On 28 November 2013, the UK Government's Department for Business, Innovation and Skills (BIS) announced, following a report on “UK Cyber Security Standards”, that a new cyber security standard is to be created based on the ISO27000-series. The new standard will be created after BIS reviews the more than 1,000 separate cyber security standards currently in operation globally. The announcement came as a surprise, as it had previously been suggested that the government would endorse an existing standard; however, BIS concluded that no single existing standard, and no ‘one size fits all’ approach, fully meets its requirement for effective cyber risk management.
The main findings of the BIS report were:
- 52% of organisations at least partially implement a standard relevant to cyber security, but only 25% implement it fully, and of those businesses only 25% seek external certification of compliance with those standards.
- On average, organisations rated the importance of cyber security certification at 7 out of 10, with 10 representing the highest importance.
- Cost is the main barrier to adopting cyber security standards and to investing in external certification, and organisations see no financial incentive to make that investment.
- Only 35% of organisations plan an increase in cyber security spending
- 48% of organisations implemented new policies to mitigate cyber security risks
- 43% conducted cyber security risk assessments and impact analysis
- 25% of organisations do not consider standards important at all.
In 2013 BIS sought views on a new cyber security standard, and the business groups that responded overwhelmingly supported the ISO27000-series. However, BIS has rejected a straight adoption of those standards because of flaws it has identified in that framework. In this regard, BIS commented, “ISO27000-series of standards have perceived weaknesses in that implementation costs are high and that due to their complexity SMEs sometimes experience difficulties with implementation…the fact that in previous versions businesses were free to define their own scope for which area of their business should be covered by the standard can also make auditing ineffective and inconsistent.” Despite these flaws, the report proposes a new implementation profile based on key ISO27000-series standards, and that this profile will be the government’s preferred standard. So far, BIS has support for the new standard from key industry players including BAE Systems, BT, Lockheed Martin, Ernst & Young, GlaxoSmithKline and the British Bankers’ Association.
To support the new profile standard, the government intends to create an assurance framework under which organisations that pass an audit will be able to state publicly that their cyber risk management satisfies the government’s preferred standard. This will act as a certification that businesses can use to promote themselves and to assure customers and partners that they have achieved a defined level of cyber security.
BIS anticipates the new standard to be launched in early 2014. BIS commented, “This will do more than fill the accessible cyber hygiene gap that industry has identified in the standards landscape…it will be a significant improvement to the standard currently available in the UK. We view the use of an organisation standard for cyber security as enabling businesses and their clients and partners to have greater confidence in their own cyber risk management, independently tested where necessary.”