Incyder news


08 April 2013


OECD Reviewing Its Security of Information Systems and Networks Guidelines

The Organisation for Economic Co-operation and Development (OECD) is reviewing its 2002 Guidelines for the Security of Information Systems and Networks, in order to help to address cyber security challenges in the developing internet economy.

The OECD focuses on various security-related issues, including confidence-building measures, policing strategies and counter-terrorism.1 In the domain of cyber security, the OECD is carrying out research in privacy, digital identity, and other aspects of the internet economy, as well as the protection of critical information infrastructure.

The most prominent products of the OECD’s work in cyber security are the 2002 Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security which are intended to address security as an enabler for Information Technologies (IT) and the internet as a tool to foster economic prosperity and social development.2 The Guidelines are in the format of OECD Council Recommendations and are therefore a non-binding instrument expressing the common viewpoint of the OECD’s members. Although in principle aimed at governments, the Guidelines can also be used by other public and private entities in developing their security policies.

In 2002, the adoption of the Guidelines represented a shift in OECD’s policy from the ‘risk avoidance’ model that had addressed the previously more isolated information systems; this had grown into a risk assessment and management approach which pays more attention to harnessing the economic and social benefits of an open and interconnected IT environment.3 As such, the Guidelines serve as an example for many similar documents and form the basis for most of the work of the OECD in the area of security.4

The review

Terms of reference for the review of the Guidelines were adopted in November 2012. The review will be carried out by the OECD Working Party on Information Security and Privacy (WPISP) for the Committee for Information, Computer and Communications Policy (ICCP), starting with a one-year consultation process.5 An expert group will propose ways to develop the Guidelines in the context of emerging security challenges and will also include guidance for government policy-making and international co-operation on cyber security and an explanatory text to accompany the Guidelines’ principles, as well as possibly integrating the 2008 Recommendation for the Protection of Critical Information Infrastructures into the revised Security Guidelines.6

To some extent, the review is building on the recent OECD comparative analysis of national cyber security strategies, which identified several concepts missing from the 2002 Guidelines such as ‘resilience’ and ‘real-time’.7