National CERT Submits Pakistan Information Security Framework For Federal Cabinet Approval

National CERT Submits Pakistan Information Security Framework For Federal Cabinet Approval

National CERT has submitted the Pakistan Information Security Framework (PISF) to the federal cabinet for approval after completing consultations with federal and provincial governments, regulators, critical infrastructure operators, and other stakeholders, according to sources. Once approved, the framework will establish a unified cybersecurity baseline for government organizations and designated Critical Information Infrastructure (CII) entities across Pakistan. The proposed framework is intended to strengthen cybersecurity governance, standardize security practices, and improve the country’s ability to prevent, detect, respond to, and recover from cyber incidents affecting public sector organizations and critical national infrastructure.

Under the proposed framework, public sector organizations will be required to establish formal cybersecurity governance structures, conduct regular risk assessments, implement standardized incident response procedures, and maintain business continuity and disaster recovery plans. PISF also introduces mandatory cybersecurity controls covering governance, risk management, incident response, data protection, physical security, supply chain management, secure software development, data centres, web hosting services, and the protection of Critical Information Infrastructure. The framework will apply to federal and provincial ministries, divisions, departments, autonomous bodies, corporations, Computer Emergency Response Teams (CERTs), and designated CII organizations. By creating consistent security requirements across these entities, the framework aims to improve cybersecurity preparedness while supporting a coordinated approach to risk management and incident handling throughout the public sector.

The proposed framework also establishes mandatory cyber incident reporting timelines to improve coordination during security incidents. Verified incidents affecting Critical Information Infrastructure must be reported immediately to the relevant regulator, the appropriate sectoral CERT, and National CERT, followed by a detailed report within 72 hours. Verified incidents involving non critical organizations must be reported within 120 hours. Organizations providing data centre, web hosting, and email services will also be required to implement enhanced cybersecurity measures, including multi factor authentication, network security controls, continuous monitoring, vulnerability management, secure backup systems, and annual independent security audits. In addition, organizations hosting government websites or applications outside Pakistan will be required to prepare plans for migrating those services to data centres located within the country. The framework further requires cybersecurity obligations to be included in agreements with software developers, cloud service providers, and hosting companies to strengthen security throughout the technology supply chain.

The Pakistan Information Security Framework also promotes security by design principles during software development, strengthens supply chain risk management requirements, mandates periodic information security audits, and introduces sector specific security controls for operators of Critical Information Infrastructure. Organizations will be required to classify critical assets, protect personal data, conduct resilience testing, maintain coordination with sectoral and National CERT teams, and provide regular cybersecurity awareness training for employees. Following cabinet approval, PISF is expected to become the primary cybersecurity baseline for public sector organizations, with implementation carried out according to its prescribed compliance and security requirements. The framework is intended to provide a consistent national approach to cybersecurity governance while supporting stronger protection of government systems, critical infrastructure, and essential digital services across Pakistan.

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.

Post Comment