Govt Proposes Mandatory Cyberattack Reporting Deadlines Under PISF
The government has proposed mandatory timelines for reporting cybersecurity incidents through the Pakistan Information Security Framework (PISF), requiring ministries, departments, and public sector organizations to strengthen incident reporting and response mechanisms.
Under the proposed framework, organizations designated as Critical Information Infrastructure (CII) will be required to immediately report verified cybersecurity incidents to their respective sectoral regulators, Computer Emergency Response Teams (CERTs), and the National CERT. A comprehensive incident report must be submitted within 72 hours of verification.
Public sector organizations that are not classified as CII will be required to report verified cybersecurity incidents to the relevant sectoral regulator or CERT within 120 hours.
The framework also mandates organizations to establish comprehensive cybersecurity incident management policies covering preparedness, detection, response, mitigation, reporting, recovery, remediation, and post-incident reviews. Organizations will be required to classify incidents based on their severity and impact while defining clear roles and responsibilities throughout the incident response process.
To enhance cyber resilience, the proposed framework calls for adequate staffing, regular training, and periodic cybersecurity drills to test response capabilities. These exercises are intended to identify operational gaps, improve incident handling procedures, and strengthen organizational readiness against cyber threats.
Additionally, the framework recommends that organizations assess the need for Security Operations Centres (SOC), Security Information and Event Management (SIEM) platforms, and other security monitoring technologies to improve threat detection and response.
Following every cybersecurity incident, organizations will be required to document lessons learned and implement corrective measures within specified timelines to reduce the likelihood of similar incidents in the future.
The proposed framework also integrates cybersecurity incident response with business continuity and disaster recovery planning by requiring organizations to establish recovery objectives, conduct annual continuity exercises, and maintain documented procedures for communication, recovery, and restoration during cyber emergencies.
The PISF aims to establish a standardized cybersecurity governance framework across the public sector, enhancing preparedness, improving incident reporting, and strengthening the protection of government information systems against evolving cyber threats.