Cyber Security Toolkit for boards

Resources designed to help board members govern cyber risk more effectively.

The vast majority of organisations in the UK rely on information, data and digital technology to function. Cyber security ensures organisations can operate effectively in our increasingly online world.

When it’s done well, cyber security is so much more than a compliance function or the implementation of technical controls. You can use it to exploit the opportunities that technology brings, drive your company’s agenda, and deliver real value throughout your organisation.

Crucially, good cyber security facilitates better cyber resilience: the ability of an organisation to protect itself from, respond to, and recover from a cyber attack, data breach or service outage. The Executive Team, Audit Committee, Risk Committee and Remuneration Committee all have roles to play in making sure that there is the right level of assurance in the business, but ultimate accountability to the shareholders lies with the board.



What is the Board Toolkit?

The NCSC’s Board Toolkit helps boards to ensure that cyber resilience and risk management are embedded throughout an organisation, including its people, systems, processes and technologies.

What are the benefits of using the Board Toolkit?

Boards are pivotal in improving the cyber security of their organisations. The benefits of effective cyber security include:

  • Organisations can prioritise areas for investment that balance the value of protection against the needs of the business. This will enable them to create a roadmap for improvements and set aside a budget for the risk exposure.
  • Taking cyber security seriously builds trust and confidence with customers and shareholders, particularly at a time where risks and threats are becoming increasingly complex in customer supply chains.
  • Organisations that need to demonstrate compliance to regulators are able to do so more efficiently where cyber security is well integrated into the business.
  • Organisations that understand their 'enterprise estate' (that is, their people, systems, processes and technology) are better able to identify areas that are critical to the business operation and identify appropriate resources to mitigate against identified threats.
  • Organisations with a healthy security culture are able to learn from incidents, driving improvement and innovation. As well as benefits to productivity, it can also lead to greater employee wellbeing and retention.
  • Investing resources in cyber security training and education enables organisations to prepare their workforce for adverse events and incidents by empowering their decision making.

Who is the Board Toolkit for?

The toolkit is aimed at board members in medium to large organisations in any sector. That could be:

  • a Board of Directors
  • a Board of Governors/Advisors
  • Non-executive Directors or a Board of Trustees

Additionally, committees reporting to the board and security practitioners may find the Essential activities section useful in ensuring the organisation is adopting best practices. The included questions will help frame discussions with the board and key stakeholders.

  • If your organisation already has a risk management process in place, this toolkit can help you to embed cyber risks through this process, which includes understanding your organisation’s overall cyber security strength and resilience.
  • If your organisation has a mature cyber risk management process in place, the toolkit will give board members the confidence to challenge how frameworks (such as NIST, ISO/IEC 27005 or CAF) are helping the organisation to achieve its broader objectives.

Regardless of how established your cyber risk process is, the accountability for cyber risk still rests with the board, even when cyber aspects are outsourced. Good cyber security has to work for your organisation. It has to be appropriate to your systems, your processes, your staff, your culture and, critically, to the level of risk you are willing to accept. That is why, ultimately, cyber security is a board-level responsibility.

Note

Smaller organisations that may not have the resources to implement the Board Toolkit in full (but still want to improve their cyber security) should, in the first instance, refer to the NCSC's Small Business Guide.


How is the Board Toolkit organised?

Managing cyber security risk is a continuous, iterative process. It can be divided into 3 main sections, and we've organised the toolkit to address key cyber security themes in each one.

  1. Organisations should create the right environment so that cyber security can flourish by:
    • Embedding cyber security in your organisation
    • Developing a positive cyber security culture
    • Growing cyber security expertise

  2. They then need to get the right information to support decision making, by:
    • Identifying the critical assets in your organisation
    • Understanding the cyber security threat
    • Using this information to evaluate and prioritise risks

  3. This allows them to take steps to manage those risks, by:
    • Implementing effective cyber security measures
    • Collaborating with your supply chain and partners
    • Planning your response to cyber incidents

Note

This toolkit also includes an Introduction to Cyber Security for board members who are new to the domain.


How to use the Board Toolkit

In each of the themes above, we’ve included:

  • a summary of the theme that explains what it is, and why it’s important
  • Essential activities that should take place (effectively, the good practices that boards should expect to see in your organisation)
  • Indicators of success: a series of questions (with possible answers) that boards can use to help evaluate your organisation's performance

Note:

The Indicators of success are designed to encourage productive cyber security discussions between boards and key stakeholders in your organisation (such as your legal, procurement and HR teams, as well as technical teams). They are designed as a 'starting point', rather than a checklist that's simply to be worked through.

Board members don't need to be technical experts, but you do need to know enough about cyber security to discuss issues with key staff. The Board Toolkit supports the board by providing the right questions to ask to gain a good understanding of the cyber risk profile of the organisation.

Introduction to cyber security for board members