1.1 The cyber security standard supports Government Functional Standard GovS 007: Security. GovS 007 sets out expectations and reasons for the security activities which organisations need to carry out to protect government assets. The cyber security standard defines the cyber security outcomes which organisations must meet and the assurance process which they must follow.
2.1 The cyber security standard contains both mandatory and advisory elements, using the same language as GovS 007:
- shall means a requirement: a mandatory element
- should means a recommendation: an advisory element
2.2 “Critical systems” are those that support the operation of the organisation’s essential services, day-to-day business and mission, and without which the organisation would not be able to operate. For example, the primary organisational corporate network.
3.1 Organisations shall comply with applicable cross-government policies published on the UK Government Security site and GOV.UK.
3.2 Organisations shall meet or exceed the security outcomes specified in the Cyber Assessment Framework (CAF) under the appropriate government CAF profile (Baseline or Enhanced) for their critical systems.
3.3 Organisations should meet or exceed the security outcomes specified in the CAF under the appropriate government CAF profile for all systems.
3.4 Organisations shall assure their critical systems using the GovAssure cyber assurance process.
3.5 Organisations delivering new digital services and technical infrastructure shall comply with the cross-government Secure by Design (SbD) principles, demonstrated by achievement of a “high” confidence profile using the SbD Self-Assessment Tracker.
4.1 Organisations shall take a threat-driven, risk-based approach when applying the government CAF profiles and implementing cross-government cyber security policies. Implementation shall be proportionate to the prevailing risk, delivered within practicable timescales, and aligned with business objectives and priorities. This allows organisations the flexibility to decide how to meet the specified security outcomes in practice.
4.2 Where a government department has responsibility for arm’s length bodies (ALBs), the department shall:
4.2.a) take a threat-driven, risk-based approach when applying the government CAF profiles and implementing cross-government cyber security policies within ALBs, proportionate to the prevailing risk and aligned with ALBs’ business objectives and priorities.
4.2.b) define the extent to which the GovAssure cyber assurance process will be implemented for their ALBs, either through the complete GovAssure process, partial implementation, or exemption.
4.3 Where an organisation is not compliant with the government CAF profiles, or with cross-government cyber security policies, this risk shall be formally managed and the appropriate mitigations put in place in line with the organisation’s risk tolerance.
4.4 If applicable, organisations should have a plan in place to work towards future compliance with the cyber security standard, in a way that meets their business objectives and priorities and ensures continuous improvement over time.
5.1 Further guidance for organisations to help them meet the security outcomes in the CAF is provided on the UK Government Security site and by the National Cyber Security Centre.
5.2 For more information on the CAF and the Baseline and Enhanced government CAF profiles, see Introduction to the Cyber Assessment Framework.
6.1 Email gsgcyber@cabinetoffice.gov.uk if you have any questions regarding the cyber security standard.
OFFICIAL