Governments are reacting to increasing cyber threats by introducing various cyber security regulations and standards. Below is a broad, but not exhaustive, list of international cybersecurity policies, regulations and standards.
Regulations
- Defence Standard 05-138, Issue 2 – Cyber Security for Defence Suppliers: applicable to all Ministry of Defence (MOD) procurements, MOD suppliers and their subcontract suppliers that have a relationship to one or more MOD contracts.
- Essential Eight Maturity Model (AU): the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has developed prioritized mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organizations mitigate cyber security incidents caused by various cyber threats. The most effective of these mitigation strategies are known as the Essential Eight.
- European Union Cybersecurity Act: Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (Text with EEA relevance).
- General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- UK Cyber Essentials: Cyber Essentials is a simple but effective, Government-backed scheme that helps you protect your organization, whatever its size, against a whole range of the most common cyber attacks.
- UK Ministry of Defence’s (MOD) DEFCON 658 (Cyber): applies to all suppliers down the supply chain (edition October 2017).
Standards
- European Union Cybersecurity Certification Framework: established by the EU Cybersecurity Act for ICT digital products, services and processes. The European cybersecurity certification framework enables the creation of tailored and risk-based EU certification schemes.
- ISO 22301:2019 – Business Continuity Management Systems: this document specifies requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise.
- ISO/IEC 27001:2013 – Information Security Management Systems – Requirements: specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
- ISO/IEC 27031:2011 – Guidelines for Information and Communication Technology Readiness for Business Continuity: describes the concepts and principles of information and communication technology (ICT) readiness for business continuity, and provides a framework of methods and processes to identify and specify all aspects (such as performance criteria, design and implementation) for improving an organization’s ICT readiness to ensure business continuity.
- ISO/IEC 27032:2012 – Guidelines for Cybersecurity: provides guidance for improving the state of cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains.
- ISO/IEC 27035-1:2016 – Part 1: Principles of Incident Management: the foundation of this multipart International Standard. It presents basic concepts and phases of information security incident management and combines these concepts with principles in a structured approach to detecting, reporting, assessing and responding to incidents, and applying lessons learnt.
- ISO/IEC 27035-2:2016 – Part 2: Guidelines to Plan and Prepare for Incident Response: provides the guidelines to plan and prepare for incident response. The guidelines are based on the “Plan and Prepare” phase and the “Lessons Learned” phase of the “Information security incident management phases” model presented in ISO/IEC 27035‑1.