The OECD is launching a broad multistakeholder consultation including OECD members and non-members to review its 2002 Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (Security Guidelines).
The Security Guidelines address security as an enabler for Information Technologies (IT) and the Internet to foster economic prosperity and social development.
Their adoption in 2002 marked a switch from a “risk avoidance” model for the security of previously isolated and siloed information systems to a risk assessment and management approach, which makes it possible to harness the economic and social benefits of an open and interconnected IT environment.
Ten years later, the context has considerably evolved:
- ICTs and the Internet are an essential platform for innovation, new sources of growth and social development. They also support critical infrastructures and have become vital for the functioning of the society and the economy.
- The threat landscape has changed, both in scale and in kind, with more sophisticated actors, cyberespionage, and other sorts of economic and social disruptions.
- Trends such as digital mobility, cloud computing, “bring your own device” (BYOD), social networks and the Internet of things have blurred the perimeter of information systems.
- To respond to all these challenges, governments are adopting a new generation of cybersecurity strategies which elevate the priority of cybersecurity and holistically encompass economic and social objectives of security with aspects related to sovereignty such as international security, intelligence and military issues.
Objective of the review
The review will assess whether the high level principles of the 2002 Guidelines are still sufficient to help participants address security challenges posed to the further development of the Internet economy.
According to the Terms of Reference adopted in November 2012, the review will aim to:
- Update and strengthen the Guidelines to enhance their impact while preserving their internal coherence and overall logic, and their high level and technology neutral nature.
- Develop guidance for government policy making and international co-operation in the area of cybersecurity for the Internet economy, based on the findings of the OECD comparative analysis of national cybersecurity strategies. This guidance will aim to facilitate the application of the Guidelines’ principles.
- Explore the value of integrating the 2008 Recommendation for the Protection of Critical Information Infrastructures into the Security Guidelines.
- Develop explanatory text to accompany the Guidelines’ principles, facilitate their interpretation by all stakeholders and improve their impact.
Participating in the consultation and global cybersecurity dialogue
This review is carried out by the OECD Working Party on Information Security and Privacy (WPISP) for the Committee for Information, Computer and Communications Policy (ICCP).
The OECD recognises that the development of the Internet economy and its contribution to prosperity is a global challenge that concerns all actors of society.
Therefore, the first phase of the review consists of a one-year consultation during which an expert group will develop and discuss proposals to inform the Secretariat of the WPISP, in view of the development of possible proposals for revising the Guidelines, as appropriate.
This expert group includes policy experts from:
- Governments, business, civil society, the Internet technical community and academia. Experts from all sectors of the economy and society are welcome (see the flyer targeting business audiences).
- OECD member and non-member economies.
The expert group will:
- Work electronically by reacting to Secretariat papers and submitting proposals to the Secretariat.
- Meet informally in the course of 2013. One meeting took place on 8 April 2013 in Paris. The next event related to the consultation took place on 7 June, in Brussels, alongside the EU Cybersecurity Forum. Another one is planned on 10 December 2013 in Paris. In addition, a workshop is planned to be organised in the fall. Participation in the meetings is not required to participate in the expert group.
For information on the consultation, please contact the Secretariat (laurent dot bernat at oecd dot org, +33 1 45 24 93 83).
What are the Security Guidelines?
The “Security Guidelines” is a Recommendation of the OECD Council. It is a non-binding instrument of the Organisation which represents the political will of Member countries. OECD Recommendations have a great moral force as there is an expectation that Member countries will do their utmost to fully implement them. The database of OECD instruments includes all other Recommendations adopted by the organisation in various areas.
Since 1992, the OECD has been developing policy analysis and recommendations to address security as a fundamental requirement for ICTs to contribute to economic and social development. The adoption of the 2002 Security Guidelines, which superseded Guidelines adopted in 1992, helped policy makers approach security in an open and interconnected technical environment. A separate paper explains the Role of the 2002 Security Guidelines: Towards Cybersecurity for an Open and Interconnected Economy.
Although OECD Recommendations are aimed at governments, the high level principles of the Security Guidelines can be used both by governments to develop policy frameworks and by public and private organisations as a first building block to develop their security policy.
The Security Guidelines have served as a widely recognised international policy standard. The United Nations General Assembly adopted a resolution based on their principles in 2003 (UN A/RES/57/239). The Guidelines were also reflected in various regional organisations, such as the European Council Resolution on a European Approach towards a culture of network and information security and the Asia-Pacific “Strategy to Ensure Trusted, Secure and Sustainable Online Environment” (APEC, 2005). More information can be found in this document. Finally, the Guidelines' principles are annexed to the ISO 27001 Information Security Management System standard, which "provides a robust model for implementing the principles in those Guidelines".
For more information, please contact laurent dot bernat at oecd dot org, +33 1 45 24 93 83.