A2. Risk management

Created:  28 Jan 2018
Updated:  31 Oct 2018


The organisation takes appropriate steps to identify, assess and understand security risks to the network and information systems supporting the delivery of essential services. This includes an overall organisational approach to risk management.


There is no single blueprint for cyber security and therefore organisations need to take steps to determine security risks that could affect the delivery of essential services and take measures to appropriately manage those risks.

Threats can come from many sources, both inside and outside the organisation. A good understanding of the threat landscape and the vulnerabilities that may be exploited is essential to effectively identify and manage risks. Such information may come from sources including NCSC, information exchanges relevant to the organisation's sector, and reputable government, commercial, and open sources, all of which can inform the organisation's own risk assessment process. Organisations may contribute to the understanding of threats and vulnerabilities in their sector by participating in relevant information exchanges and liaising with authorities as appropriate.

There should be a systematic process in place to ensure that identified risks are managed and that the organisation has confidence that mitigations are working effectively. Confidence can be gained through, for example, product assurance, monitoring, vulnerability testing, auditing and supply chain security.


NCSC Risk Management Guidance

Our Risk Management guidance aims to help you to choose an approach that's right for your organisation.

Operators of essential services are likely to benefit from a combination of a system-based approach, which looks at the interactions between components of the service, and a component-driven analysis, which considers the threats, vulnerabilities, and impacts relevant to particular critical components. 

Risk methods and frameworks

Your organisation should choose a method or framework for managing risk that fits with the organisation's business and technology needs. The NCSC has summarised some commonly used risk methods and frameworks as a starting point.

Whichever approach you choose, the scope of your programme must include all systems relevant to the operation of essential services. Simply following the minimum requirements of a standard or applying blanket controls across the organisation is unlikely to adequately manage risks to critical systems.

Where industrial control and automation systems are in scope of the essential service, you should keep in mind that controls suitable for managing risks on the corporate IT network may be inappropriate or damaging in an operational technology environment. These systems will likely require a more tailored approach, and some frameworks and standards address specific concerns relating to such systems.

Cyber security assurance

Various means are available to gain confidence in the effectiveness of the security of technologies, processes and people. The NCSC assurance blog provides some examples that may help you understand how confidence in cyber security is gained in your organisation, and there are some specific technical NCSC guides:

NCSC Penetration Testing Guidance

This guidance will help you understand the proper use and commissioning of penetration tests to gain assurance in the security of an IT system.

NCSC Cloud Security Collection: Having confidence in cyber security

Our Cloud Security Collection provides guidance on managing the risks involved with using cloud services, and some of the principles and guidance are more broadly applicable. The cloud guidance for having confidence in cyber security provides principles that are useful for assuring cyber security effectiveness of essential services. The collection will be of particular interest if your organisation hosts any part of your essential service infrastructure on a cloud service.

Physical Risks (Advice supplied by DCMS)

Your organisation should have adequate policies and measures in place to identify and address risks to the physical infrastructure that supports your network and information systems. This can be achieved through measures such as identifying single points of failure, assessing the impact of physical failures on your ability to provide your essential service, and maintaining a list of risks and assets.

Physical risks include, but are not limited to, hardware failure, power failure, environmental hazards such as fire and flood, and other physical damage.
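As an added illustration of the three measures above (identify single points of failure, assess the impact of physical failures, keep a list of risks and assets), the following script models the assets behind an essential service as a dependency tree with "all of" and "any of" relationships, finds every asset whose failure alone takes the service down, and turns that into a prioritised risk list. This is example code, not NCSC or DCMS material; the service model, asset names, hazards and impact labels are all constructed for the example.

```python
"""Single-point-of-failure analysis over a constructed service dependency model.

Added example for the physical-risk guidance; not NCSC or DCMS code. The
model, hazards and impact labels below are constructed assumptions.
"""

# Constructed model of the assets behind an essential service.
# "all_of": every listed component must be available.
# "any_of": at least one listed component must be available (redundancy).
MODEL = {
    "essential_service": {"all_of": ["control_system", "operator_hmi"]},
    "control_system": {"all_of": ["scada_server"],
                       "any_of": ["plc_network_a", "plc_network_b"]},
    "operator_hmi": {"all_of": ["scada_server"]},
    "scada_server": {"all_of": ["server_room_power", "server_room_cooling"]},
    "server_room_power": {"any_of": ["mains_feed", "ups_generator"]},
    # Cooling is fed from the mains only: the UPS does not cover it.
    "server_room_cooling": {"all_of": ["mains_feed"]},
    "plc_network_a": {"all_of": ["switch_a"]},
    "plc_network_b": {"all_of": ["switch_b"]},
    "switch_a": {}, "switch_b": {}, "mains_feed": {}, "ups_generator": {},
}

# Constructed physical hazards per asset: the kind of entry a risk list holds.
HAZARDS = {
    "mains_feed": "power failure",
    "server_room_cooling": "hardware failure of cooling plant",
    "scada_server": "hardware failure",
    "switch_a": "hardware failure",
    "switch_b": "hardware failure",
    "ups_generator": "generator fails to start",
}


def is_available(component, failed, model):
    """True if `component` can function given the set of failed components."""
    if component in failed:
        return False
    deps = model[component]
    all_ok = all(is_available(c, failed, model) for c in deps.get("all_of", []))
    any_of = deps.get("any_of", [])
    any_ok = not any_of or any(is_available(c, failed, model) for c in any_of)
    return all_ok and any_ok


def single_points_of_failure(model, root="essential_service"):
    """Components whose failure on its own makes the root service unavailable."""
    return sorted(c for c in model
                  if c != root and not is_available(root, {c}, model))


def impact_of(failed, model, root="essential_service"):
    """Assess a (possibly multi-asset) physical failure, e.g. a fire in one room."""
    if is_available(root, set(failed), model):
        return "service continues"
    return "loss of essential service"


def risk_register(model, hazards, root="essential_service"):
    """Risk list of asset, hazard, single-point-of-failure flag and impact."""
    spofs = set(single_points_of_failure(model, root))
    register = [
        {
            "asset": asset,
            "hazard": hazard,
            "single_point_of_failure": asset in spofs,
            "impact": impact_of({asset}, model, root),
        }
        for asset, hazard in hazards.items()
    ]
    # Single points of failure first, so the list reads as a priority order.
    register.sort(key=lambda r: (not r["single_point_of_failure"], r["asset"]))
    return register


if __name__ == "__main__":
    print("single points of failure:", single_points_of_failure(MODEL))
    for row in risk_register(MODEL, HAZARDS):
        print(row)
```

The point the model makes is that redundancy in one place (a UPS behind the server room power) does not remove a single point of failure elsewhere: the mains feed still takes the service down through the cooling plant, which is exactly the kind of dependency a physical risk assessment should surface before the list of risks and assets is drawn up.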


NCSC Risk Management Guidance

NCSC Assurance Blog

NCSC Penetration Testing Guidance

NCSC Cloud Security Collection: Having confidence in cyber security

Risk frameworks and methods


CCS 6.11 Risk Management and 6.12 Security Management

ENISA Technical Guidelines for Digital Service Providers: SO2




