Government Cyber Security Kite Mark vs ISO 27001

Last Thursday (12th December) the British Government issued a statement on the progress against the objectives set out in the UK Cyber Security Strategy.

Unsurprisingly, making cyberspace safer for UK business remains a top priority. In order to achieve that, the Government is said to have been working closely with industry to develop an agreed ‘Organisational Standard’, also referred to as a cyber security kitemark (see “The Telegraph”). Moreover, in order to reinforce this and give the standard a kick-start, the Government will be mandating its use in government procurement.

But is this not slightly confusing?

Firstly, kitemark schemes for services exist for services where there is not already a UKAS-accredited certification scheme. But there is already a UKAS-accredited scheme for ISO27001, so it seems overly costly to create a new certification scheme to go on top of, or replace, an existing internationally recognised scheme. After all, the Government wants to enable companies to trade internationally, so it should be pursuing internationally recognised standards.

Secondly, the Government already requires ISO27001 certification across a broad range of services it obtains from the private sector. Therefore, it is incomprehensible that the Government should be discarding years of work it has done to establish ISO27001 in favour of something that doesn’t yet exist!

It is worth applauding that the Government is putting its shoulder to the wheel in terms of cyber security, but I just wish they were being more sensible about it!