The key innovative factor of the project was the extensive collaboration that occurred in delivering this project. Rather than the NCSC creating this document itself in a vacuum, it took a whole-of-government approach that brought together 13 Government Departments and agencies in order to ensure that the framework met their needs and was compatible with the realities of working at the “coalface” of defending public ICT systems.

The breath of Departments and Agencies and the depth of expert knowledge in the steering group ensured the work was informed by appropriate technical expertise for the establishment and delivery of the Irish Cyber Security Baseline Standard and fit for purpose in Ireland's Public Administration.

The Cyber Security Standards have been published and Public Service Bodies are using this framework to address effectively the multiple public sector ICT challenges and to improve the resilience and security of public sector IT systems. A simple measure in the National Cyber Security Strategy has been developed into an entire cyber security framework and a network of motivated cyber security professionals within the public sector. There have been numerous examples of the Cyber Security Baseline Standards being adopted by both Public Sector Bodies and private organisations. The project also involved the creation of the Government Cyber Security Coordination and Response (CORE) Network which is a group of senior cybersecurity and ICT professionals throughout the public service to collaborate and share information on cyber security issues.

The "Whole of Government" approach brought together 13 Government Departments and Agencies in order to ensure that the framework met their needs and was compatible with the realities of working at the “coalface” of defending public ICT systems. By having the Department of Social Protection chair the group and not the National Cyber Security Centre, it created a sense of ownership for the project as being a “Whole of Government” and collaborative effort of all involved.

There are over 800 Public Service Bodies in Ireland using this framework to address effectively the multiple public sector ICT challenges and to improve the resilience and security of public sector IT systems. In addition, the establishment of the Government CORE Network shares information, best practice and cyber threat intelligence and prepares for, and will coordinate during, a major cyber security incident affecting Government networks.

The publication of the Cyber Security Baseline Standards gives over 800 Public Sector Bodies a process, procedure, a common language and a risk-based approach to Cyber Security. The main goal of improving resilience and security of Public Sector IT systems has been achieved with feedback both publicly and privately to the NCSC and the Government has been overwhelmingly positive. There have been numerous examples of the Cyber Security Baseline Standards being adopted by both Public Sector Bodies and private organisations to develop their ability to defend against malicious activity and cyber threats. There was also praise from the private sector with many multinational companies publicly praising the Irish approach to Cyber Security. Among the further lasting benefits of the Cyber Security Baseline Standards is that it drove the creation of other projects such as Civil Service wide Cyber Security assessment metrics, training for Civil Servants and Public Sector procurement advice.

Key challenges included taking a strategic view on the Cyber Security Baseline Standards and overcoming any technical obstacles and issues by prioritising problem areas and anticipating issues before they arose. The work of the group was directed and facilitated by using workshops to discuss and deal with any outstanding technical issues and the used an iterative process to build upon the collective strengths of the group to develop practical solutions to problems. There is no single solution when it comes to Cyber Security. For instance, "zero day" attacks exploiting previously unknown vulnerabilities are especially problematic. However, using the Baseline Standard to assess and improve management risks will put Public Service Bodies in a much better position to identify, protect, respond to, and recover from a Cyber Security attack, minimising damage. Support and buy-in from senior managers and senior stakeholders was essential to the success of this project.

Another challenge of the group was to agree on an approach which could be applied by all public sector bodies and that the work of the group had to be achievable and have lasting benefits. The work had to be achieved in the first instance by all Public Sector Bodies and as such was seen as the start of an iterative process with the Baseline Standards to be revised and issued every 2 year period. This would reflect the growing level of Cyber Maturity in the sector and adapt for technological innovation and changes within the ICT systems.

This project embodies the Irish Civil Service Renewal 2030 Strategy by delivering evidence-informed policy and services, harnessing digital technology and innovation and building the Civil Service workforce, workplace and organisation of the future. Conditions for success included the support of Senior Management across all the 13 Government Departments and key Agencies. There was a general legislative mandate in place which provided the momentum at the start of the project but the key to success was down to the collective vision and drive of all the participants to produce a Cyber Security Standard that would be useful to all Irish Public Sector Bodies and that would stand the test of time.

This project roadmap can be easily replicated. The key lesson from the project was that a structured pragmatic approach which engages and involves key stakeholders from the start of the project ensures future buy-in from other stakeholders. In addition, one of the central creative aspects of the project was the holistic nature of the Cyber Security Baseline Standards. Instead of aligning with one single international standard, the group picked the best ideas from various known international standards to create an efficient, effective forward-looking model adapted to Ireland and which can be updated over time in subsequent iterations. The group adopted a trusting and blameless culture, similar to practices in the aviation and healthcare industries, where real incidents and faults are reviewed and every identified risk is seen as an opportunity to strengthen the system. This approach prevents cyber security blame culture and positively reinforces cyber security best practices.

Following the success of the Baseline Standards, this work has been replicated by establishing a key operational group called The Government Cyber Security Coordination and Response (CORE) Network. All the Government Departments are represented on the CORE Network with additional representation from key agencies and Local Government. In addition, we have been able to use the Baseline Standards and the CORE Network as a solid foundation and a pivot point for many other related projects such as:

• Public Service Cyber Security self-assessment forms
• Future alignment of Public Administration with European Legislation
• ICT Procurement advice
• Government Instructor Led Cyber Security Training

The success of the project has been gauged by the high level of reference, interest and enquiries received by the NCSC regarding the Baseline Standards. Many Public Sector bodies have shown their appreciation for the composition and work of the Steering Group and the “Whole of Government” consensus driven model. The Cyber Security Baseline Standards are now used as a “go to” reference point for a Cyber Security Governance with the Public Sector. In addition, the Baseline Standards provide a Cyber Incident Response Plan (CIRP) which was designed to enable all public sector bodies to develop their own CIRP and be straightforward to apply.