Privacy & Information Security Law Blog

On November 28, 2013, the UK government published a paper in response to its March 2013 consultation on cybersecurity standards (“Response Paper”), and announced that it will create a new cybersecurity standard. The original consultation concluded in October 2013.

UK Consultation
The consultation focused primarily on assessing the suitability of existing cybersecurity standards (such as the IASME standards and the ISO 27000-series standards) for use by businesses and government agencies. The consultation sought input from businesses, standards bodies, law firms and other interested parties. The consultation concluded that no existing standard is suitable because all of the existing standards have perceived weaknesses, including complexity, high costs and implementation difficulties.

Government Response Paper
The Response Paper explains that the UK government will now work with cybersecurity industry representatives to develop a new standard to serve as the government’s preferred cybersecurity standard. This new standard will be largely based upon key ISO 27000-series standards and will focus on basic cyber hygiene. It is intended to be a “significant improvement” over existing standards, and will provide a simple framework that can be implemented by small and medium enterprises. At this stage, it is not clear what requirements the new standard will include, or whether it will appeal to larger businesses.

According to the Response Paper, the UK government aims to publish the new standard by early 2014. Once implemented, the new standard will enable businesses that conform to the standard to publish a “badge” on their websites and in their promotional materials, indicating that they have achieved a certain level of cybersecurity. It remains to be seen whether there will be significant interest in adopting this standard outside of government departments.

View the UK government’s existing cybersecurity guidance.