National Cyber Security Centre updates risk management framework

The UK’s National Cyber Security Centre (NCSC) has updated its guidance on cyber risk management.

Drawn up with feedback from users, research from the NCSC’s sociotechnical and risk group, and practical experience of working on risk management problems, the updated guidance now provides:

  • A new eight-step cybersecurity risk management framework designed to help readers understand what a good approach looks like in their organisation
  • A cybersecurity risk management ‘toolbox’ which will grow over time as new techniques emerge. It currently includes sections on using attack trees, threat modelling and cybersecurity scenarios
  • A basic risk assessment and management method for readers new to risk management or those with simple requirements.

The NCSC said: “Whilst the four assurance mechanisms in the CESG assurance model haven’t changed (and they all still need to be applied for an organisation to gain and maintain confidence or assurance), we have updated the list of potential assurance activities that could be used to gain and maintain intrinsic, extrinsic, operational and implementation assurance.”

The NCSC said it has recognised that a considerable amount has changed since the guidance was first developed five years ago – in terms of geopolitics, technology and cybersecurity.