Oireachtas Joint and Select Committees

Wednesday, 30 March 2022

Joint Oireachtas Committee on Transport, Tourism and Sport

Cybersecurity and Hybrid Threats Following the Russian Invasion of Ukraine: Discussion

Dr. Richard Browne:

I will leave aside all the work we do on incident response, planning and contingency and focus on compliance. The NCSC has a compliance team that focuses on five of those seven sectors and engages with the designated operators of essential services on a daily basis. We require all the entities to produce a detailed assessment of their own security. We then give them a gap analysis of where they are versus where they need to be. If that gap analysis and that process identifies issues, we audit them using an external company, not the NCSC. We have an independent audit of company X, Y or Z, or the entity involved. The result of that audit is then brought to the operator of essential services or entity to ensure it is moving on.

The important point is that we have been able to demonstrate, over the four years we have been doing this kind of compliance, a stepwise improvement year-on-year across critical infrastructure. This process - it is a process and not a single event - has brought people along a journey towards much greater understanding of the risks and their responsibilities in this regard, in addition to the things they need to do. Some of the audits we are doing this year are essentially catch-up audits. We are checking up to ensure everything they said had been done has been completed. We are in a much more highly advanced and mature stage than we were when we started out. It is one of the reasons handing off the compliance process is now possible. We are not at a baseline anymore. We have a set of critical infrastructure operators that are operating mature, largely compliant models. Where they are not compliant, they are in a process with us whereby they will be by the end of the year. To be very clear, most of the audits found minor structural issues or minor governance lines or chains of command that were not clear. They were not fundamental cybersecurity challenges.
