Consultation outcome

Cyber security organisational standards: call for evidence

This consultation was published under the 2010 to 2015 Conservative and Liberal Democrat coalition government

This consultation has concluded

Detail of outcome

Businesses said that cyber security standards need to:

  • be internationally recognised
  • promote international trade
  • allow systems to exchange and use information
  • be auditable, like those in the ISO27000-series

Businesses also said we should balance compliance-based and outcome-based standards, whilst helping companies implement the right parts of a standard in the right parts of their business. This is what the Information Assurance for Small and Medium-sized Enterprises (IASME) and the Information Security Forum’s (ISF) ‘Standard of Good Practice’ offer.

Government will now work with industry to develop a new implementation profile, based on ISO27000-series standards.

The ‘UK Cyber Security Standards Research’ report provides a clearer overview of cyber security standards, and current and potential uptake.

Original consultation

This consultation ran from to


Seeks evidence to select and endorse an organisational standard that best meets the requirements for effective cyber risk management.


Consultation description

The government intends to select and endorse an organisational standard that best meets the requirements for effective cyber risk management. There are currently various relevant standards and guidance, which can be confusing for organisations, businesses and companies that want to improve their cyber security. We aim to offer clarity to the private sector, based on the standard that we select and choose to promote.

On 30 April 2013 we published a guidance document and a response form to help organisations and groups prepare their evidence for submission.

Cyber security strategy and standards

Government published its ‘Cyber security strategy’ in November 2011. This set out our intentions to encourage industry-led standards and guidance for organisations to manage the risk to their information, and to encourage companies that are good at managing information risk to make this a selling point for their business. This call for evidence, and our subsequent selection of a preferred standard, will help businesses identify what good cyber risk management looks like and select which organisational standard to invest in.

Further information

For further information on particular aspects of this call for evidence, contact us at