Scottish public sector cyber resilience framework v2.0
Sets out the second iteration of the Scottish public sector cyber resilience framework. The framework supports Scottish public sector organisations in improving their cyber resilience and in complying with a range of requirements.
Footnotes
1. As implemented in the UK Data Protection Act 2018.
2. Note that BS EN ISO/IEC 27001:2017 is a modest revision restricted to Clause 6.1.3 and Annex A clause 8.1. The change to Clause 6.1.3 was a formatting adjustment, separating the required content of a Statement of Applicability from the main paragraph into separate bullets. In A.8.1.1 (Inventory of Assets) the control text changes from:
“Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.” to: “Information, other assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.” Neither change affects the CRF categories. Moreover, certification against the 2017 revision is not possible; all certifications remain against 27001:2013. To quote BSI: “This is not a change from ISO/IEC, it is a regional update that just reflects the acceptance by CEN/Cenelec and has no other modifications requiring your actions. We therefore have no current plans to update certificates to the 2017 version so you will continue to receive an ISO/IEC 27001:2013 certificate at this stage.”
3. NCSC Cyber Essentials: Requirements for IT infrastructure, v. 3.1, 2023, 16pp.
4. Security Guidance for Critical Areas of Focus in Cloud Computing v4.0, 2021, 152pp.
Contact
Email: cyberresilience@gov.scot