Over two intensive weeks, learners will explore:
Module 0 - NCSC Cyber Security Risk Management Framework
Get familiar with the NCSC’s high-level approach to managing cyber risk:
- Overview of the NCSC framework and how each component connects
- Key considerations for each stage of the risk lifecycle
- Understand the purpose and flow of the cyber risk management lifecycle
Module 1 - Establish organisational context
Understand your business before managing its risks:
- Define your organisation’s objectives and risk appetite
- Identify internal/external risk factors using tools like PESTLE and SWOT
- Prioritise focus areas from a cyber perspective
- Recognise the value of understanding business context in cyber risk decisions
Module 2 - Identify decision makers, governance, processes and constraints
Lay the groundwork for effective risk ownership:
- Map out governance structures and accountability
- Identify key stakeholders, their authority, and decision-making processes
- Align cyber risk with wider organisational processes and change management
- Understand supply chain responsibility models and resource requirements
Module 3 - Define your cyber risk challenge
Clarify what needs protecting - and from whom:
- Set scope boundaries and assess maturity of your current approach
- Understand threat intelligence and organisational risk synergies
- Conduct impact assessments and identify critical assets
- Analyse organisational priorities and readiness for change
Module 4 - Select your approach
Choose the right tools and methods for your risk assessment:
- Compare global methodologies and NCSC-endorsed approaches
- Assess suitability and limitations of various tools
- Explore the NCSC blueprint and risk assessment toolsets
- Understand what makes a method fit for purpose
Module 5 - Understand risks and how to manage them
Dig into the core risk assessment process:
- Follow the ISO 27005 model to identify, evaluate, and treat risks
- Differentiate between inherent and residual risk
- Use risk matrices, registers, and documentation effectively
- Develop risk treatment plans and justify control decisions
Module 6 - Communicate and consult
Build a culture of risk awareness:
- Effectively communicate findings, priorities, and recommendations
- Engage allies and stakeholders across the organisation
- Present risks clearly using dashboards, KRIs/KPIs, and heat maps
- Encourage ongoing consultation and re-assessment
Module 7 - Implement and assure
Put your plan into action with confidence:
- Apply defence-in-depth strategies and layered controls
- Leverage “Secure by Design” and “Secure by Default” principles
- Evaluate control effectiveness and maintain desired state
- Understand cloud shared responsibility and assure supply chain security
- Use NCSC-assured services and assurance models
Module 8 - Monitor and review
Make risk management a continuous process:
- Review controls, scope, and metrics in light of evolving threats
- Monitor performance using dashboards and testing mechanisms
- Reassess risks periodically to maintain effectiveness
- Ensure your approach stays relevant and aligned with organisational goals