NCSC cyber toolkit for boards

Back in March 2019, the National Cyber Security Centre released its Board Toolkit, a comprehensive guide designed to help board members manage cyber risk.

As the NCSC says:

Boards are pivotal in improving the cyber security of their organisations. The Board Toolkit has been created to encourage essential discussions about cyber security to take place between the Board and their technical experts.

The guidance is extensive and applies to firms of all sizes. The Toolkit breaks its advice down into three sections:

  1. Get the information you need to make well informed decisions on the risks you face.
  2. Use this information to understand and prioritise your risks.
  3. Take steps to manage those risks.

Each section contains subsections on how to approach that step. By following the guide, an organisation can identify and implement information protection controls that suit it. There is no single good approach to cyber security: each organisation needs to evaluate its own risks, technologies and ways of working. The guide therefore sets out a series of questions a board can ask itself, its technical staff and its suppliers. These questions help a firm better understand its own cyber risk and the controls it already has in place.

A real-world case study

One major international professional services firm took the Board Toolkit and extracted from it five questions it considered key to its organisation. The firm is happy to share the questions to help others get started.

These were:

  1. How do we defend our organisation against phishing attacks?
  2. How does this firm control the use of privileged IT accounts?
  3. How do we ensure that our software and devices are up to date?
  4. How do we make sure our partners and suppliers protect the information we share with them?
  5. What authentication methods are used to control access to systems and data?

These questions are taken from the "What does good look like?" section of the Toolkit (page 32 of the PDF).

An agenda item was added to the firm's regular board meeting and the questions were discussed at length. The discussions did not always produce clear and simple answers. However, they allowed the organisation to consider ways in which its cyber risk could be better managed, whether through new ways of working, better training or wider use of technology.

Subsequent board meetings will revisit these questions and hear updates from those responsible for addressing each area. In future, further questions taken from the Toolkit will be added to the agenda.

The advice contained in the Board Toolkit is written in a way that is easy to follow, digest and implement. Firms are strongly encouraged to use this guide to manage their cyber risk.