NCSC Launches Cyber Risk Management Toolbox

The National Cyber Security Centre (NCSC) has released updated guidance on cyber risk management. This guidance is designed to make the advice more accessible and customizable, even for those new to the field.

Developed based on user feedback, research from NCSC’s Socio-Technical and Risk Group, and real-world experience addressing risk management issues, the guidance includes three new sections:

  • A new 8-step cybersecurity risk management framework designed to help readers understand what a good approach looks like in an organization
  • A cybersecurity risk management “toolbox” that grows over time as new technologies emerge. It now includes sections on using attack trees, threat modeling, and cybersecurity scenarios.
  • Basic risk assessment and management methods for readers new to risk management or with simple requirements. It is inspired by the “bottom-up and component-driven approach” promoted by NIST and ISO.

NCSC has also reinstated an assurance model from one of its obsolete “Good Practice Guides.”


“We do this so that you understand how you can obtain and maintain warranties for the products, systems and services you use,” the agency explained.

“While the four assurance mechanisms of the CESG Assurance Model have not changed (and all must be applied in order for an organization to earn and maintain trust and assurance), we have updated our list of potential assurance activities that we can: obtain and maintain intrinsic, external, operational and implementation assurance.”

Not all guidance is new. The emphasis remains on using a “component-driven and system-driven view of risk” and leveraging a variety of risk management information sources.

However, the NCSC has recognized that many things have changed in terms of geopolitics, technology and cybersecurity since this guidance was first produced five years ago.
