IT

Prerequisites

• Attendees must have at least six months’ experience in a cyber risk-related role.

• Learners will need to bring their own laptop, that is able to connect to the internet, to complete group tasks.

Target Audience

This course is for UK government department employees only working as Cyber Security Risk Consultants and Practitioners who are responsible for reviewing, managing, or advising on cyber risk.

NCSCs Cyber Security Risk Management Course Content

Over two intensive weeks, learners will explore:

Module 0 - NCSC Cyber Security Risk Management Framework

Get familiar with the NCSC’s high-level approach to managing cyber risk:

• Overview of the NCSC framework and how each component connects
• Key considerations for each stage of the risk lifecycle
• Understand the purpose and flow of the cyber risk management lifecycle

Module 1 - Establish organisational context

Understand your business before managing its risks:

• Define your organisation’s objectives and risk appetite
• Identify internal/external risk factors using tools like PESTLE and SWOT
• Prioritise focus areas from a cyber perspective
• Recognise the value of understanding business context in cyber risk decisions

Module 2 - Identify decision makers, governance, processes and constraints

Lay the groundwork for effective risk ownership:

• Map out governance structures and accountability
• Identify key stakeholders, their authority, and decision-making processes
• Align cyber risk with wider organisational processes and change management
• Understand supply chain responsibility models and resource requirements.

Module 3 - Define your cyber risk challenge

Clarify what needs protecting - and from whom:

• Set scope boundaries and assess maturity of your current approach
• Understand threat intelligence and organisational risk synergies
• Conduct impact assessments and identify critical assets
• Analyse organisational priorities and readiness for change

Module 4 - Select your approach

• Choose the right tools and methods for your risk assessment:
• Compare global methodologies and NCSC-endorsed approaches
• Assess suitability and limitations of various tools
• Explore the NCSC blueprint and risk assessment toolsets
• Understand what makes a method fit for purpose

Module 5 - Understand risks and how to manage them

Dig into the core risk assessment process:

• Follow the ISO 27005 model to identify, evaluate, and treat risks
• Differentiate between inherent and residual risk
• Use risk matrices, registers, and documentation effectively
• Develop risk treatment plans and justify control decisions

Module 6 - Communicate and consult

Build a culture of risk awareness:

• Effectively communicate findings, priorities, and recommendations
• Engage allies and stakeholders across the organisation
• Present risks clearly using dashboards, KRIs/ KPIs, and heat maps
• Encourage ongoing consultation and re-assessment

Module 7 - Implement and assure

Put your plan into action with confidence:

• Apply defence-in-depth strategies and layered controls
• Leverage “Secure by Design” and “Secure by Default” principles
• Evaluate control effectiveness and maintain desired state
• Understand cloud shared responsibility and assure supply chain security
• Use NCSC-assured services and assurance models

Module 8 - Monitor and review

Make risk management a continuous process:

• Review controls, scope, and metrics in light of evolving threats
• Monitor performance using dashboards and testing mechanisms
• Reassess risks periodically to maintain effectiveness
• Ensure your approach stays relevant and aligned with organisational goals