Digital economy

Critical information infrastructures protection (CIIP)


Return to > Information security and privacy  > Security

Short address for this page:


The OECD Council Recommendation on the Protection of Critical Information Infrastructures provides a high level policy framework for the development of a national policy and international co-operation for CIIP.

The Recommendation reflects a shared understanding of the concept of Critical Information Infrastructures (CII) and of how national CII are identified across countries. It calls for the introduction and maintenance of effective policy frameworks to implement the OECD Security Guidelines in relation to the protection of CII and makes recommendations with respect to the protection of CII at the domestic level and across borders.

The Recommendation focuses on how governments should demonstrate leadership and commitment regarding CIIP, manage risks to CII and work in partnership with private sector. It also calls for bilateral and multilateral cooperation at regional and global levels, for example to share knowledge and experience, develop a common understanding and share information.

This Recommendation builds on the findings of a comparative analysis of policies in seven OECD countries in 2006-2007. At that time, the concept of CII was emerging and there was no agreement across countries on what it meant. Some countries did not even use these terms at all. The comparative analysis helped develop a shared understanding of the concept.

The report also analysed commonalities and differences across countries in areas such as how the policies are developed, what they include, risk management practices, strategies to mitigate vulnerabilities and monitor threats, roles and responsibilities, cross-border co-operation, public-private co-operation and information sharing at international level.

Work in this area is carried out by the Working Party on Information Security and Privacy (WPISP) of the Committee for Information, Computers and Communications Policy (ICCP).


See also:

2002 OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security ("Security Guidelines")


Related Documents