
NCSC Board Toolkit Executive Summary

The NCSC's Board Toolkit provides guidance for boards to integrate cyber resilience and risk management into their organizations. It emphasizes the importance of a positive cyber security culture, understanding critical assets and threats, and implementing effective measures to manage risks. The toolkit aims to empower boards to make informed decisions that enhance their organization's cyber security posture.

Board Toolkit: Executive summary

The NCSC’s Board Toolkit helps boards to ensure that cyber resilience and risk management are embedded throughout an organisation, including its people, systems, processes and technologies.

This document summarises the contents of each section of the Board Toolkit.

Introduction to cyber security for board members

An introduction to cyber security, explaining the fundamental concepts that boards should be aware of, and why cyber security is a board-level issue.

Part 1: Create the right environment

Embedding cyber security into your organisation

Cyber security is not just ‘good IT’. It should be integrated into organisational risk management and decision making, and all the business units in your organisation should be clear about their cyber security obligations and responsibilities. Done well, cyber security will enable your organisation’s digital activity to flourish, adding value to your business. It’s also a team sport, and as a Board Member, it’s vital that you empower everyone.

Developing a positive cyber security culture

Security culture refers to the values that determine how people are expected to think about and approach security in an organisation. A positive cyber security culture is essential because it’s people that make an organisation secure, not just technology and processes. If this is in place, people view security as a collective and collaborative endeavour that supports and is supported by their everyday work.

Growing cyber security expertise

As the demand for cyber security professionals grows, senior leaders should ensure that recruitment and training meet their cyber security needs. This will include a combination of investing in your people, bringing in external expertise, and developing a pipeline of talent. The assessment of cyber skills might be an activity within the people planning part of the business, and the board should have sight of this.

@NCSC @cyberhq ncsc.gov.uk National Cyber Security Centre


Part 2: Get the right information to support decision making

Identifying the critical assets in your organisation

Understanding how technical assets are critical to your organisation’s objectives is key to effective risk management. This means having a good understanding of your technical estate, and being able to identify which are the critical assets upon which your key business objectives depend. The board will therefore need to communicate key objectives so technical experts can focus on protecting the things that ensure these objectives are fulfilled.

Understanding the cyber security threat

Understanding the threats faced by your organisation will enable you to tailor your organisation’s approach to cyber security investment accordingly. You need to prioritise what threats you are trying to defend against, otherwise you risk trying to defend against everything (and doing so ineffectively). Threats will evolve over time, so it’s important to stay up-to-date and regularly perform threat assessments.

Risk management for cyber security

Every organisation has to make difficult decisions around how much time and money to spend protecting their technology and services; cyber risk management should inform and improve these decisions. Many of your operational and organisational risks will have a cyber component to them. Cyber security risk should therefore be integrated within your overall approach to risk management, and not be dealt with as a standalone topic (or considered simply in terms of ‘IT risk’).

Part 3: Take steps to manage those risks

Implementing effective cyber security measures

Implementing effective cyber security measures will help reduce the likelihood of a significant incident. Even basic cyber security measures can reduce your exposure to cyber attacks, and lessen the associated reputational, financial and legal impacts. With a baseline of controls in place to mitigate against the most common cyber attacks, you should then tailor your defences to mitigate your organisation’s highest priority risks.

Collaborating with your supply chain and partners

Many organisations rely upon suppliers to deliver products, systems, and services. Supply chains are often large and complex, and effectively securing the supply chain can be hard because vulnerabilities can be inherent, introduced or exploited at any point within it. Building a clear picture of your suppliers (and working with them to establish their sub-contractors) is essential if you are to gain assurance that threats from the supply chain are understood, and risks mitigated.

Planning your response to cyber incidents

Cyber security incidents can have a huge impact on an organisation in terms of cost, productivity, reputation and loss of customers. Being prepared to detect and quickly respond to incidents will prevent the attacker from inflicting further damage, and can reduce the financial and operational impact. Having a well-prepared cyber incident response approach is essential for cyber resilience.


© Crown copyright 2023. Photographs and infographics may include material under licence from third parties
and are not available for re-use. Text content is licenced for re-use under the Open Government Licence v3.0.
