
NCSC updates cyber risk management guidance


Mark Say, Managing Editor




The National Cyber Security Centre (NCSC) has updated its risk management guidance to help practitioners manage cyber risk.

It said this reflects changes in cyber security, technology and global politics since the last update five years ago.

The aim of the update is to provide practical advice based on experience of working on risk management problems, feedback from users and research by the NCSC’s sociotechnical and risk group.

The new guidance includes three new sections, the first of which is an eight-step cyber security risk management framework to help users understand what a good approach looks like for their organisation. It is based on the ISO/IEC 27005 standard while drawing on other methods.

Toolbox components

Second is a ‘toolbox’ for cyber security risk management that comprises: component-driven and system-driven approaches to the issue; using qualitative and quantitative risk management information; threat modelling; attack trees; and cyber security scenarios.

Third is a basic assessment and management method for users who are new to risk management or have a very simple requirement. This is not based on any single method and is not suitable for complex scenarios, but it is similar to the bottom-up and component-driven approaches recommended by the National Institute of Standards and Technology and the International Standards Organisation.

NCSC added that it has revived the assurance model from one of the Communications-Electronics Security Group’s good practice guides, with an updated list of potential assurance activities.
