IT service providers could be forced to follow new cyber security rules such as the NCSC’s Cyber Assessment Framework, as part of the government’s proposed plan to help boost cyber security within the UK’s digital supply chains.
The NCSC’s Cyber Assessment Framework details the following eight requirements for IT service providers.
1. Provide a suitable framework to assist in carrying out cyber resilience assessments
2. Maintain the outcome-focused approach of the NCSC cyber security and resilience principles and discourage assessments being carried out as tick-box exercises
3. Be compatible with the use of appropriate existing cyber security guidance and standards
4. Enable the identification of effective cyber security and resilience improvement activities
5. Exist in a common core version which is sector-agnostic
6. Be extensible to accommodate sector-specific elements as may be required
7. Enable the setting of meaningful target security levels for organisations to achieve, possibly reflecting a regulator view of appropriate and proportionate security
8. Be as straightforward and cost-effective to apply as possible
Other proposals include new procurement rules to ensure the public sector buys services from firms with good cyber security and plans for improved advice and guidance campaigns to help businesses manage security risks.
Minister for Media, Data and Digital Infrastructure, Julia Lopez, said: “Today we are taking the next steps in our mission to help firms strengthen their cyber security and encouraging firms across the UK to follow the advice and guidance from the NCSC to secure their businesses’ digital footprint and protect their sensitive data.”