A NSW government-sponsored taskforce of industry leaders has called on federal, state and local governments across Australia to adopt internationally recognised cyber security standards for cloud services.

It has also urged governments to more favourably evaluate proposals or tender bids from companies that adopt cyber security and other risk standards for telecommunications and the Internet of Things (IoT).

The NSW cyber security standards harmonisation taskforce made the recommendations alongside 22 others in a 16-page report [pdf] released on Thursday.

It follows six-months of work by the taskforce – which consists of representatives from across the defence, energy health and financial services sectors – to drive the adoption of standards.

The report separates recommendations for standards development and implementation into seven key areas: cloud, defence, education, energy, financial services, health and telco and IoT.

The taskforce found that there was generally a myriad of cyber security standards to select from, with some embedded into policy and others not.

In the cloud arena, the report urges governments to “adopt and leverage recognised ISO and/or IEC standards as baseline requirements for information security (i.e. ISO/IEC 27000 series)”.

Governments looking to introduce new cloud services at a protected level or below should also consider “ISO/IEC 27001, SOC 2 and potentially FedRAMP as part of a uniform security baseline”.

ISO/IEC 27000 is a widely-known family of standards used to ensure information assets are secure, whereas FedRamp is a US program providing a standardised approach to cloud security assessments.

The report said that standards could be embedded within “any regulatory frameworks or procurement models proposed in relation to cyber security”.

Governments have similarly been urged to adopt standards for protective security and supply chain security and risk management, namely ISO 28001, ISO 31000 and the forthcoming ISO 22340.

In a bid to assist this, the report recommends that businesses and governments develop material that “clearly communicates any business benefits around that adoption of standards”.

The report also indicates that international standards should be followed in the event that a principles-based approach is adopted instead.

Standards within tenders, government policy

Governments have also been urged to “explore mechanisms to consider, and weight, proposals or tender bids” where a company demonstrates the adoption of standards for telecommunications and IoT.

The report points to standards around cyber security, including IoT security in particular, and risk management.

“This could occur, for example, through assurance processes with routine reporting on the percentage of vendors who demonstrated that they met the requirements of particular standards,” the report said.

“It could also include prioritising proposals or tender bids which demonstrate compliance with recognised international standards or codes.”

New government digital policy documents and directives should similarly  “explicitly consider cyber security consideration, including recognised standards”.

“This might, for example, be prior to Cabinet or Expenditure Review Committee consideration,” the report added.

Other recommendations include:

Following the release of the report, Standards Australia CEO Adrian O’Connell said that governments and business will “now begin working collectively towards implementing these key recommendations”.

The taskforce is currently in the process of developing a publically accessible list of standards for cyber security across the report’s seven priority areas.

AustCyber CEO Michelle Price said that while standards are not a pancea, when “combined with the latest advances in technology, and embedded across global supply chains, they can assist in guiding baseline cyber security requirements”.

“This will help raise the posture of small to medium enterprise (SME), organisations and government agencies to compete in the Australian market and internationally,” she said.

NSW customer service minister Victor Dominello welcomed the report, which he said was the result of an Australian-first collaboration between the NSW government, AustCyber and Standards Australia.

“We brought together some of country’s best and brightest cyber minds, to ensure we have the highest standards in place and remain ahead of the curb,” he said of the taskforce in a statement.