The National Cyber Emergency Response Team (National CERT) has submitted the Pakistan Information Security Framework (PISF) to the federal cabinet for approval after completing consultations with federal and provincial governments, regulators, critical infrastructure operators and other stakeholders, sources told ProPakistani.
Under the framework, public sector organizations will be required to establish cybersecurity governance structures, conduct regular risk assessments, implement standardized incident response procedures and maintain business continuity and disaster recovery plans.
Once approved, the framework will serve as the country’s baseline cybersecurity standard for government organizations and designated Critical Information Infrastructure (CII) entities.
The proposed framework introduces mandatory cybersecurity controls covering governance, risk management, incident response, data protection, physical security, supply chain management, secure software development, data centres, web hosting services and the protection of critical information infrastructure.
It will apply to federal and provincial ministries, divisions, departments, autonomous bodies, corporations, Computer Emergency Response Teams (CERTs) and designated CII organizations.
The framework also introduces mandatory cyber incident reporting timelines. Verified incidents affecting Critical Information Infrastructure must be reported to the relevant regulator, sectoral CERT and the National CERT immediately, followed by a detailed report within 72 hours. Verified incidents involving non-critical organizations must be reported within 120 hours.
Organizations providing data centre, web hosting and email services will be required to implement enhanced security measures, including multi-factor authentication, network security controls, continuous monitoring, vulnerability management, secure backup systems and annual independent security audits.
In addition, organizations hosting government websites or applications outside Pakistan will be required to develop plans to migrate them to data centres located within the country. The framework also requires cybersecurity obligations to be incorporated into agreements with software developers, cloud service providers and hosting companies.
The proposed framework further mandates security by design principles for software development, strengthens supply chain risk management, requires periodic information security audits and introduces sector-specific security controls for critical infrastructure operators.
Organizations will also be required to classify critical assets, protect personal data, conduct resilience testing, maintain coordination with sectoral and national CERTs, and provide regular cybersecurity awareness training to employees.
Following cabinet approval, the Pakistan Information Security Framework is expected to become the primary cybersecurity baseline for public sector organizations, with implementation carried out in accordance with its prescribed compliance and security requirements.
Stay Connected with ProPakistani
Get the latest tech news, telecom insights, and product launches wherever you prefer.
Add ProPakistani to Preferred Sources and see more of our stories in Google Search and Top Stories.
