
NIS 2 and the Cyber Security & Resilience Bill 2025 – What it means for Information Security and ISO 27001

The publication in 2025 of the Cyber Security and Resilience Bill will have implications for ISO 27001:2022 information security management and for the wider compliance considerations of organisations.

The new bill is intended to update the UK’s NIS Regulations 2018, which cover network and information systems, to align them more closely with the EU’s NIS 2 Directive.

The bill is intended to enhance the UK’s cyber defences and ensure that critical infrastructure and digital services are better protected.

Key updates include:

  • Expanding the scope of regulations to cover more digital services and supply chains.
  • Strengthening the role of regulators such as the Information Commissioner’s Office (ICO) to ensure essential cybersecurity measures are implemented.
  • Increased incident reporting requirements to improve our understanding of cyber threats.

These changes are seen as essential if we are to address evolving cyber threats and ensure resilience in our digital economy.

For those considering the impact on management systems such as ISO 9001, bringing external providers, particularly IT and other managed service providers (MSPs), into scope could be relevant. IT providers in particular have unprecedented access to our information systems, networks, infrastructure and data, and the new cyber law is undoubtedly going to increase the number of such providers included.

The bill will define MSPs and the expected characteristics of such companies, but it is likely to include those whose services include:

  • IT infrastructure and applications management
  • IT remote support
  • Managed security services
  • Managed service operations centres
  • Security information and event management
  • Incident response, threat and vulnerability management
  • Relevant business process outsourcing

The ICO will act as the regulator and will regulate MSPs through enhanced information gathering, investigation and enforcement powers.

With increased levels of ransomware threat, the risk to supply chains is greater than ever. Whilst the legislation will focus on critical suppliers in essential services, it may be worth looking at your own supply chain, including an assessment of information security planning that encompasses controls and disruption. Guidelines and best practice continue to be provided by the National Cyber Security Centre (NCSC).

For further information on ISO 27001 Information Security Management and on consideration of information security in your supply chain, we welcome feedback and discussion as always. Our consultants can help; if you have an enquiry or wish to seek support, contact the team now through our website, www.qcsl.co.uk.
