UK develops cyber risk management tool box

01 March 2018

New cyber risk management standards are due to be published in the spring, just a few months after the UK government launched its cyber risk management tool box.

The British Standards Institution (BSI) is due to launch the final version of BS 31111 in March 2018. The standard, aimed at senior executives and risk managers, was published in draft form in 2017 and has since been consulted upon and reviewed.

BS 31111 aims to support good decision making by top management rather than concentrating on technical details. It also aims to support existing standards and good practice guides by providing a simple overarching framework.

The draft BS 31111 standard encourages board members and senior management to assess cyber risk and address the most common failings driving cyber incidents. More specifically, it will encourage leadership to evidence their planning across six key themes:

  • Cyber governance policies
  • Security and risk management frameworks
  • Clear risk reporting
  • Flexible response capability
  • Embedding of cyber risk and resilience
  • Threat intelligence capabilities and information sharing. 


The standard is intended to complement guidance on cyber risk management recently published by the UK’s National Cyber Security Centre (NCSC). In December, it issued cyber risk management guidance as part of its ongoing ‘Risk Management Collection’ work on cyber risk management.

The NCSC guidance is intended to be accessible to a wide audience, including decision makers and senior management, risk and IT professionals alike. The main purpose of the guidance is to give organisations a range of risk management techniques that will help improve cyber security decision making.

The cyber security agency warns that cyber risk management solely for “compliance” purposes can lead to risk being managed in a “tick-box” fashion, with unintended negative consequences. “Tick-box risk management can be worse than no risk management at all,” it says.

The NCSC added that its guidance is not intended as a ‘blueprint’ but rather as a toolbox of cyber risk management techniques. It includes an introduction to cyber risk, as well as discussions on cyber risk governance and risk management frameworks.

The NCSC also calls on organisations not to adopt a single, standardised approach for every kind of cyber risk assessment. As such, the guidance published in December examines two risk management techniques; component-driven and system-driven risk management. Guidance on further risk management techniques will be forthcoming, the NCSC said.

Both the standards and the guidance were welcomed by UK risk management association Airmic, which plans to review the emerging body of cyber risk management guidance and standards being made available to companies, risk managers and business leaders.

Last year, the Federation of Risk Management Associations and the European Confederation of Institutes of Internal Auditing published joint cyber risk management and governance guidance. The guidance calls for organisations to establish a cyber risk governance framework to identify and quantify the potential impact of cyber risk on an organisation, before prioritising investment in mitigation and risk transfer.

Download Cyber Newsletter

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on