‌‌	On 17 September 2015 the OECD Council adopted the Recommendation on Digital Security Risk Management, which replaces the 2002 Guidelines

"Guidelines for the Security of Information Systems and Networks:
Towards a Culture of Security"

Objective - Process - Preparatory process - What are the Security Guidelines - Contact - See also

In December 2013, the OECD Committee on Digital Economy Policy (CDEP, formerly ICCP) agreed to revise the 2002 Recommendation of the Council concerning Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (Security Guidelines). It also agreed to start its review of the Recommendation on the Protection of Critical Information Infrastructures in December 2014.

 

Objective of the revision

In 1992, the OECD developed the first Security Guidelines to foster confidence in information systems. In 2002, these Guidelines were revised to help policy makers foster security of information systems and networks for economic and social prosperity in an open and interconnected technical environment. Building on more than 20 years of OECD experience, the current revision aims to take into account changes since 2002, including:

• ICTs and the Internet becoming an essential platform for innovation, new sources of growth and social development. They also support critical infrastructures and have become vital for the functioning of society and the economy.
• The threat landscape changing, both in scale and in kind, with more sophisticated actors, cyberespionage, and other sorts of economic and social disruptions.
• Trends such as digital mobility, cloud computing, “bring your own device” (BYOD), social networks and the Internet of things, blurring the perimeter of information systems.
• To respond to these challenges, governments are adopting a new generation of national cybersecurity strategies which elevate the priority of cybersecurity and holistically encompass economic and social objectives of security with sovereignty aspects such as international security, intelligence and military issues.

The 2002 Security Guidelines target national public policy makers in charge of cybersecurity strategies, as well as leaders of public and private organisations whose economic and social activities rely on the digital environment.

 

Revision process

The revision was carried out by the OECD Working Party on Security and Privacy in the Digital Economy (SPDE, formely WPISP, which reports to the OECD CDEP) throughout 2014.

The process involved all delegations from OECD member countries, international and regional organisations, business (through the Business and Industry Advisory Committee to the OECD, BIAC), civil society (through the Civil Society Information Society Advisory Council, CSISAC), and the technical community (through the Internet Technical Community Advisory Committe, ITAC).

 

Preparatory process

To prepare the revision, the OECD carried out in 2013 a broad multistakeholder consultation of experts from OECD members and non-members (see the Terms of Reference adopted in November 2012). An expert group developed and discussed proposals in view of the development of proposals for revising the Guidelines.This expert group included policy experts from:

• Governments, business, civil society, the Internet technical community and academia (see the flyer targeting business audiences).
• OECD member and non-member economies.

‌‌‌‌ Download the documents seperately: Terms of Reference for the Review of the 2002 Security Guidelines The Role of the 2002 Security Guidelines Cybersecurity Policy Making at a Turning Point

The Secretariat developped several papers which were discussed by the group through an electronic platform. In addition, the group met informally in the course of 2013: on 8 April in Paris, on 7 June in Brussels (agenda) and on 10 December 2013 in Paris. Input to the process was also provided through:

• The OECD-APEC Symposium on the Management of Digital Security Risk in the Internet Economy which took place in the context of the 48th meeting of APEC Telecommunications and Information Working Group (TEL) in Hawaii, United States.
• A session on “Cybersecurity, searching for a common understanding” organised by ISOC at the first WSIS+10 review meeting hosted by UNESCO in Paris (27 February 2013), and
• The Internet Governance Forum in Bali, Indonesia (22-25 October 2013) where the Secretariat and ISOC co-organised a workshop on “Cybersecurity: throwing out preconceptions”,
• Informal bilateral discussions with various experts.

 

What are the Security Guidelines?

The “Security Guidelines” is a Recommendation of the OECD Council. It is a non-binding instrument of the Organisation which represents the political will of Member countries. OECD Recommendations have a great moral force as there is an expectation that Member countries will do their utmost to fully implement them. The database of OECD instruments includes all other Recommendations adopted by the organisation in various areas.

Since 1992, the OECD has been developing policy analysis and recommendations to address security as a fundamental requirement for ICTs to contribute to economic and social development. The adoption of the 2002 Security Guidelines, which superseded Guidelines adopted in 1992, helped policy makers approach security in an open and interconnected technical environment. A separate paper explains the Role of the 2002 Security Guidelines: Towards Cybersecurity for an Open and Interconnected Economy. 

Although OECD Recommendations are aimed at governments, the high level principles of the 2002 Security Guidelines can be used both by governments to develop policy frameworks and by public and private organisations as a first building block to develop their security policy.

The Security Guidelines are a widely recognised international policy standard. The United Nations General Assembly adopted a resolution based on their principles in 2003 (UN A/RES/57/239). The Guidelines were also reflected in various regional organisations such as the European Council Resolution on a European Approach towards a culture of network and information security and the Asia-Pacific “Strategy to Ensure Trusted, Secure and Sustainable Online Environment” (APEC, 2005). More information can be found in this document. Finally, the Guidelines' principles are annexed to ISO 27001 Information Security Management System standard which "provides a robust model for implementing the principles in those Guidelines".

 

Contact

For more information, please contact laurent.bernat@oecd.org

 

See also:

• OECD-APEC Symposium on the Management on Digital Security Risk in the Internet Economy (2013)
• Terms of Reference for the Review of the 2002 Security Guidelines (2012)
• Cybersecurity Policy Making at a Turning Point. Analysing a New Generation of National Cybersecurity Strategies (2012)
• 2002 Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (2002)
• Flyer for the 2002 Security Guidelines consultation.
• Critical Information Infrastructures (CIIP)