UK NCSC revises risk management guidance

Allen & Overy LLP

On 26 June 2023, the UK National Cyber Security Centre (NCSC) revised its guidance on risk management, which was last updated in 2018.

The revised guidance includes new sections on:

  • an eight-step cyber security risk management framework that is based on International Organisation for Standardisation guidance (ISO/IEC 27005);
  • a cyber security risk management toolbox that encourages users to select the most appropriate technique or method to deal with the relevant risk management challenge (as opposed to employing a ‘one size fits all’ approach) – the tools discussed include component-driven and system-driven approaches, the use of qualitative and quantitative information, threat modelling, attack trees and cyber security scenarios; and
  • a basic risk assessment and management method that is intended to serve as introductory guidance for new readers (although not suitable for complex risk management scenarios).

The NCSC also updated an old assurance model from the UK government’s National Technical Authority for Information Assurance (CESG) Good Practices Guides to include a list of potential assurance activities for managing cyber risks and practical examples of applying it (e.g. when using cloud services or a certified encryption device).

The press release is available here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Allen & Overy LLP | Attorney Advertising
