Civil Nuclear Industry and the move to outcomes-based regulation.

News and information from the Advent IM team.

With thanks to our Security Consultant, Osian Cassells for his perspective on this change of regulatory style.

The move from requirements-based to outcomes-based regulation within the Civil Nuclear Industry: National Objectives, Requirements and Model Standards (NORMS) to Security Assessment Principles (SyAPs)

Whilst I was a member of the information security team for an organisation within the UK Civil Nuclear Industry, there was a change in how the industry was regulated, moving from a more requirements-based document (NORMS) to a more outcome-focused document (SyAPs). Organisations are now able to take a more flexible and innovative approach to how they meet the outcomes set out by ONR in SyAPs. This should allow organisations to improve how security enables the business in reaching its goals securely, by allowing them to use methods which best suit that particular organisation. It’s a move away from the ‘one size fits all’ approach, allowing organisations to be creative, identify business needs and implement solutions based on what best fits a particular organisation. If organisations within the civil nuclear industry embrace this change, I believe it would have a positive impact on the industry, as the organisations within it all operate and run in various different ways.

There are a number of positives that I believe SyAPs will bring to the industry, besides the point I have mentioned previously that it enables businesses to implement security in a way that best suits that organisation. SyAPs also aims to ensure that duty holders mitigate emerging threats in the cyber security and information assurance area. Given that the threat landscape in this area is continuously changing, staying up to date with the latest threats and attack methods is vital in ensuring an organisation’s information assets are secure. Embedding the way an organisation manages its threats into company processes, procedures and Nuclear Site Security Plans will allow organisations to effectively understand the threats to the organisation and what they may need to do in order to protect assets against a particular threat. Embedding these steps within Site Security Plans should assist in ensuring information risks are managed effectively.

It’s understandable that the industry as a whole is used to more requirements-based regulation, as that is what the industry had known previously. An issue that stood out to me was organisations’ uncertainty and hesitance around the absence of that more requirements-based framework, and how organisations demonstrate they meet the SyAPs outcomes. Organisations need confidence in their own approach to security in order to demonstrate to the regulator how they meet the outcomes required.

It’s inevitable that on initial release there are going to be teething problems, and it’s going to take time for organisations to grasp and understand SyAPs. As a whole, though, I believe making the move to outcomes-focused rather than requirements-based regulation is the right move and will have a positive impact in the long term. For security to be as effective as it can possibly be, it needs to be bespoke and fit for each particular organisation, and outcome-based regulation allows organisations to do this.
