Skip links

The National Cyber Emergency Response Team (National CERT) has submitted the Pakistan Information Security Framework (PISF) to the federal cabinet for approval after completing consultations with federal and provincial governments, regulators, critical infrastructure operators and other stakeholders, sources told ProPakistani.

Once approved, the framework will become Pakistan’s baseline cybersecurity standard for government institutions and designated Critical Information Infrastructure (CII), introducing a uniform set of security requirements across the public sector.

The framework proposes mandatory controls covering cybersecurity governance, risk management, incident response, data protection, physical security, supply chain security, secure software development, data centres, web hosting services and the protection of critical infrastructure. It will apply to federal and provincial ministries, divisions, departments, autonomous bodies, state-owned entities, CERTs and designated CII organizations.

Government entities will be required to establish cybersecurity governance mechanisms, conduct regular risk assessments, implement standardized incident response procedures and maintain business continuity and disaster recovery plans.

The proposal also sets strict cyber incident reporting deadlines. Confirmed incidents affecting Critical Information Infrastructure must be reported immediately to the relevant regulator, sectoral CERT and National CERT, followed by a detailed report within 72 hours. Other public sector organizations must report confirmed incidents within 120 hours.

Data centre, web hosting and email service providers will be required to adopt stronger security measures, including multi-factor authentication, network protection, continuous monitoring, vulnerability management, secure backup systems and annual independent security audits.

The framework also requires organizations hosting government websites or applications overseas to prepare plans for migrating them to data centres located in Pakistan. It further mandates cybersecurity obligations in contracts with software developers, cloud providers and hosting companies.

In addition, the framework introduces security-by-design requirements for software development, strengthens supply chain security, mandates periodic information security audits and establishes sector-specific controls for critical infrastructure operators. Organizations will also be required to classify critical assets, protect personal data, conduct cyber resilience testing, coordinate with sectoral and National CERTs, and provide regular cybersecurity training to employees.

Following cabinet approval, the Pakistan Information Security Framework will serve as the country’s primary cybersecurity baseline for public sector organizations, with compliance implemented under its prescribed security requirements.

Leave a comment

RBN Community

Join our whatsapp channels below to get the latest news and updates.

rBusiness rMarkets