Increasingly, businesses are being asked, as part of pre-qualification, to prove their cyber-resilience in order to win work. The Common Assessment Standard (CAS) establishes an industry-agreed question set based on existing PQ questionnaires (including PAS 91 and corresponding assessment standards). CAS is being adopted throughout the supply chain as a means of homogenising the pre-qualification landscape and providing contractors with a single data repository for their pre-qualification data and systems. Our prediction is that, because the adoption of CAS is accelerating, CAS will inevitably feature increased scrutiny of an organisation’s cyber-resilience, systems, processes and accreditation.
The updated version of the Common Assessment Standard is due to be published on 31 March 2022.
The Government has backed an initiative called “Cyber Essentials” which is designed to help you protect your organisation against a wide range of cyber-attacks.
On 12 May 2021, the National Cyber Security Council (NCSC) published the Cyber Essentials Readiness Toolkit. This is designed to help businesses meet the Cyber Essentials requirements for certification.
In January 2022, the NCSC announced that it had updated its Cyber Essentials scheme with changes that cover the use of cloud services, home working, password management and security updates.
In February 2022, the NCSC published construction-specific guidance on issues affecting the industry. This guidance offers tailored, practical advice for construction businesses on how to protect themselves and their building projects at each stage of construction, from design to handover. It explores the most common cyber threats faced by the industry including, without limitation, spear-phishing, ransomware and supply chain attacks.
The new guidance is split into two parts: the first is aimed at helping business owners and managers understand why cyber security matters; the second advises staff responsible for IT equipment and services within construction companies on the actions to take. The advice also outlines seven steps for boosting resilience, covering topics including creating strong passwords; backing up devices; how to avoid phishing attacks; collaborating with partners and suppliers; and preparing for and responding to incidents. Further information on these recent changes can be viewed in Frequently Asked Questions.
ECA recommends that you review NCSC’s press release on actions UK organisations can take to strengthen their cyber security resilience. These actions are set out in the recently published guidance on the NCSC website.