The Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) recently signed a Memorandum of Understanding (MoU) to establish a framework for cooperation and information sharing between the parties in relation to cyber security.
The MoU sets out the following ways that the parties will work together:
- Cyber security standards and guidance: The parties will work together to develop cyber security guidance. A key focus is on the NCSC’s Cyber Assessment Framework (CAF), which is part of the NCSC’s standards and guidance. Where the ICO wishes to use the CAF, the NCSC will advise the ICO on how it is intended to be used, and the ICO will provide feedback on its experience using the CAF. If the ICO develops a framework which is based on the CAF and it diverges in a material way from the CAF, the parties will discuss and seek to understand and resolve any differences in approach.
- Improvements in cyber security of regulated organisations: The ICO will encourage good practice and continuous improvement in cyber security through its guidance. Its guidance will promote NCSC’s technical standards and guidance and use of their training courses and assurance providers. The NCSC may provide cyber security guidance and assistance to the ICO.
- Information sharing: The parties will share information with each other, which may include but is not limited to (a) the NCSC sharing relevant cyber threat information with the ICO, and (b) the ICO sharing information on cyber security incidents with the NCSC (on a systemic, anonymous, aggregate basis and, where appropriate, on an organisation specific basis). The MoU emphasises that the NSCS will not share information from an organisation with the ICO unless the organisation consents.
- NCSC supporting ICO’s cyber security: The NCSC will provide the ICO with support in relation to the ICO’s own cyber security.
- Deconfliction: Where both parties are engaged in managing a cyber security incident, they will seek to co-ordinate their work to minimise disruptions to the affected organisation’s efforts to contain and mitigate harm.
- Public communication: As far as reasonably practicable, public communications on matters relating to both parties will be agreed in advance.
A copy of the MoU can be found here.