This guidance is intended to be used by businesses as a suggested activity plan. Each of the areas may then be revisited in subsequent year’s cycle to continuously improve the area in order to keep pace with external developments and standard practice in protecting the business from cyber threats.
1. Establish governance and organisation.
2. Identify what matters most.
3. Understand the threats.
4. Define your risk appetite.
5. Focus on education and awareness.
6. Implement basic protections.
7. Be able to detect an attack.
8. Be prepared to react.
9. Adopt a risk-based approach to resilience.
10. Implement additional automated protections.
11. Challenge and test regularly.
12. Create a cyber risk management lifecycle.
Have a cyber risk management plan, consider a cyber responce plan. Organisations should take steps to ensure they apply appropriate cyber security controls.