The risk management guidance provided by NCSC (National Cyber Security Centre) has undergone its first update in five years, taking into account the significant changes that have occurred in global politics, technology, and cybersecurity during that time.
The updated guidance introduces three entirely new sections:
1. The development of an 8-step framework for cyber security risk management. This framework aims to provide organizations with a clear understanding of what an effective risk management approach entails. While the steps in the framework align with ISO/IEC 27005, similar activities can be found in various other risk management methods and approaches.
2. The introduction of a cyber security risk management toolbox, which recognizes that there is no one-size-fits-all approach to risk management. The toolbox concept emphasizes the need to employ the most appropriate technique or method to address specific risk management challenges. Currently, the toolbox includes component-driven and system-driven approaches, qualitative and quantitative risk management, threat modelling, attack trees, and cyber security scenarios. It is expected that the toolbox will expand as new techniques emerge.
3. The inclusion of a basic risk assessment and management method designed for readers who are new to risk management or whose risk management requirements are simple. This method is not suitable for complex scenarios and should not be regarded as NCSC's officially endorsed risk management method. While it draws on multiple methods, it most closely resembles the bottom-up, component-driven approaches recommended by NIST (National Institute of Standards and Technology) and the International Standards Organization.
Additionally, the assurance model has been updated, moving away from CESG’s deprecated “Good Practice Guides.” The four assurance mechanisms remain unchanged, but the list of potential assurance activities for gaining and maintaining intrinsic, extrinsic, operational, and implementation assurance has been revised.
These updates aim to provide organizations with improved guidance and approaches to effectively manage cybersecurity risks in a rapidly evolving landscape.