A1. Governance

Created:  28 Jan 2018
Updated:  30 Apr 2018


The organisation has appropriate management policies and processes in place to govern its approach to the security of network and information systems.


Effective security of network and information systems should be driven by organisational management and corresponding policies and practices. There should be clear governance structures in place with well-defined lines of responsibility and accountability for the security of network and information systems.

Senior management should clearly articulate unacceptable impacts to the business (often called risk appetite), which should take into account the organisation’s role in the delivery of essential services, so decision makers at all levels can make informed decisions about risk without constantly referring decisions up the governance chain.

There should be an individual(s) who holds overall responsibility and is accountable for security. This individual is empowered and accountable for decisions regarding how services are protected. For small organisations, the governance structure can be very simple.


NCSC Introduction to Security Governance

Your organisation's approach to security governance needs to be an appropriate fit for your organisation. Good security governance is integrated with your business's usual decision making structures and processes.

Decisions about risk can be made at all levels of your organisation when delegated effectively to people with the right security, business and technical knowledge, skills and experience. Clear lines of communication are also necessary.

Risk management standards

Following a standardised risk management approach can help in achieving good cyber security governance. There are many such standards to choose from. Some of the most well-known for NIS sectors are:

ISO 27001

An Information Security Management System can aid governance of cyber security risk

An Information Security Management System (ISMS) is a set of policies, procedures, and roles designed to ensure cyber security risks are identified and managed. Traditionally an ISMS is considered to be an information risk management system, however it can be used to manage cyber security risks to essential services.

A properly scoped and implemented ISMS can help your organisation to meet the requirements of the NIS Directive by putting in place policies, procedures, and roles which govern the organisational approach to managing cyber security risks to essential services. 

ISO 27001 is one of many standards you can use to implement an ISMS. If your organisation is intending to use ISO 27001, you should consider which elements will help achieve your organisational objectives - full compliance and certification may be unnecessary. 

Your organisation must incorporate into the ISMS any relevant external requirements, for example direction from the competent authority.  You should also set appropriate cyber security requirements for your supply chain to ensure their support in achieving your NIS objectives (see A4 Supply Chain Security).

IEC 62443-2-1:2010

An industrial automation and control system (IACS) cyber security management system (CSMS) that is relevant to particular essential service sectors.

The CSMS defined in IEC 62443-2-1 is designed to build on ISO 27001 & 27002 for IACS environments, with the aim of aligning cyber security risk management with existing safety risk management practices. A management system framework is provided as a baseline, which organisations are encouraged to tailor for their own context.


NCSC Introduction to Security Governance

ISO 27001

IEC 62443-2-1:2010

< Back to NIS Objectives                Forward to Principle A2 >

Was this guidance helpful?

We need your feedback to improve this content.

Yes No