B1 Service Protection Policies and Processes

Proportionate security measures in place to protect essential services and systems from cyber attack. 

Principle

The organisation defines, implements, communicates and enforces appropriate policies and processes that direct its overall approach to securing systems and data that support delivery of essential services.

B1.a Policy and process development

You have developed and continue to improve a set of service protection policies and processes that manage and mitigate the risk of cyber security-related disruption to the essential service.

Not Achieved (at least one of the following statements is true):

Your service protection policies and processes are absent or incomplete.

Service protection policies and processes are not applied universally or consistently.

People often or routinely circumvent service protection policies and processes to achieve business objectives.

Your organisation’s security governance and risk management approach has no bearing on your service protection policies and processes.

System security depends upon users’ careful and consistent application of manual security processes.

Service protection policies and processes have not been reviewed in response to major changes (e.g. technology or regulatory framework), or within a suitable period.

Service protection policies and processes are not readily available to staff, too detailed to remember, or too hard to understand.

Partially Achieved (all of the following statements are true):

Your service protection policies and processes document your overarching security governance and risk management approach, technical security practice and specific regulatory compliance. Cyber security is often treated as a separate issue.

You review and update service protection policies and processes in response to major cyber security incidents.

Achieved (all of the following statements are true):

You document your overarching security governance and risk management approach, technical security practice and specific regulatory compliance. Cyber security is embedded throughout these policies and processes and key performance indicators are reported to your executive management.

Your organisation’s service protection policies and processes are developed to be practical, usable and appropriate for your essential service and your technologies.

Where your service protection policies and processes place requirements on people, e.g. changes in behaviour or activity, this is practical and they can do what is expected.

You review and improve policies and processes at suitably regular intervals to ensure they remain relevant to threats, the way people and systems work, adapt to lessons learned and remain appropriate and effective. This is in addition to reviews following a major cyber security incident.

Your systems are designed with ‘guard rails’, so that they remain secure even when user security policies and processes are not always followed.

B1.b Policy and process implementation 

You have successfully implemented your security policies and processes and can demonstrate the security benefits achieved.

Not Achieved (at least one of the following statements is true):

None or only part of your service protection policies and processes are enacted.

You do not have an understanding of the impact of your service protection policies and processes on your security.

Some or all staff are unaware of their responsibilities under your service protection policies and processes.

You do not detect breaches of service protection policies and processes.

Partially Achieved (all of the following statements are true):

All your service protection policies and processes are enacted and you assess their correct application.

Your service protection policies and processes are integrated with other organisational policies and processes, including HR assessments of individuals’ trustworthiness.

All staff are aware of their responsibilities under your service protection policies and processes.

All significant breaches of service protection policies and processes are investigated; less significant breaches are tracked and assessed for trends or aggregation as a larger breach.

Achieved (all of the following statements are true):

All your service protection policies and processes are enacted. You regularly evaluate the correct application and security effectiveness of your service protection policies.

Your service protection policies and processes are integrated with other organisational policies and processes, including HR assessments of individuals’ trustworthiness.

Your service protection policies and processes are effectively and appropriately communicated across all levels of the organisation. All staff are aware of their responsibilities under your service protection policies and processes.

Suitable action is taken to correct significant single or aggregated breaches of service protection policies and processes.

B2 Identity and Access Control

Principle

The organisation understands, documents and manages access to systems and functions supporting the delivery of essential services. Users (or automated functions) that can access data or services are appropriately verified, authenticated and authorised.

B2.a Identity verification, authentication and authorisation

You robustly verify, authenticate and authorise access to the networks and information systems supporting your essential service.

Not Achieved (at least one of the following statements is true):

You cannot individually identify all users (whether by user identifier or secondary means) with access to networks or information systems on which your essential service depends.

Unknown or unauthorised users or devices can connect to your networks or information systems.

User access is not limited to the minimum necessary.

Partially Achieved (all of the following statements are true):

You individually identify all the users that are granted access to your networks or information systems (both logically and physically), whether by user identifier or alternative / secondary means.

User access to essential service networks and information systems is limited to the minimum necessary.

You use additional authentication mechanisms, such as two-factor or hardware-backed certificates, for access to sensitive systems such as operational technology.

You individually authenticate and authorise all remote access to all your networks and information systems that support your essential service.

The list of users with access to essential service networks and systems is reviewed on a regular basis, e.g. annually.

Achieved (all of the following statements are true):

Only individually authenticated and authorised users can connect to or access your networks or information systems. Both logical and physical access require this individual authentication and authorisation.

User access to all your networks and information systems supporting the essential service is limited to the minimum necessary.

You use additional authentication mechanisms, such as two-factor or hardware-backed certificates, for all systems that operate or support your essential service.

You use additional authentication mechanisms, such as two-factor or hardware-backed certificates, when you individually authenticate and authorise all remote access to all your networks and information systems that support your essential service.

The list of individuals with access to all your networks and systems supporting the essential service is reviewed on a regular basis, e.g. annually.

The list of users with access to essential service networks and systems is reviewed on a regular basis, e.g. every 6 months.

B2.b Device management

You fully know and have trust in the devices that are used to access your networks, information systems and data that support your essential service.

Not Achieved (at least one of the following statements is true):

Users are allowed to connect to your essential service’s networks using personal devices.

Administrators are able to perform administrative functions from non-corporately managed devices (such as remote access from personal devices).

You have not gained assurance in the security of any third-party devices or networks connected to your systems.

Physically connecting to your network gives a device access to systems without further authentication.

Partially Achieved (all of the following statements are true):

Only enterprise-owned and managed devices are allowed to access your essential service’s networks and information systems.

All administrative access occurs from dedicated management devices.

You have sought to understand the security properties of third-party devices and networks before they are allowed to be connected to your systems. You have taken appropriate steps to mitigate any risks identified.

The act of connecting to a network port or cable does not grant access to any systems.

You are able to detect unknown devices being connected to your network, and investigate such incidents.

Achieved (all of the following statements are true):

Dedicated devices are used for privileged actions (such as administration or accessing the essential service’s network and information systems). These devices are not used for directly browsing the web or accessing email.

You have obtained independent or professional assurance of the security of third-party networks, or you only allow third-party devices / networks dedicated to supporting your systems to connect.

You perform device identity management which is cryptographically backed, and only allow known devices to access systems.

You perform regular scans to detect unknown devices and investigate any findings.

B2.c Privileged user management

You closely manage privileged user access to networks and information systems supporting the essential service.

Not Achieved (at least one of the following statements is true):

You do not know the names of all individuals with privileged access to administer your system (infrastructure, platforms, software, configuration, etc.).

It is not known whether all privileged users are strongly authenticated when accessing the system.

Privileged access is granted from remote sessions without additional validation.

The list of system administrators has not been reviewed recently, e.g. within the last 12 months.

Privileged user access is granted on a system-wide basis (as opposed to by specific roles).

System administrators use generic (shared or default name) accounts to administer servers and devices.

Where there are “always on” terminals which can perform privileged actions (such as in a control room), there are no additional controls (e.g. physical controls) to ensure access is appropriately restricted.

User roles are not suitably logically segregated, e.g. users have a single user identifier for routine business activities and privileged or segregated roles.

Privileged access requires additional validation, but this does not use a strong form of authentication (e.g. two-factor/hardware authentication or active monitoring).

Partially Achieved (all of the following statements are true):

You know the names of all individuals in your organisation and your supply chain with privileged access to your networks and information systems (infrastructure, platforms, software, configuration, etc.).

Activity by privileged users is periodically validated, e.g. annually.

Privileged users are only granted specific privileged permissions and roles which are essential to their business function.

Privileged access (e.g. to systems controlling the essential service or system administration) is carried out with separate accounts that are closely managed.

Where you don’t already issue temporary, time-bound rights for privileged access and external third-party support access, you are migrating to access control that supports this functionality.

You regularly review privileged access rights and always update privileges as part of your joiners, movers and leavers process.

Achieved (all of the following statements are true):

All privileged access to your networks and information systems requires strong authentication, such as two-factor/hardware authentication, or additional real-time security monitoring.

Privileged access is only granted on devices owned and managed by your organisation.

Activity by privileged users is routinely validated.

The list of system administrators is regularly reviewed, e.g. every 6 months.

You record and store all privileged user sessions for offline analysis and investigation.

B2.d IDAC management and maintenance

You assure good management and maintenance of identity and access control for your networks and information systems supporting the essential service.

Not Achieved (at least one of the following statements is true):

Greater rights are granted to users than necessary.

User rights are granted without validation of their identity and requirement for access.

User rights are not reviewed when they move jobs.

User rights remain active when people leave your organisation.

Partially Achieved (all of the following statements are true):

You have a robust procedure to verify each user and issue minimum required access rights.

You regularly review access rights and those no longer needed are revoked.

Your joiners, leavers and movers process ensures that user permissions are reviewed both when people change roles and at regular intervals.

All access is logged and monitored.

Achieved (all of the following statements are true):

You have an auditable, robust procedure to verify each user and issue minimum required access rights.

Your joiners, leavers and movers process ensures that, in addition to when people change roles, user permissions are reviewed regularly.

All access is logged and monitored.

You regularly review access logs and correlate this data with other access records and expected activity.

Attempts by unauthorised users to connect to your systems are alerted, promptly assessed and investigated where relevant.
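One way to operationalise the review, logging and alerting indicators above (and the joiners, movers and leavers review in B2.c), as an added Python example that is not part of the CAF text: it reconciles a constructed HR roster against a constructed account export to find leavers still active, movers holding rights beyond their role, accounts with no owner and dormant accounts, then counts connection attempts by identities the account list does not know. The role-to-rights baseline, the data layout and the log line format are assumptions made for the example.

```python
"""Added example, not part of the CAF text: a joiners/movers/leavers access
review and an unauthorised-connection check over sample log lines.
Every roster, account list and log line here is constructed sample data;
the role-to-rights baseline is an assumption for the example."""
from datetime import date

# Constructed HR roster: current role and employment status per person.
HR_ROSTER = {
    "alice": {"role": "plant-operator", "status": "active"},
    "bob":   {"role": "finance",        "status": "active"},  # mover: was an operator
    "carol": {"role": "plant-operator", "status": "left"},    # leaver
}

# Constructed account export from a control-system domain: rights each
# account holds and the date it last authenticated.
ACCOUNTS = {
    "alice":    {"rights": {"scada-view", "scada-control"}, "last_login": date(2024, 5, 1)},
    "bob":      {"rights": {"scada-view", "scada-control"}, "last_login": date(2024, 4, 20)},
    "carol":    {"rights": {"scada-view"},                  "last_login": date(2024, 1, 3)},
    "svc-hist": {"rights": {"scada-view"},                  "last_login": date(2023, 6, 1)},
}

# Assumed minimum rights per role: the least-privilege baseline the
# review compares against.
ROLE_RIGHTS = {
    "plant-operator": {"scada-view", "scada-control"},
    "finance": set(),
}

def review_access(roster, accounts, today, dormant_days=90):
    """Return the findings a joiners/movers/leavers review should raise:
    accounts with no HR owner, leavers still active, movers holding rights
    beyond their current role, and accounts dormant for longer than
    dormant_days. Each finding is (kind, account, detail)."""
    findings = []
    for user, acct in sorted(accounts.items()):
        person = roster.get(user)
        if person is None:
            findings.append(("no-owner", user, sorted(acct["rights"])))
        elif person["status"] == "left":
            findings.append(("leaver-still-active", user, sorted(acct["rights"])))
        else:
            excess = acct["rights"] - ROLE_RIGHTS.get(person["role"], set())
            if excess:
                findings.append(("excess-rights", user, sorted(excess)))
        if (today - acct["last_login"]).days > dormant_days:
            findings.append(("dormant", user, acct["last_login"].isoformat()))
    return findings

def run_review():
    """Run the review against the constructed data as of a fixed date."""
    return review_access(HR_ROSTER, ACCOUNTS, date(2024, 5, 15))

# Constructed authentication log lines in a simple key=value format.
LOG_LINES = [
    "2024-05-15T08:01:12Z auth: user=alice result=success src=10.0.5.21",
    "2024-05-15T08:03:40Z auth: user=mallory result=failure src=10.0.9.77",
    "2024-05-15T08:03:41Z auth: user=mallory result=failure src=10.0.9.77",
    "2024-05-15T08:10:05Z auth: user=bob result=success src=10.0.5.30",
]

def unauthorised_attempts(log_lines, known_users):
    """Count authentication attempts by identities absent from the account
    list, keyed by (user, source) so repeated attempts aggregate into one
    alert rather than one per line."""
    alerts = {}
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[2:])
        if fields["user"] not in known_users:
            key = (fields["user"], fields["src"])
            alerts[key] = alerts.get(key, 0) + 1
    return alerts

if __name__ == "__main__":
    for finding in run_review():
        print("review:", *finding)
    for (user, src), n in unauthorised_attempts(LOG_LINES, set(ACCOUNTS)).items():
        print(f"alert: {n} attempt(s) by unknown user {user!r} from {src}")
```

The review deliberately reports a leaver's account and a dormant account as separate findings even when they concern the same identity, so that each is tracked to closure on its own; the alert function keys on (user, source) so that a burst of attempts from one place surfaces as a single, countable event.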

B3 Data Security

Principle

Data stored or transmitted electronically is protected from actions such as unauthorised access, modification, or deletion that may cause disruption to essential services. Such protection extends to the means by which authorised users, devices and systems access critical data necessary for the delivery of essential services. It also covers information that would assist an attacker, such as design details of networks and information systems.

B3.a Understanding data

You have a good understanding of data important to the delivery of the essential service, where it is stored, where it travels and how unavailability or unauthorised access, modification or deletion would impact the service. This also applies to third parties storing, or accessing data important to the delivery of essential services. 

Not Achieved (at least one of the following statements is true):

You have limited or incomplete knowledge of what data is used by and produced in the delivery of the essential service. You cannot identify the important data on which your essential service relies.

You cannot identify who has access to data important to the delivery of the essential service.

You are not able to clearly articulate the impact of data compromise or inaccessibility.

Partially Achieved (all of the following statements are true):

You have identified and catalogued all the data important to the delivery of the essential service, or that would assist an attacker. You know who has access to that data.

You periodically review location, transmission, quantity and quality of data important to the delivery of the essential service.

You have identified all mobile devices and media that hold data important to the delivery of the essential service.

You understand the impact on your essential service of all relevant scenarios, including unauthorised access, modification or deletion, or when authorised users are unable to appropriately access this data.

You validate these impact statements regularly, e.g. every 12 or 24 months.

Achieved (all of the following statements are true):

You have identified and catalogued all the data important to the delivery of the essential service, or that would assist an attacker. You know who has access to this important data.

You maintain a current understanding of the location, quantity and quality of data important to the delivery of the essential service.

You take steps to remove or minimise unnecessary copies or unneeded historic data.

You have identified all mobile devices and media that may hold data important to the delivery of the essential service.

You maintain a current understanding of the data links used to transmit data that is important to your essential service.

You understand the context, limitations and dependencies of your important data.

You understand the impact on your essential service of all relevant scenarios, including unauthorised data access, modification or deletion, or when authorised users are unable to appropriately access this data.

You validate these impact statements regularly, e.g. annually.

B3.b Data in transit

You have protected the transit of data important to the delivery of the essential service. This includes the transfer of data to third parties. 

Not Achieved (at least one of the following statements is true):

You do not know what all your data links are, or which carry data important to the delivery of the essential service.

Data important to the delivery of the essential service travels without technical protection over untrusted or openly accessible carriers.

Critical data paths that could fail, be jammed, be overloaded, etc. have no alternative path.

Partially Achieved (all of the following statements are true):

You have identified and suitably protected all the data links that carry data important to the delivery of the essential service.

You apply appropriate technical means (e.g. cryptography) to protect data that travels over an untrusted carrier, but you have limited or no confidence in the robustness of the protection applied.

Achieved (all of the following statements are true):

You have identified and suitably protected all the data links that carry data important to the delivery of the essential service.

You apply appropriate physical or technical means to protect data that travels over an untrusted carrier, with justified confidence in the robustness of the protection applied.

Suitable alternative transmission paths are available where there is a risk of impact on the delivery of the essential service due to resource limitation (e.g. transmission equipment or service failure, or important data being blocked or jammed).

B3.c Stored data

You have protected stored data important to the delivery of the essential service.

Not Achieved (at least one of the following statements is true):

You have no, or limited, knowledge of where data important to the delivery of the essential service is stored.

You have not protected vulnerable stored data important to the delivery of the essential service in a suitable way.

Backups are incomplete, untested, not adequately secured or could be inaccessible in a disaster recovery or business continuity situation.

Partially Achieved (all of the following statements are true):

All copies of data important to the delivery of your essential service are necessary. Where this important data is transferred to less secure systems, the data is provided with limited detail and/or as a read-only copy.

You have applied suitable physical or technical means to protect this important stored data from unauthorised access, modification or deletion.

If cryptographic protections are used, you apply suitable technical and procedural means, but you have limited or no confidence in the robustness of the protection applied.

You have suitable, secured backups of data to allow the essential service to continue should the original data not be available. This may include off-line or segregated backups, or appropriate alternative forms such as paper copies.

Achieved (all of the following statements are true):

You have only necessary copies of this data. Where data is transferred to less secure systems, the data is provided with limited detail and/or as a read-only copy.

You have applied suitable physical or technical means to protect this important stored data from unauthorised access, modification or deletion.

If cryptographic protections are used, you apply suitable technical and procedural means, and you have justified confidence in the robustness of the protection applied.

You have suitable, secured backups of data to allow the essential service to continue should the original data not be available. This may include off-line or segregated backups, or appropriate alternative forms such as paper copies.

Necessary historic or archive data is suitably secured in storage.

B3.d Mobile data

You have protected data important to the delivery of the essential service on mobile devices.

Not Achieved (at least one of the following statements is true):

You don’t know which mobile devices may hold data important to the delivery of the essential service.

You allow data important to the delivery of the essential service to be stored on devices that are not managed by your organisation, or not managed to at least an equivalent standard.

Data on mobile devices is not technically secured, or only some is secured.

Partially Achieved (all of the following statements are true):

You know which mobile devices hold data important to the delivery of the essential service.

Data important to the delivery of the essential service is only stored on mobile devices with at least equivalent security standard to your organisation.

Data on mobile devices is technically secured.

Achieved (all of the following statements are true):

Mobile devices that hold data that is important to the delivery of the essential service are catalogued, are under your organisation’s control and configured according to best practice for the platform, with appropriate technical and procedural policies in place.

Your organisation can remotely wipe all mobile devices holding data important to the delivery of essential service.

You have minimised this data on these mobile devices. Some data may be automatically deleted off mobile devices after a certain period.

B3.e Media / equipment sanitisation

You appropriately sanitise data from the service, media or equipment.

Not Achieved (at least one of the following statements is true):

Some or all devices, equipment or removable media that hold data important to the delivery of the essential service are disposed of without sanitisation of that data.

Providers of any cloud services you use are not able to explain how storage is sanitised when it is released.

Achieved (all of the following statements are true):

You catalogue and track all devices that contain data important to the delivery of the essential service (whether a specific storage device or one with integral storage).

All data important to the delivery of the essential service is sanitised from all devices, equipment or removable media before disposal.

Your cloud service providers appropriately sanitise data storage areas before reallocating to another user.

B4 System Security

Principle

Network and information systems and technology critical for the delivery of essential services are protected from cyber attack. An organisational understanding of risk to essential services informs the use of robust and reliable protective security measures to effectively limit opportunities for attackers to compromise networks and systems.

B4.a Secure by design

You design security into the network and information systems that support the delivery of essential services. You minimise their attack surface and ensure that the delivery of the essential service should not be impacted by the exploitation of any single vulnerability.

Not Achieved (at least one of the following statements is true):

Systems essential to the operation of the essential service are not appropriately segregated from other systems.

Internet access is available from operational systems.

Data flows between the essential service’s operational systems and other systems are complex, making it hard to discriminate between legitimate and illegitimate/malicious traffic.

Remote or third party accesses circumvent some network controls to gain more direct access to operational systems of the essential service.

Partially Achieved (all of the following statements are true):

You employ appropriate expertise to design network and information systems.

You design strong boundary defences where your networks and information systems interface with other organisations or the world at large.

You design simple data flows between your networks and information systems and any external interface to enable effective monitoring.

You design to make network and information system recovery simple.

All inputs to operational systems are checked and validated at the network boundary where possible, or additional monitoring is in place for content-based attacks.

Achieved (all of the following statements are true):

You employ appropriate expertise to design network and information systems.

Your networks and information systems are segregated into appropriate security zones, e.g. operational systems for the essential service are segregated in a highly trusted, more secure zone.

The networks and information systems supporting your essential service are designed to have simple data flows between components to support effective security monitoring.

The networks and information systems supporting your essential service are designed to be easy to recover.

All inputs to operational systems are transformed and inspected at the border where possible. Where this is not currently possible, content-based attacks are mitigated by other means.

B4.b Secure configuration

You securely configure the network and information systems that support the delivery of essential services.

Not Achieved (at least one of the following statements is true):

You haven’t identified the assets that need to be carefully configured to maintain the security of the essential service.

Your network and information systems have inconsistent security in operating system builds or configurations.

Configuration details are not recorded or lack enough information to be able to rebuild the system or device.

You don’t record changes or adjustments to security configuration at security boundaries with the networks and information systems supporting your essential service.

Partially Achieved (all of the following statements are true):

You have identified and documented the assets that need to be carefully configured to maintain the security of the essential service.

Secure platform and device builds are used across the estate.

Consistent, secure and minimal system and device configurations are applied across the same types of environment.

Changes and adjustments to security configuration at security boundaries with the networks and information systems supporting your essential service are approved and documented.

You verify software before installation is permitted.

Achieved (all of the following statements are true):

You have identified, documented and actively manage the assets that need to be carefully configured to maintain the security of the essential service.

All platforms conform to your secure, consistent baseline build, or latest known good configuration version for that environment.

You closely and effectively manage changes in your environment, ensuring that network and system configurations are secure and documented.

You regularly review and validate that your network and information systems have the expected, secured settings and configuration.

Only permitted software can be installed and standard users cannot change settings that would impact security or business operation.

If automated decision-making technologies are in use, their operation is well understood and decisions can be replicated.
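An added Python example, not from the CAF text, illustrating two of the indicators above in working form: validating device configuration exports against a secure baseline (reporting every setting that drifts, including settings that are missing entirely) and permitting software installation only when its digest is on an allow-list. The baseline settings, the two device exports and the package bytes are constructed for the example.

```python
"""Added example, not part of the CAF text: validating device configurations
against a secure baseline and permitting software installation only from a
hash allow-list. The baseline, observed configurations and package bytes are
constructed; the setting names are assumptions for the example."""
import hashlib

# Constructed secure baseline for one environment type. A value is either
# the exact expected setting or a predicate the observed value must satisfy.
BASELINE = {
    "ssh.password_auth": "no",
    "telnet.enabled": "no",
    "snmp.community": lambda v: v not in ("public", "private"),  # no default strings
    "ntp.servers": "10.0.0.5,10.0.0.6",
}

# Constructed configuration exports from two devices of that type.
OBSERVED = {
    "gw-01": {"ssh.password_auth": "no", "telnet.enabled": "no",
              "snmp.community": "r7Xq2", "ntp.servers": "10.0.0.5,10.0.0.6"},
    "gw-02": {"ssh.password_auth": "yes", "telnet.enabled": "yes",
              "snmp.community": "public"},  # ntp.servers not set at all
}

def _conforms(expected, actual):
    """A missing setting never conforms; otherwise apply the rule or compare."""
    if actual is None:
        return False
    return expected(actual) if callable(expected) else expected == actual

def config_drift(baseline, observed):
    """Return {device: [(setting, expected, actual), ...]} for every setting
    that deviates from the baseline. Devices with no drift are omitted, and
    predicate rules are shown as "<rule>" in the expected column."""
    report = {}
    for device, cfg in sorted(observed.items()):
        drift = [(key, "<rule>" if callable(exp) else exp, cfg.get(key))
                 for key, exp in baseline.items() if not _conforms(exp, cfg.get(key))]
        if drift:
            report[device] = drift
    return report

def audit():
    """Check the constructed device exports against the constructed baseline."""
    return config_drift(BASELINE, OBSERVED)

# Constructed allow-list: SHA-256 digests of packages approved for the estate.
APPROVED_PKG = b"constructed bytes standing in for an approved package"
ALLOWED_HASHES = {hashlib.sha256(APPROVED_PKG).hexdigest(): "logger-agent-1.2"}

def install_permitted(package_bytes, allowed=ALLOWED_HASHES):
    """Return the approved package name when the digest is on the allow-list,
    or None so the caller refuses the installation."""
    return allowed.get(hashlib.sha256(package_bytes).hexdigest())

if __name__ == "__main__":
    for device, drift in audit().items():
        for setting, expected, actual in drift:
            print(f"{device}: {setting} expected {expected!r}, found {actual!r}")
    print("approved package:", install_permitted(APPROVED_PKG))
    print("tampered package:", install_permitted(APPROVED_PKG + b"x"))
```

Treating an absent setting as drift matters: a device that never had the NTP servers or the password-authentication flag applied is not "secure by omission", and a check that only compared keys present on both sides would miss it. The allow-list check is the simplest form of the "verify software before installation" indicator; in practice the digests would come from a signed manifest rather than a dictionary in the script.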

B4.c Secure management

You manage your organisation’s network and information systems that support the delivery of essential services to enable and maintain security.

Not Achieved (at least one of the following statements is true):

Essential service networks and systems are administered or maintained using non-dedicated devices.

You do not have good or current technical documentation of your networks and information systems.

Partially Achieved (all of the following statements are true):

Your systems and devices supporting the delivery of the essential service are only administered or maintained by authorised privileged users from dedicated devices.

Technical knowledge about networks and information systems, such as documentation and network diagrams, is regularly reviewed and updated.

You prevent, detect and remove malware or unauthorised software. You use technical, procedural and physical measures as necessary.

Achieved (all of the following statements are true):

Your systems and devices supporting the delivery of the essential service are only administered or maintained by authorised privileged users from dedicated devices that are technically segregated and secured to the same level as the networks and systems being maintained.

You regularly review and update technical knowledge about networks and information systems, such as documentation and network diagrams, and ensure they are securely stored.

You prevent, detect and remove malware or unauthorised software. You use technical, procedural and physical measures as necessary.

B4.d Vulnerability management

You manage known vulnerabilities in your network and information systems to prevent disruption of the essential service.

Not Achieved (at least one of the following statements is true):

You do not understand the exposure of your essential service to publicly-known vulnerabilities.

You do not mitigate externally-exposed vulnerabilities promptly.

There are no means to check data or software imports for malware.

You have not recently tested to verify your understanding of the vulnerabilities of the networks and information systems that support your essential service.

You have not suitably mitigated systems or software that is no longer supported. These systems may still be running, but not in operational use.

You are not pursuing replacement for unsupported systems or software.

Partially Achieved (all of the following statements are true):

You maintain a current understanding of the exposure of your essential service to publicly-known vulnerabilities.

Announced vulnerabilities for all software packages, network equipment and operating systems used to support your essential service are tracked, prioritised and externally-exposed vulnerabilities are mitigated (e.g. by patching) promptly.

Some vulnerabilities that are not externally exposed have temporary mitigations for an extended period.

You have temporary mitigations for unsupported systems and software while pursuing migration to supported technology.

You regularly test to fully understand the vulnerabilities of the networks and information systems that support your essential service.

Achieved (all of the following statements are true):

You maintain a current understanding of the exposure of your essential service to publicly-known vulnerabilities.

Announced vulnerabilities for all software packages, network equipment and operating systems used to support your essential service are tracked, prioritised and mitigated (e.g. by patching) promptly.

You regularly test to fully understand the vulnerabilities of the networks and information systems that support your essential service and verify this understanding with third-party testing.

You maximise the use of supported software, firmware and hardware in your networks and information systems supporting your essential service.

B5 Resilient Networks and Systems

Principle

The organisation builds resilience against cyber attack and system failure into the design, implementation, operation and management of systems that support the delivery of essential services.

B5.a Resilience preparation

You are prepared to restore your essential service following disruption. 

Not Achieved Partially Achieved Achieved
Any of the following statements are true  All of the following statements are true All of the following statements are true
You have limited understanding of all the elements that are required to deliver the essential service.

You have not completed business continuity and/or disaster recovery plans for your essential service’s networks, information systems and their dependencies.

You have not fully assessed the practical implementation of these plans.

You know all networks, information systems and underlying technologies that are necessary to deliver the essential service and understand their interdependencies.

You know the order in which systems need to be restored to most quickly and effectively restore the essential service.

You have business continuity and disaster recovery plans that have been tested for practicality, effectiveness and completeness. Appropriate use is made of different test methods, e.g. manual failover, table-top exercises, or red-teaming.

You use your security awareness, e.g. threat intelligence sources, to make temporary security changes in response to new threats, e.g. a widespread outbreak of very damaging malware.

B5.b Design for resilience

You design the network and information systems supporting your essential service to be resilient to cyber security incidents. Systems are appropriately segregated and resource limitations are mitigated.

Not Achieved Partially Achieved Achieved
At least one of the following statements is true  All of the following statements are true  All of the following statements are true
Operational networks and systems are not sufficiently segregated.

Internet services, such as browsing and email, are accessible from essential service operational systems.

You do not understand or lack plans to mitigate all resource limitations that could adversely affect your essential service.

Operational systems for your essential service are logically separated from your business systems, e.g. they reside on the same network as the rest of the organisation, but within a DMZ. Internet access is not available from operational systems.

Resource limitations (e.g. network bandwidth, single network paths) have been identified but not fully mitigated.

Your essential service’s operational systems are segregated from other business and external systems by appropriate technical and physical means, e.g. separate network and system infrastructure with independent user administration. Internet services are not accessible from operational systems.

You have identified and mitigated all resource limitations, e.g. bandwidth limitations.

You have identified and mitigated any geographical constraints or weaknesses. For example, systems that your essential service depends upon are duplicated to another location, important network connectivity has alternative physical paths and service providers.

You review and update dependencies, resource and geographical limitation assessments and update mitigations when required.

B5.c Backups

You hold accessible and secured current backups of data and information needed to recover.

Not Achieved Partially Achieved Achieved
At least one of the following statements is true  All of the following statements are true All of the following statements are true
Backup coverage is incomplete and would be inadequate to restore your essential service.

Backups are not frequent enough for your essential service to be restored within a suitable timeframe.

You have appropriately secured backups (including data, configuration information, software, equipment, processes and key roles or knowledge). These backups will be accessible to recover from an extreme event.

You routinely test backups to ensure that the backup process functions correctly and the backups are usable.

Your comprehensive, automatic and tested technical and procedural backups are secured at centrally accessible or secondary sites to recover from an extreme event.

Key roles are duplicated and operational delivery knowledge is shared with all individuals involved in the operations and recovery of the essential service.

Suitable backups of all important data and information needed to recover the essential service are made, tested, documented and routinely reviewed.

B6 Staff Awareness and Training

Principle

Staff have appropriate awareness, knowledge and skills to carry out their organisational roles effectively in relation to the security of network and information systems supporting the delivery of essential services.

B6.a Cyber security culture

You develop and pursue a positive cyber security culture.

Not Achieved Partially Achieved Achieved
At least one of the following statements is true  All of the following statements are true  All of the following statements are true
People in your organisation don’t understand what they contribute to the cyber security of the essential service.

People in your organisation don’t know how to raise a concern about cyber security.

People believe that reporting issues may get them into trouble.

Your organisation’s approach to cyber security doesn’t reflect the way staff work to deliver the essential service. It is perceived by staff as being incompatible with the ability of the organisation to deliver the essential service.

Your executive management understand and widely communicate the importance of a positive cyber security culture. Positive attitudes, behaviours and expectations are described for your organisation.

All people in your organisation understand the contribution they make to the essential service’s cyber security.

All individuals in your organisation know who to contact and where to access more information about cyber security. They know how to raise a cyber security issue.

Your executive management clearly and effectively communicates the organisation’s cyber security priorities and objectives to all staff. Your organisation displays positive cyber security attitudes, behaviours and expectations.

People in your organisation are positively recognised for bringing cyber security incidents and issues to light, not reprimanded or ignored.

Individuals at all levels in your organisation routinely report concerns or issues about cyber security and are recognised for their contribution to keeping the organisation secure.

Your management is seen to be committed to and actively involved in cyber security.

Your organisation communicates openly about cyber security, with any concern being taken seriously.

People across your organisation participate in cyber security activities and improvements, building joint ownership and bringing knowledge of their area of expertise.

B6.b Cyber security training

The people who operate and support your essential service are appropriately trained in cyber security. A range of approaches to cyber security training, awareness and communications are employed.

Not Achieved Partially Achieved Achieved
At least one of the following statements is true  All of the following statements are true  All of the following statements are true
There are teams in your organisation that do not have at least one individual with full cyber security training in that role.

Cyber security training is only offered to specific roles in your organisation.

Records of role-specific cyber security training do not exist, or are incomplete.

There are incomplete or no records of cyber security training for your organisation.

You have defined appropriate cyber security training and awareness activities for all roles in your organisation, from executives to the most junior roles.

You use a range of teaching and communication techniques for cyber security training and awareness to reach the widest audience effectively.

Cyber security information is easily available.

All people in your organisation, from executives to the most junior roles, follow appropriate cyber security training paths.

You track individuals’ cyber security training and ensure that refresher training is completed at suitable intervals.

You routinely engage all people across your organisation on cyber security and evaluate that your cyber security training and awareness activities reach the widest audience effectively.

Cyber security information and good practice guidance is easily and widely available. You know this is referenced and employed by people in your organisation.

Source: NCSC