The National Cyber Emergency Response Team (National CERT) has submitted a New Security framework to the federal cabinet for approval. The proposal comes after extensive consultations with federal and provincial governments, regulators, critical infrastructure operators, and other stakeholders.
The proposed Pakistan Information Security Framework (PISF) is expected to become the country’s baseline cybersecurity standard once it receives cabinet approval. It will apply to government organizations and designated Critical Information Infrastructure (CII) entities across Pakistan.
The New Security framework aims to improve the country’s ability to prevent, detect, and respond to cyber threats. It also introduces standardized cybersecurity requirements for public sector organizations.
Under the proposed framework, government institutions will be required to establish clear cybersecurity governance structures. They must also carry out regular risk assessments to identify and manage security threats.
The framework requires organizations to adopt standardized incident response procedures. They must also prepare business continuity and disaster recovery plans to ensure essential services continue during cyber incidents.
The New Security framework introduces mandatory cybersecurity controls across several key areas. These include governance, risk management, incident response, data protection, physical security, and supply chain management.
It also covers secure software development, data centre operations, web hosting services, and the protection of critical information infrastructure. These measures are designed to strengthen the country’s overall cybersecurity posture.
The framework will apply to federal and provincial ministries, government departments, autonomous bodies, public corporations, Computer Emergency Response Teams (CERTs), and organizations classified as Critical Information Infrastructure.
Another important feature is the introduction of mandatory cyber incident reporting deadlines. Organizations managing Critical Information Infrastructure must immediately report verified cyber incidents to the relevant regulator, sectoral CERT, and National CERT.
A detailed incident report must then be submitted within 72 hours. For verified incidents involving non-critical organizations, the reporting deadline will be 120 hours.
The framework also places additional responsibilities on organizations providing data centre, web hosting, and email services. These service providers must implement stronger security measures to protect digital infrastructure.
Required measures include multi-factor authentication, network security controls, continuous monitoring, vulnerability management, secure backup systems, and annual independent security audits.
The New Security framework also addresses data hosting requirements. Organizations that currently host government websites or applications outside Pakistan will be required to develop plans to move them to data centres within the country.
In addition, cybersecurity obligations must be included in agreements with software developers, cloud service providers, and hosting companies. This requirement aims to improve security throughout the digital supply chain.
The proposed framework also promotes security-by-design principles during software development. It strengthens supply chain risk management and requires regular information security audits.
Critical infrastructure operators will also have to follow sector-specific security controls. These measures are intended to improve the protection of essential national services.
Organizations covered under the framework will be required to classify critical assets, safeguard personal data, conduct resilience testing, and maintain coordination with sectoral and National CERTs. They must also provide regular cybersecurity awareness training for employees.
In other news read more about Operation Shaaban Continues as Security Forces Kill Two More Militants, Death Toll Rises to 123
Once approved by the federal cabinet, the Pakistan Information Security Framework will become the country’s primary cybersecurity standard. Public sector organizations will then implement the framework according to its prescribed compliance and security requirements.




