UK government sets minimum standards for cybersecurity

UK government departments must record which “security related responsibilities” lie with them and which with their suppliers when outsourcing services, according to new cybersecurity standards that have been mandated.

The new ‘minimum cybersecurity standard’ (7-page / 382KB PDF) was published by the Cabinet Office.

The new standards address a number of areas, including specifying measures departments must put in place to protect their business technology, end user devices, email and digital services from exploitation of known vulnerabilities.

Commenting on the news are the following security professionals:

Javvad Malik, security advocate at AlienVault:

“Unfortunately, many government departments lack the funding or expertise to implement even a baseline set of security controls. With that in mind, this minimum cybersecurity standard is a positive move that will hopefully raise the bar consistently across government departments and organisations.

While ideal, it is probably not feasible to force this across all organisations outside of government bodies, but it could be used as a baseline for third parties wanting to do business with government departments. 

A good next step would be to extend the scope of minimum cybersecurity standards to apply to vendors, particularly IoT or smart device manufacturers.”


Martin Jartelius, CSO at Outpost24:

“This is a great step and a positive change. We have regulations for health and safety at work, and the financial industry is littered with rules and regulations for the protection of customer data. Soft regulations, including the GDPR, work in a similar fashion to put some degree of basic controls in place.

IT is a crucial part of any business so by defining and setting a baseline or best practices via regulatory control, it sends a strong signal and prompts businesses to improve their security awareness.

The success or failure of this mandate will depend on the implementation. The danger is whether this becomes another compliance ‘checkbox’, where the regulation does set a clear baseline or bare minimum requirement, resulting in organizations doing as little as possible to be compliant, rather than to become secure.”