Principle: A2 Risk Management
The organisation takes appropriate steps to identify, assess and understand security risks to the network and information systems supporting the operation of essential functions. This includes an overall organisational approach to risk management.
This means having a process which ensures that identified risks are fully understood through your governance structures and that leadership, up to Accounting Officer level, has confidence mitigations are effective and accord with agreed risk appetites. It is important that this process is organisation wide so resources and effort can be prioritised accordingly, and reviewed regularly to take account of business evolution and changes in the strategic context. Where a risk owner seeks to accept a risk which exceeds the organisation’s risk tolerance, a process should be in place to ensure that the risk is fully understood, assigned to a named individual and that its acceptance is clearly documented.
Policy
The following requirements are placed on government departments:
- Government organisations shall meet the Cyber Assessment Framework (CAF) requirements of the relevant Government Profile under this principle.
- The Government Functional Standard GovS 007: Security sets out the requirement that Government organisations shall establish policies, processes and capabilities to enable understanding of the risks to the organisation and its assets. That understanding should be achieved through risk assessment, relevant to each organisation’s own context. It should be done by skilled people using appropriate mechanisms, and by the establishment of risk appetites. It also outlines the role of the Accounting Officer and their responsibilities for risk management. For devolved administrations, organisations should adhere to the security functional standard and policy owned by its principal executive or devolved government body.
Guidance
- The NCSC’s Risk Management Guidance outlines the fundamentals of cyber security risk management describing both system-driven and component-driven methodologies.
- The NCSC’s Secure Design Principles outlines the importance of risk management as fundamental to the design process. The Establish the Context guidance outlines how risk tolerance, identification and assessment should be considered when designing a system, and how your organisation should use them to mitigate threats.
- More generally, HM Treasury and the Government Finance Function provide advice on broader risk management concepts as part of the Orange Book. Section D ‘Risk Management Process’ will provide you with principles on the risk management lifecycle from identification, assessment to treatment and monitoring; section E ‘Continual Improvement’ will assist with monitoring risks, performing lessons learned exercises and adapting risk management frameworks. It also promotes using both qualitative and quantitative metrics for risk reporting to identify trends, track risk mitigation and inform key decision making.
- NPSA’s Protective Security Risk Management (PSRM) guidance provides an approach for stakeholder engagement and security risk assessment to support effective decision making. It includes a flowchart on how an organisation should carry out end to end security risk management.
Further information
Further information can be found on NCSC’s CAF Guidance webpage.