NCIIPC Critical Information Infrastructure Guidelines

National Critical Information Infrastructure Protection Centre guidelines. Coming soon — applicable to operators of declared Critical Information Infrastructure (power, banking, transport, telecom).

Composition

35 controls currently indexed; participates in 21 cross-framework synthesis clusters.

Participates in synthesis

Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.

• Anti-malware protection with EDR and email/web safeguards
• Authentication architecture and multi-factor authentication
• Board-approved policy framework anchoring derived operational controls (legacy "supplier-policy" cluster name)
• Business continuity and ICT recovery readiness
• CISO role — independence, authority, Board access
• Continuous monitoring of networks, systems, applications, and outsourced development
• Cryptographic controls, key management, and post-quantum readiness
• Cyber risk assessment — technology, process, people, third-party, supply chain, post-quantum
• Data classification with protection controls — DLP, masking, retention, secure disposal
• Event-to-incident categorisation and assessment
• Mandatory assurance regime — periodic audit, VAPT, third-party assessment, risk review
• Multi-regulator incident notification with coordinated submission timelines
• Network protection — segmentation, monitoring, perimeter, and data leak prevention
• Network segmentation with zero-trust principles
• Physical access controls — secure areas, entry monitoring, asset protection
• Ransomware-resilient backup architecture
• Secure configuration baselines and hardening discipline
• Security Operations Centre — SIEM, EDR, forensics, MITRE-aligned detection
• Security reporting governance — CISO, DPO, incident reporting, compliance reporting
• VAPT cycle — vulnerability assessment and penetration testing programme
• Workforce security awareness, role-based training, and human-factor controls