The National Cyber Security Centre (NCSC) has updated its risk management guidance to help practitioners manage cyber risk.
It said this reflects changers in cyber security, technology and global politics since the last update five years ago.
The aim of the update is to provide practical advice based on experience of working on risk management problems, feedback from users and research by the NCSC’s sociotechnical and risk group.
The new guidance includes three new sections, the first of which is an eight-step cyber security risk management framework to help users understand what a good approach looks like for their organisation. It is based on the ISO/IEC 27005 standard while drawing on other methods.
Toolbox components
Second is a ‘toolbox’ for cyber security risk management that comprises: component and system drive approaches to the issue; using qualitative and quantitative risk management information; threat modelling; attack trees; and cyber security scenarios.
Third is a basic assessment and management method for users new to risk management or have a very simple requirement. This is not based on any single method and is not suitable for complex scenarios, but it is similar to bottom up and component driven approaches recommended by the National Institute of Standards and Technology and the International Standards Organsation.
NCSC added that has revived the assurance model from one of the Communications-Electronics Security Group’s good practice guide, with an update of the list of potential assurance activities.
