The vast majority of organisations in the UK rely on information, data and digital technology to function. Cyber security ensures organisations can operate effectively in our increasingly online world.
When it’s done well, cyber security is so much more than a compliance function or the implementation of technical controls. You can use it to exploit the opportunities that technology brings, drive your company’s agenda, and deliver real value throughout your organisation.
Crucially, good cyber security facilitates better cyber resilience: the ability of an organisation to protect itself from, respond to, and recover from a cyber attack, data breach or service outage. The Executive Team, Audit Committee, Risk Committee and Remuneration Committee all have roles to play in making sure that there is the right level of assurance in the business, but ultimate accountability to the shareholders is with the board.
The NCSC’s Board Toolkit helps boards to ensure that cyber resilience and risk management are embedded throughout an organisation, including its people, systems, processes and technologies.
Boards are pivotal in improving the cyber security of their organisations. The benefits of effective cyber security include:
The toolkit is aimed at board members in medium to large organisations in any sector. That could be:
Additionally, committees reporting to the board and security practitioners may find the Essential activities section useful in ensuring the organisation is adopting best practices. The included questions will help frame discussions with the board and key stakeholders.
Regardless of how established your cyber risk process is, the accountability for cyber risk is still with the board, even when cyber aspects are outsourced. Good cyber security has to work for your organisation. It has to be appropriate to your systems, your processes, your staff, your culture and, critically, has to be appropriate for the level of risk you are willing to accept. This is why, ultimately, cyber security is a board-level responsibility.
Smaller organisations that may not have the resources to implement the Board Toolkit in full (but still want to improve their cyber security) should, in the first instance, refer to the NCSC's Small Business Guide.
Managing cyber security risk is a continuous, iterative process. It can be divided into 3 main sections, and we've organised the toolkit to address key cyber security themes in each one.
Organisations should create the right environment so that cyber security can flourish by:
• Embedding cyber security in your organisation
• Developing a positive cyber security culture
• Growing cyber security expertise
They then need to get the right information to support decision making, by:
• Identifying the critical assets in your organisation
• Understanding the cyber security threat
• Using this information to evaluate and prioritise risks
This allows them to take steps to manage those risks, by:
• Implementing effective cyber security measures
• Collaborating with your supply chain and partners
• Planning your response to cyber incidents
This toolkit also includes an Introduction to Cyber Security for board members who are new to the domain.
In each of the themes above, we’ve included:
The Indicators of success are designed to encourage productive cyber security discussions between boards and key stakeholders in your organisation (such as your legal, procurement and HR as well as technical teams). They are designed as a ‘starting point’, rather than a checklist that’s simply to be worked through.
Board members don't need to be technical experts, but you do need to know enough about cyber security to discuss issues with key staff. The Board Toolkit supports the board by providing the right questions to ask to gain a good understanding of the cyber risk profile of the organisation.