Cyber Resilient Scotland - strategic framework: action plan 2025-2030
Sets out the key actions during 2025 to 2030 to deliver the priorities set out in the strategic framework for a Cyber Resilient Scotland.
Outcome 4
Public sector organisations effectively manage their cyber risks
4.1 Positioning Cyber Risk and Assurance as a Leadership Priority
Public sector leaders ensure that cyber risk and assurance are embedded in strategic planning and at board level, and that they drive a culture of accountability and resilience throughout the organisation.
The SG NCRU and SC3 will:
- establish and promote mandatory cyber security and resilience policies and baseline standards to ensure consistent and effective cyber risk management across the public sector
- strengthen public sector leaders’ understanding of cyber risk through a targeted programme of awareness raising for Chief Executives, board members and audit and risk committee leads, and by promoting resources including NCSC’s Board Toolkit and Cyber Governance Training.
Public sector organisations will:
- designate a board member or senior leader to be responsible for assuring organisational cyber resilience.
4.2 Embedding Cyber Resilience into Governance
Organisations integrate relevant cyber security standards, regulations and compliance into governance, business risk management, planning and daily operations.
The SG NCRU will:
- promote the UK Government Cyber Governance Code of Practice to all public sector organisations
- promote the ScotlandIS Cyber Directory and ITMS Directory as the central source for Scotland based cyber products and services across the public sector.
Public sector organisations will:
- establish robust governance arrangements for cyber security and resilience, including:
  - incorporating cyber risks within strategic or corporate risk registers
  - regular consideration of cyber risks at senior management and audit and risk committee levels
  - appointing a designated board member responsible for cyber security and resilience
  - adopting appropriate cyber security standards, such as NCSC’s Cyber Assessment Framework
  - obtaining independent assurance of critical technical controls, for example through Cyber Essentials and Cyber Essentials Plus
  - understanding the organisation’s critical systems and dependencies, implementing measures to mitigate impacts on essential functions and maintaining plans to restore services after an incident
  - familiarising themselves with the UK Government’s cyber security Codes of Practice
  - improving cyber security measures based on lessons learned from exercises and incidents.
Public sector advisory and regulatory bodies will:
- embed cyber threat and risk information within their guidance to public bodies.
4.3 Ensuring Incident Readiness
Organisations have robust incident response capabilities and regularly test and exercise.
Public sector organisations will:
- participate in the Scottish Government’s annual assessment (CRA) of the cyber maturity of the Scottish public sector
- continuously monitor networks and systems with secure logging in place
- maintain secure, reliable backups required to restore essential functions
- develop and maintain cyber incident response plans
- test incident response plans at least annually against common attack scenarios at technical, operational and strategic levels, following SC3 guidance, including using tools from SC3, NCSC and relevant open-source providers
- review and share lessons identified and learned from exercises and significant incidents through the Public Sector Cyber Resilience Network and SC3 reports
- act quickly on Cyber Resilience Early Warning Notices.
4.4 Securing legacy systems and introducing secure-by-design and default systems
Organisations plan to migrate to modern secure-by-design and secure-by-default systems and/or to put in place appropriate mitigations to secure legacy systems.
Public sector organisations will:
- review and understand their use of legacy systems
- mitigate vulnerabilities associated with legacy systems in the short term
- replace legacy systems with secure‑by‑design and secure‑by‑default alternatives in the longer term.
4.5 Using Trusted Tools
Organisations use proven security solutions, including NCSC’s Active Cyber Defence services.
Public sector organisations will:
- adopt NCSC Active Cyber Defence measures (where eligible), including Early Warning and Protective DNS (PDNS).
4.6 Securing the Supply Chain
Organisations actively manage third-party risks with confidence and throughout the life cycle of contracts.
The SG NCRU and SC3 will:
- support public bodies with advice, guidance and common solutions to secure their supply chains.
Public sector organisations will:
- build appropriate cyber assurance into procurement and contract management processes.
4.7 Building Professional Capability
Organisations develop their professional cyber security workforce, through inclusive recruitment, training, professional development and career progression. Cyber security staff will be encouraged to register with the UK Cyber Security Council, with a view to gaining a relevant professional standard.
The SG NCRU will:
- encourage public sector organisations to support the continuous professional development of their cyber security workforce
- promote the UK Cyber Security Council and the benefits of professionalisation, creating opportunities for engagement with cyber professionals across Scotland
- provide employers with practical guidance to attract, recruit and retain diverse cyber talent by identifying and removing barriers, including those affecting women and those with disabilities.
Public sector organisations will:
- encourage continuous professional development of their cyber security staff.
4.8 Raising Workforce Awareness
The public sector workforce demonstrates strong cyber resilient behaviours.
Public sector organisations will:
- provide appropriate cyber resilience training and awareness for staff at all levels
- signpost staff to authoritative cyber resilience training and resources via CyberScotland Portal and the NCSC website.
4.9 Reporting Cyber Incidents
Organisations report cyber incidents to Police Scotland, NCSC, SC3, ICO, where appropriate.
Public sector organisations will:
- use the Scottish Public Sector Cyber Incident Notification Process to report incidents to SC3, Police Scotland and NCSC, where appropriate
- report a cyber crime to Police Scotland on 101
- notify relevant regulatory authorities, such as the ICO, to report cyber security incidents within required timescales.
4.10 Strengthening Cross-Sector Collaboration
The public sector, government, academia and industry continue to build stronger partnerships to improve incident response and share knowledge, innovation and expertise.
The SG NCRU and SC3 will:
- exchange and co‑develop briefing materials for the public sector
- organise quarterly Public Sector Cyber Resilience Network events
- utilise the expertise of the National Cyber Resilience Advisory Board to provide strategic advice and constructive challenge to support effective delivery of the Strategic Framework for a Cyber Resilient Scotland
- encourage widespread use of CyberScotland Portal for best practice guidance and support.
Contact
Email: CyberResilience@gov.scot