|||On 17 September 2015 the OECD Council adopted the Recommendation on Digital Security Risk Management, which replaces the 2002 Guidelines|
In December 2013, the OECD Committee on Digital Economy Policy (CDEP, formerly ICCP) agreed to revise the 2002 Recommendation of the Council concerning Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (Security Guidelines). It also agreed to start its review of the Recommendation on the Protection of Critical Information Infrastructures in December 2014.
In 1992, the OECD developed the first Security Guidelines to foster confidence in information systems. In 2002, these Guidelines were revised to help policy makers foster security of information systems and networks for economic and social prosperity in an open and interconnected technical environment. Building on more than 20 years of OECD experience, the current revision aims to take into account changes since 2002, including:
The 2002 Security Guidelines target national public policy makers in charge of cybersecurity strategies, as well as leaders of public and private organisations whose economic and social activities rely on the digital environment.
The revision was carried out by the OECD Working Party on Security and Privacy in the Digital Economy (SPDE, formely WPISP, which reports to the OECD CDEP) throughout 2014.
The process involved all delegations from OECD member countries, international and regional organisations, business (through the Business and Industry Advisory Committee to the OECD, BIAC), civil society (through the Civil Society Information Society Advisory Council, CSISAC), and the technical community (through the Internet Technical Community Advisory Committe, ITAC).
To prepare the revision, the OECD carried out in 2013 a broad multistakeholder consultation of experts from OECD members and non-members (see the Terms of Reference adopted in November 2012). An expert group developed and discussed proposals in view of the development of proposals for revising the Guidelines.This expert group included policy experts from:
The Secretariat developped several papers which were discussed by the group through an electronic platform. In addition, the group met informally in the course of 2013: on 8 April in Paris, on 7 June in Brussels (agenda) and on 10 December 2013 in Paris. Input to the process was also provided through:
The “Security Guidelines” is a Recommendation of the OECD Council. It is a non-binding instrument of the Organisation which represents the political will of Member countries. OECD Recommendations have a great moral force as there is an expectation that Member countries will do their utmost to fully implement them. The database of OECD instruments includes all other Recommendations adopted by the organisation in various areas.
Since 1992, the OECD has been developing policy analysis and recommendations to address security as a fundamental requirement for ICTs to contribute to economic and social development. The adoption of the 2002 Security Guidelines, which superseded Guidelines adopted in 1992, helped policy makers approach security in an open and interconnected technical environment. A separate paper explains the Role of the 2002 Security Guidelines: Towards Cybersecurity for an Open and Interconnected Economy.
Although OECD Recommendations are aimed at governments, the high level principles of the 2002 Security Guidelines can be used both by governments to develop policy frameworks and by public and private organisations as a first building block to develop their security policy.
The Security Guidelines are a widely recognised international policy standard. The United Nations General Assembly adopted a resolution based on their principles in 2003 (UN A/RES/57/239). The Guidelines were also reflected in various regional organisations such as the European Council Resolution on a European Approach towards a culture of network and information security and the Asia-Pacific “Strategy to Ensure Trusted, Secure and Sustainable Online Environment” (APEC, 2005). More information can be found in this document. Finally, the Guidelines' principles are annexed to ISO 27001 Information Security Management System standard which "provides a robust model for implementing the principles in those Guidelines".
For more information, please contact email@example.com