This paper outlines proposed requirements in a new cross-industry prudential standard for the management of information security, as part of a broader project to update the prudential framework in respect of the qualitative management of operational risk.