Initial cyber risk assessment
Capabilities should produce an initial cyber security risk assessment to guide and prioritise security activities and requirements.
This risk assessment should be reviewed against the capability’s risk appetite to make sure risks remain within the stated appetite.
You should take action where risks fall outside the stated risk appetite.
Risks should also be escalated within the agreed governance framework.
Capabilities should follow JSP 892: Risk Management, which sets out the MOD’s approach to risk assessment and risk management. You can use other frameworks, such as NIST SP 800-30 and ISO 27005, to comply with this. The NCSC provides fundamental guidance on a simple risk management framework.
The unacceptable losses defined within the risk appetite should help focus the risk assessment.
It is important to involve as many stakeholders as possible when conducting a risk assessment to capture the full breadth of risks to a capability.
Where necessary, identified risks should be shared with stakeholders, for example, Senior Responsible Owners (SROs), or suitable equivalent.
Benefits
Your assessment will help initial security activities by providing an understanding of high-level risks to the capability.
Outcomes
An initial cyber risk assessment.
Responsibility
Who is responsible for an initial risk assessment:
- delivery team lead
- project management office (PMO)
When to complete an initial cyber risk assessment
You should carry out an initial cyber risk assessment at the pre-concept or concept stage.