Cyber Resilience Framework

In doing so, the Framework seeks to:

• Align with key wider cyber-related requirements under the General Data Protection Regulation (GDPR), the Security of Network and Information Systems (NIS) Directive and other standards;
• As far as possible, minimise any additional burdens on Scottish public sector organisations, including by making clear how the Framework relates to existing standards or requirements, and taking account of these when providing guidance on compliance;
• Provide a clear basis for internal and external audit and inspection activity, promoting greater consistency in the areas and issues covered by audit and inspection bodies when assessing Scottish public sector organisations; and
• Help to provide clarity and assurance to individual organisations, Ministers, the Scottish Parliament and the public that appropriate levels of cyber resilience are in place across the Scottish public sector and its individual subsectors.

Go to Framework

The framework outlines a natural hierarchy of the common cyber security standards, with PSAP/Cyber Essentials as the baseline and the Network and Information Systems Regulations at the advanced level.

The PSAP encouraged all public sector bodies to achieve the baseline by October 2018 and it is anticipated that the majority of public sector bodies will move to achieve the Target stage by the end of 2020.

Key Water and health sector organisations are already working towards the NIS regulations and the Scottish Government expects that a number of other bodies will align themselves with NIS as a sensible and pragmatic approach to managing their cyber risks and threats.