The standards cover eight key areas:
Strategy & Framework: Effective cyber framework arrangements should be in place to establish, implement and review the approach to managing cyber risk.
Governance: There need to be appropriate lines of accountability, responsibility and cultural buy-in at all levels of an organisation regarding cyber resilience.
Risk Identification: To mitigate new risks, in addition to monitoring existing ones, processes and business functions should be reviewed and updated regularly.
Protection / Controls: It is important to continuously evolve protection measures, such as security controls, systems and processes (including behavioural monitoring), to keep pace with market developments.
Monitoring & Detection: Strong detection controls and standards should be in place that are proportionate to the organisation’s relative size, systemic importance, risk tolerance and threat landscape.
Response & Recovery: Strategies should ensure that critical systems can be restored to full operation as soon as practicable, acknowledging conditions will vary.
Information Sharing: Organisations should seek to proactively share experiences, knowledge and expertise, and to cooperate and collaborate through industry groups, such as the WFE’s GLEX working group (see below).
Testing, Situational Awareness, Learning & Evolving: Arrangements must evolve with the changing threat landscape.