The UK National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) have signed a joint Memorandum of Understanding (MoU) that sets out how both organisations will cooperate on cybersecurity and digital resilience. This includes cooperation on the development of cybersecurity standards and guidance as well as influencing improvements in the cybersecurity of organisations regulated by the ICO. It also covers information sharing, deconfliction between the NCSC and the Commissioner in relation to incident management, and how the NCSC will support the ICO’s own cybersecurity.

The MoU was signed by NCSC chief executive, Lindy Cameron, and the Information Commissioner, John Edwards. “This new MoU with the Information Commissioner builds on our existing relationship and will boost the UK’s digital security,” said Cameron. “It provides us with a platform and mechanism to improve cybersecurity standards across the board while respecting each other’s remits.”

The ICO already works closely with the NCSC to offer the right tools, advice, and support to businesses and organisations on how to improve their cybersecurity and stay secure. The MoU reaffirms commitments to improve the UK’s cyber resilience, so people’s information is kept safe online from cyberattacks, added Edwards.

Development of cybersecurity standards and guidance

An important component of the NCSC’s standards and guidance is the Cyber Assessment Framework (CAF). “Should the Commissioner wish to use the CAF, NCSC will provide advice on how the CAF is intended to be used and technical support about its application. The Commissioner will provide feedback on its experience of using the CAF to inform its future development,” read the MoU. Where appropriate and practicable, the NCSC will consult with the Commissioner about possible changes to the CAF, provide advance notice of new versions of the CAF to the Commissioner, and discuss in advance public NCSC communications on CAF changes, it added.

The NCSC and ICO will also work together to enhance international cybersecurity guidance and encourage its adoption, the MoU stated. “The NCSC seeks to influence the development of international standards and guidance on cybersecurity in a manner that supports its work with regulators in the UK. Similarly, the Commissioner contributes to international standards and guidance through working with a range of regulatory partners across jurisdictions with the purpose of further international cooperation, including in relation to cybersecurity,” the document read. The Commissioner and the NCSC will inform each other about international developments and opportunities that would support their respective abilities to achieve these outcomes.

Encouraging good cybersecurity practice, continuous improvement in organisations

The Commissioner will encourage good practice and continuous improvement in cybersecurity amongst the organisations it regulates, promoting the application and use of the NCSC’s technical standards and guidance, NCSC accredited training courses, and assurance providers to mitigate cyber risks within organisations, the MoU said. “The Commissioner will continue to take into account how proactive an organisation is on cybersecurity matters and will recognise and encourage appropriate engagement with the NCSC on cybersecurity matters, including the response to cyber incidents.”

The NCSC will also invite the Commissioner to participate in the Cyber Security Regulators Forum hosted by the NCSC, as well as other relevant initiatives, while the Commissioner will aim to support the NCSC in such initiatives and encourage organisations to engage with the NCSC in relevant forums and working groups.

Secure information sharing about cyber incidents

The ICO will support the NCSC’s visibility of UK cyberattacks by sharing information with NCSC about cyber incidents, on an anonymised and aggregate basis, as well as incident specific details where the matter is of national significance, the MoU stated. “For the avoidance of doubt, the NCSC will not share information from an organisation it is engaged with due to a cyber incident with the Commissioner unless it has the consent of the organisation to do so.” Disclosure of such information to the Commissioner, without consent, may be a breach of the duty of the director of GCHQ, according to the MoU.

The NCSC and the Commissioner will also share information to the extent permitted by law, and as appropriate and relevant to their respective missions, statutory functions, and objectives, the document added. “Information that is directly or indirectly supplied to the Commissioner by, or that relates to the NCSC is exempt from Freedom of Information requests received by the Commissioner.” Appropriate security measures shall be agreed to protect information transfers in accordance with the sensitivity of the information and any classification that is applied by the sender.

Where the NCSC and ICO are both engaged on a cyber incident, they will endeavour to deconflict to minimise disruption to an organisation’s efforts to contain and mitigate harm, according to the MoU. In doing so, the Commissioner will seek to enable organisations to prioritise engagement with the NCSC and their partners in the immediate aftermath where that will prioritise mitigative work, it added.

“The NCSC and the Commissioner recognise that the priority for an organisation suffering an incident should be the incident’s remediation and the mitigation of harm to the organisation, its customers, and the UK and its citizens more generally,” the document stated. “Both parties will seek to ensure that their interventions align with this priority and will provide each other with feedback where they view the other’s approach to intervention may have worked against it.”

Where cross government coordination in response to an incident is required, the NCSC will lead coordination in its role as national technical authority. Should the Commissioner intend to issue public communications concerning an incident, it will share with the NCSC such communications in advance. “In respect of a NIS incident that affects a relevant digital service provider (as defined in the NIS Regulations), the NCSC and the Commissioner will consult each other before issuing public communications about an incident.”

NCSC to support ICO’s own cybersecurity

The NCSC will support the ICO’s own cybersecurity through the provision of technical tools and guidance. In some cases, the NCSC may be able to provide consultancy advice to the Commissioner, for example where significant changes are planned that may have implications for cybersecurity. “The Commissioner can expect to receive NCSC support in the event it experiences a serious cybersecurity incident,” the MoU said.