland is well prepared for cyber threats and urge all organisations to follow the NCSC's advice and guidance.
About FOI
The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at https://www.gov.scot/foi-responses.
Contact
Please quote the FOI reference
Central Correspondence Unit
Email: contactus@gov.scot
Phone: 0300 244 4000
The Scottish Government
St Andrew's House
Regent Road
Edinburgh
EH1 3DG