10 Oct 2023
by Isabel Forkin

GovAssure and the UK cyber security strategy

Guest blog by Isabel Forkin, Principal Consultant, Digital Trust, Consulting Services at BSI #techUKCyber2023

Visit BSI's Experts Corner: Home for insights from BSI’s practice directors and industry experts on digital trust, environmental, health, safety, security, and sustainability.

25 May, 2023 - In January 2022, the U.K. government published the Government Cyber Security Strategy, which covers 2022 through to 2030. Its purpose is to strengthen the resilience of government organisations against cyber attack so that the essential functions of the state keep working, and with them the U.K.'s standing as a sovereign nation.

Build resilience with GovAssure

An essential element of the Government Cyber Security Strategy is GovAssure, a scheme that gives central government a clearer view of the security and resilience capabilities of government organisations, so that those organisations can better protect themselves from hostile threats. GovAssure uses the Cyber Assessment Framework (CAF) developed by the National Cyber Security Centre (NCSC), which comprises four high-level objectives and 14 principles. The four objectives are:

  • A: Managing security risk
  • B: Protecting against cyber attack
  • C: Detecting cyber security events
  • D: Minimising the impact of cyber security incidents

Across the four objectives there are 39 contributing outcomes, and each is associated with a set of indicators of good practice (IGPs), arranged in three columns:

  • Achieved: every indicator in this column must apply for the outcome to be assessed as achieved.
  • Partially achieved: this column is not present for every outcome. Where it is, meeting it should deliver specific, worthwhile cyber security benefits rather than a token improvement.
  • Not achieved: normally, a single indicator in this column applying is enough for an assessment of not achieved, whatever else is in place.

The GovAssure scheme requires organizations to review each IGP against their critical systems and state whether it applies. Every response must carry a justification and evidence that the activity is implemented in practice, not just documented. The responses are then validated by an independent third party, which keeps results consistent across departments and supports a collaborative, standardised approach. Departments must also plan the activities needed to close any gap between the target level and the level actually documented.

Follow a strategy

Whilst that sounds straightforward in theory, the reality becomes complicated very quickly when applied to a large governmental department. The key to this process is identifying the correct stakeholders and ensuring that the resources are made available as needed for each of the critical services. The work should be set up as a formal project with milestones as well as a management sponsor to help drive it.

This is the first stage of an ongoing process. Where evidence is not available or a control is not implemented, the gap is recorded on a non-compliance list for remediation.
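The assessment rule in the three IGP columns above, together with the requirement that every positive response carries a justification and evidence, can be encoded so that outcomes are scored the same way for every system and the non-compliance list falls out of the responses automatically. The following is an added example, not BSI's, techUK's or the NCSC's code. The outcome references follow the CAF numbering style (for example B2.a), but the indicator wording, responses and evidence file names are constructed placeholders, not the real CAF tables.

```python
"""Scoring a CAF contributing outcome against its indicators of good
practice (IGPs) and building the non-compliance list.

Added example, not BSI's, techUK's or the NCSC's code. The outcome
references follow the CAF numbering style, but the indicator wording,
responses and evidence below are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Level(Enum):
    NOT_ACHIEVED = 0
    PARTIALLY_ACHIEVED = 1
    ACHIEVED = 2


@dataclass
class Indicator:
    column: Level                  # IGP column the statement sits in
    text: str                      # the IGP statement
    met: bool                      # does the statement describe us today?
    justification: str = ""        # required for every response
    evidence: list = field(default_factory=list)  # artefacts a validator can inspect


@dataclass
class Outcome:
    ref: str                       # e.g. "B2.a"
    indicators: list


def assess(outcome):
    """CAF rule: one applicable 'not achieved' IGP means not achieved;
    every 'achieved' IGP applying means achieved; otherwise partially
    achieved only if that column exists and every IGP in it applies."""
    cols = {lvl: [i for i in outcome.indicators if i.column is lvl] for lvl in Level}
    if any(i.met for i in cols[Level.NOT_ACHIEVED]):
        return Level.NOT_ACHIEVED
    if cols[Level.ACHIEVED] and all(i.met for i in cols[Level.ACHIEVED]):
        return Level.ACHIEVED
    partial = cols[Level.PARTIALLY_ACHIEVED]
    if partial and all(i.met for i in partial):
        return Level.PARTIALLY_ACHIEVED
    return Level.NOT_ACHIEVED


def unsupported_claims(outcome):
    """Positive responses with no justification or no evidence. These are
    what independent validation will reject, so flag them before submission."""
    return [i.text for i in outcome.indicators
            if i.met and i.column is not Level.NOT_ACHIEVED
            and (not i.justification or not i.evidence)]


def gap_list(outcomes, target=Level.ACHIEVED):
    """Non-compliance list: each outcome below the target level, with the
    'achieved' IGPs still unmet and any 'not achieved' IGPs that apply."""
    gaps = []
    for o in outcomes:
        result = assess(o)
        if result.value >= target.value:
            continue
        gaps.append({
            "ref": o.ref,
            "result": result.name,
            "unmet_achieved": [i.text for i in o.indicators
                               if i.column is Level.ACHIEVED and not i.met],
            "applicable_not_achieved": [i.text for i in o.indicators
                                        if i.column is Level.NOT_ACHIEVED and i.met],
        })
    return gaps


# Constructed sample responses for three outcomes (placeholder wording, not CAF text).
SAMPLE = [
    Outcome("B2.a", [
        Indicator(Level.NOT_ACHIEVED, "Shared or unmanaged accounts can reach the system",
                  met=False, justification="Joiner/leaver process covers all accounts",
                  evidence=["IAM-policy-v3.pdf"]),
        Indicator(Level.PARTIALLY_ACHIEVED, "Privileged access is restricted to named individuals",
                  met=True, justification="PAM tool enforces named admin accounts",
                  evidence=["pam-export-2023-05.csv"]),
        Indicator(Level.ACHIEVED, "All privileged access requires multi-factor authentication",
                  met=False, justification="MFA rollout to legacy admin consoles not complete"),
    ]),
    Outcome("A2.a", [
        Indicator(Level.NOT_ACHIEVED, "Risks to the service are not recorded", met=False,
                  justification="Register maintained", evidence=["risk-register.xlsx"]),
        Indicator(Level.ACHIEVED, "Risks are assessed and reviewed on a defined cycle", met=True,
                  justification="Quarterly review by service owner", evidence=["risk-review-minutes"]),
        Indicator(Level.ACHIEVED, "Risk assessment informs security decisions", met=True,
                  justification="Risk IDs cited in change records", evidence=["change-0412"]),
    ]),
    Outcome("C1.a", [
        Indicator(Level.NOT_ACHIEVED, "Security alerts are not reviewed", met=True,
                  justification="No SOC coverage for this service yet", evidence=["gap-register-17"]),
        # Ticked "achieved" with nothing behind it: a validator will reject this.
        Indicator(Level.ACHIEVED, "Alerts are triaged within a defined time", met=True),
    ]),
]

if __name__ == "__main__":
    for o in SAMPLE:
        print(o.ref, assess(o).name, "unsupported:", unsupported_claims(o))
    for gap in gap_list(SAMPLE):
        print(gap)
```

Two points worth noting: an outcome without a partially achieved column drops straight to not achieved when any achieved-column IGP is unmet, which is exactly the behaviour the bullets describe; and `unsupported_claims` catches the common failure of ticking an IGP as met without attaching the justification and evidence the validator will ask for.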

Tips and recommendations

Tips and recommendations for completing the process as efficiently and quickly as possible include:

  • Take time to fully understand the scope of the critical systems. This makes the responses to the IGPs more straightforward.
  • Ensure that any centralised controls (e.g., governance) are documented before requesting local-level or technology-specific responses. This prevents the same work being repeated for every system.
  • Provide a series of example responses and evidence tailored to your department's systems and terminology. This makes the process smoother and the responses more consistent across departments.
  • Use the process to highlight known issues and risks. The scheme should be seen as a tool to get more support to close gaps and remediate vulnerabilities.

The purpose of the initial GovAssure work is to provide the Cabinet Office’s Government Security Group (GSG) with greater visibility of the common cyber security challenges facing government. Therefore, the key is to provide an accurate view of the status so the risks can be properly understood and prioritised.

Learn more about BSI Digital Trust’s cyber risk advisory and compliance services. Follow along with other digital trust, environmental, health, safety, and supply chain topics that should be at the top of your list at BSI’s Experts Corner.


techUK’s Cyber Security Week 2023 #techUKCyber2023

The Cyber Programme team are delighted to be hosting our annual Cyber Security Week between 9-13 October.


Author

Isabel Forkin

Principal Consultant, Digital Trust, Consulting Services, BSI