“You have effective organisational security management led at board level and articulated clearly in corresponding policies.”

Cyber resilience starts at the top. Organisations must ensure that their board or executive leadership actively directs and oversees cyber security strategy. This includes setting priorities, allocating resources, and embedding cyber risk into decision-making. Strong board direction is essential to building a culture of accountability and ensuring that cyber security supports the organisation’s mission.

The board should:

• set clear expectations for cyber security outcomes
• ensure cyber risks are considered in strategic planning and decision-making
• allocate appropriate resources to manage cyber risks
• receive regular updates on cyber posture and incidents
• champion a culture of cyber awareness and accountability

Board-level engagement is critical to embedding cyber resilience into the organisation’s core operations.

What reviewers are looking for

Where possible, your contributing outcome summary should demonstrate that:

• the board has formally endorsed cyber security objectives and priorities
• cyber risk is integrated into strategic planning and governance
• the board receives regular, structured reporting on cyber posture and incidents
• there is a clear link between board decisions and cyber security resource allocation
• board members are informed and engaged in cyber risk discussions
• cyber security responsibilities are clearly defined at the leadership level
• board members have access to cyber expertise or training

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• explain how the board sets and reviews cyber security objectives
• reference evidence of cyber security being discussed at board level (e.g. meeting minutes, agenda items)
• describe how cyber risk is integrated into strategic decision-making
• describe the frequency and format of cyber reporting to the board
• explain how board decisions influence cyber security investment and priorities
• describe any training or awareness provided to board members on cyber issues
• outline relevant governance structures that support board oversight of cyber risk

“Your organisation has established roles and responsibilities for the security of network and information systems at all levels, with clear and well-understood channels for communicating and escalating risks.”

Clear roles and responsibilities are essential for strong governance and resilience. Organisations should define and document security roles, and communicate them clearly and regularly. They should ensure everyone understands responsibilities and risk escalation paths, and review and update roles periodically to maintain clarity and accountability. Processes should be aligned with external partners and suppliers. 

Organisations should:

• define roles for senior leadership, operational teams, and third parties
• document responsibilities for security tasks such as risk management, incident response, and compliance
• communicate effectively through policies, training, and organisational charts
• establish escalation routes for reporting security concerns
• integrate suppliers by embedding responsibilities in contracts and service agreements

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• you have a clear role matrix mapping responsibilities across the organisation
• you document responsibilities in policies, job descriptions, and SLAs
• there are well-defined and understood escalation channels that are operational
• you communicate roles and responsibilities across the organisation and have appropriate training in place
• suppliers are aligned with contractual obligations and you monitor this

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• describe how roles are assigned, communicated, and reviewed
• describe the frequency and process for reviewing and updating roles and responsibilities
• reference evidence in the form of a summary table showing roles, responsibilities, and escalation paths
• describe relevant training and awareness activities
• include details of supplier integration and contractual responsibilities

“You have senior-level accountability for the security of network and information systems, and delegate decision-making authority appropriately and effectively. Risks to network and information systems related to the operation of the essential function(s) are considered in the context of other organisational risks.”

Cyber decisions must be informed, accountable, and aligned with organisational priorities, particularly where they affect essential functions. Organisations should ensure that decision-making processes are clear, supported by accurate information, and involve the right people. Strong governance around cyber decisions enhances resilience, reduces risk, and supports strategic outcomes.

Effective cyber decision-making requires:

• clear governance structures that support informed and timely decisions
• defined processes for escalating and approving cyber-related decisionsd
• Access to accurate and timely risk, threat, and operational information.
• Involvement of appropriate stakeholders, including technical experts and business leaders.
• Documentation of decisions and rationale to support accountability and learning.
• Integration of cyber decision-making into broader organisational risk and strategic planning.

Decisions should be made in a way that balances security, operational needs, and business risk appetite.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• your organisation establishes governance frameworks that define how cyber decisions are made and by whom
• you ensure that decision-makers have access to relevant risk, threat, and performance data
• risk and threat information is used to inform decisions
• decisions affecting essential functions are escalated and reviewed appropriately
• you involve cross-functional stakeholders in cyber decision-making processes
• you document decisions thoroughly, including rationale, risks considered, and expected outcomes
• cyber decisions are integrated into wider organisational governance and planning
• you review decision-making processes regularly to ensure they remain effective and responsive
• you ensure cyber decisions are aligned with organisational strategy and risk appetite

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable:

• describe how cyber decisions are made, escalated, and approved
• explain who is involved in decision-making and the governance structures that support this
• describe the information used to inform decisions (e.g. risk assessments, threat intelligence)
• explain how decisions are documented and reviewed.
• describe how cyber decision-making aligns with organisational strategy and risk management
• share any recent examples of decisions affecting essential functions and how they were handled
• explain how decision-making processes are evaluated and improved

“Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential function(s) and communicating associated activities.”

What reviewers are looking for

Where possible, your contributing outcome summary should demonstrate that:

• risk assessments are informed by an understanding of the vulnerabilities to the essential function
• the output from the security risk management (SRM) process is a clear set of security requirements that will address the identified risks
• key security decision-makers and accountable individuals are informed of significant conclusions drawn from the output of risk assessment activity
• there is a clear shared understanding of what triggers initiation of a risk assessment
• appropriate threat analysis activity is conducted

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable.

1. Policy, standards and processes:

• outline your risk management policy, standards and processes
• explain how these are communicated to the organisation
• describe any reviews undertaken and their frequency

2. Governance

• outline how security risk is communicated to stakeholders at board level
• demonstrate that risk owners are identified and are accountable for ownership of security risks within their area of responsibility
• outline the criteria for escalation of risk reporting and the relevant processes
• explain how staff are made aware of their responsibilities around security risk and outline any training provided

3. Risk assessment

• describe what triggers a risk assessment to be conducted by the organisation
• explain how security risk subject matter experts (SMEs) are involved in risk assessment activity
• outline the risk management documentation for the essential function
• explain how third-party suppliers are captured in the security risk management process

4. Vulnerabilities

• explain how vulnerabilities affecting the essential function are identified and used in the risk assessment process.
• describe how security SMEs are engaged to identify these vulnerabilities

5. Threat analysis

• describe how the organisation uses threat intelligence to inform risk assessments
• outline the sources used to identify threats to the essential function

6. Mitigation

• describe how mitigation plans are agreed and prioritised with input from security subject matter experts
• describe how mitigating controls are tested for effectiveness and re-assessed should they be considered ineffective

“You have gained confidence in the effectiveness of the security of your technology, people, and processes relevant to your essential function(s).”

Organisations must have appropriate mechanisms in place to confirm that cyber security controls are effective and operating as intended. This includes internal and external assurance activities that provide confidence to leadership, stakeholders, and regulators that risks to essential functions are being managed appropriately.

Effective assurance practices include:

• regular testing and validation of cyber security controls
• independent reviews or audits of cyber processes and systems
• use of metrics and reporting to track performance and compliance
• engagement with third-party assurance providers where appropriate
• integration of assurance findings into risk management and decision-making
• continuous improvement based on assurance outcomes

Assurance should be proportionate to the organisation’s risk profile and support informed governance.

Structured assurance processes validate control effectiveness, inform decision-making, and drive continuous improvement. Strong assurance practices underpin trust, accountability, and resilience.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• assurance activities are planned, conducted regularly, and documented
• assurance activities encompass security risk management, secure development lifecycle and organisational change process activities, enabling real time assurance at any point of a build, project or change
• you test cyber controls for effectiveness and coverage
• you conduct reviews, audits, and control testing at regular internals
• you use internal assurance to validate controls
• you use external assurance (e.g. penetration testing, certifications) where appropriate
• assurance findings are reported to decision-makers and acted upon
• you track remediation actions and ensure they are followed up appropriately
• you use metrics and KPIs to measure cyber performance
• assurance is integrated with risk management and governance processes.
• you have a cycle of continuous improvement based on assurance outcomes

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• describe your cyber assurance programme and its scope
• outline the types of assurance activities conducted (e.g. audits, testing, reviews)
• explain how assurance findings are reported and used
• outline the use of external assurance providers or certifications
• explain how assurance supports governance and risk management
• share examples of improvements made based on assurance outcomes
• share any metrics or indicators used to track assurance performance

“Everything required to deliver, maintain or support networks and information systems necessary for the operation of essential functions is determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such as power or cooling).”

Asset categories include:

• data (information assets)
• people (roles, responsibilities, skills)
• systems (hardware, software, cloud services)
• supporting infrastructure (e.g., power supply, cooling systems, environmental controls)

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• your organisation identifies, tracks, and manages all relevant assets from acquisition/commissioning through to decommissioning
• you have documented policies and procedures in place to govern asset management are in place
• you assign responsibilities to suitably qualified and experienced personnel (SQEP) with appropriate training
• you have clear accountability structures in place for managing assets throughout their lifecycle

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

1. Definition of an asset

• outline how your organisation defines “assets” (e.g., hardware, software, data, people, supporting infrastructure)
• explain how you communicate this definition internally

2. Asset register

• confirm that an asset register exists
• explain how you actively maintain it and and keep it up-to-date 
• describe the frequency of reviews and updates

3. Roles and responsibilities

• describe your organisation’s process for formally assigning asset managers 
• explain how you identify asset owners for each asset

4. Dependencies and criticality

• describe how you record dependencies (e.g., power, cooling, business continuity measures) in the asset register.
• explain how you assess and record each asset’s criticality to operations or legal obligations (e.g., personal data handling, critical infrastructure).

5. Change and decommissioning

• describe how you involve of cyber security subject matter experts when new assets are created, changed, or retired
• describe how you record decommissioning activities in the asset register

“The organisation understands and manages security risks to network and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third-party services are used.”

The supply chain is part of the attack surface. Organisations must actively manage cyber risks associated with third-party providers by embedding security into procurement, contracts, and ongoing oversight. This includes third-party providers, contractors, and service partners who support or have access to systems underpinning essential functions. 

Supply chain risk management is essential because third parties can be a source of vulnerabilities. Effective practices include:

• identifying suppliers and service providers that support essential functions
• assessing the cyber risks associated with each supplier
• embedding cyber security requirements into contracts and procurement processes
• monitoring supplier compliance with security expectations.
• ensuring suppliers have appropriate incident response and resilience capabilities
• reviewing supply chain risks regularly and updating controls as needed

Cyber security must be considered throughout the lifecycle of supplier relationships from onboarding to offboarding. Strong supply chain governance helps protect essential functions and ensures resilience against external threats.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• you have well-established supplier management processes and policies
• you have identified suppliers supporting essential functions
• you conduct cyber risk assessments for suppliers
• contracts include cyber security clauses and service level agreements (SLAs)
• you require suppliers to meet minimum security standards (e.g. certifications, policies, internal and external security testing)
• you monitor supplier performance and compliance for security requirements
• you have established processes for managing and responding to supplier-related incidents
• you have contractual timeframes for suppliers to report security incidents to the organisation prior to the ICO 72 hours
• supply chain risks are reviewed regularly
• the organisation understands the impact of supplier failure or compromise on essential functions
• you review supply chain risks periodically and adjust controls accordingly
• the right to audit of the subcontractors is contractual

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• describe how you identify and manage suppliers supporting essential functions
• explain how you assess and mitigate cyber risks for key suppliers
• describe the security requirements that are included in contracts and SLAs
• explain how supplier compliance is monitored and reviewed
• describe how supply chain risks are integrated into broader risk management
• outline processes for responding to supplier-related incidents
• share examples of improvements made based on supply chain reviews or incidents

“You have developed and continue to improve a set of cyber security and resilience policies, processes and procedures that manage and mitigate the risk of adverse impact on your essential function(s).”

Policies, processes, and procedures form the foundation of a strong cyber security posture. Effective documentation supports consistency, accountability, and continuous improvement. Policies, processes, and procedures should:

• be aligned with organisational objectives and legal/regulatory requirements
• be tailored to the organisation’s risk profile and operational context
• clearly define expected behaviours, responsibilities, and control requirements
• be accessible to relevant staff and stakeholders
• be reviewed and updated regularly to reflect changes in technology, threats, and business operations

Cyber security policies and procedures are not just paperwork – they are essential tools for guiding secure behaviour and consistent control implementation. Organisations must ensure documentation is clear, current, and embedded into daily operations to support resilience and compliance.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• cyber security policies, processes, and procedures are documented and maintained
• documentation is aligned with organisational objectives and legal requirements
• policies are supported by operational procedures that guide implementation
• staff are aware of and can access relevant documentation
• there is a formal process for reviewing and updating documentation
• documentation is used to support consistent and effective cyber control implementation
• stakeholders are engaged in development and review of policies, processes and procedures
• policies are aligned with wider organisational governance and risk management frameworks

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• summarise the cyber security policies and procedures in place
• explain how these documents support the protection of essential functions
• describe how documentation is developed, reviewed, and maintained
• describe how staff are made aware of and access relevant policies
• explain how procedures support consistent implementation of controls
• describe how policies, processes and procedures are aligned with legal, regulatory, and organisational requirements
• share examples of recent updates or improvements to documentation

“You have successfully implemented your security policies, processes and procedures and can demonstrate the security benefits achieved.”

Organisations must ensure that cyber security policies, processes, and procedures are not only documented but actively implemented and followed across the organisation. This outcome focuses on embedding cyber security into day-to-day operations to support the protection of essential functions. Policies should be practical, enforceable, and tailored to the organisation’s context.

Effective cyber security requires:

• clear, accessible policies and procedures that align with organisational goals and risk appetite
• processes that are embedded into operational workflows
• staff awareness and training to ensure consistent application
• mechanisms to monitor compliance and effectiveness
• regular reviews and updates to reflect changes in technology, threats, and business needs

Cyber security must be lived, not just written. Organisations must ensure that policies and procedures are actively followed, understood, and embedded into everyday operations. Strong implementation builds a culture of security and supports the protection of essential functions.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• cyber security policies and procedures are actively implemented across the organisation
• staff understand and follow documented processes
• mechanisms are in place to monitor and enforce compliance
• processes are embedded into operational activities (e.g. access control, incident response, patch management)
• policies and procedures are reviewed and updated regularly, including updates based on lessons learned, changes in systems, or threat intelligence
• provide training and guidance to staff on how to follow procedures
• monitor adherence to policies through audits, reviews, or automated tools
• cyber security is embedded into operational workflows, not treated as a separate activity
• ensure leadership supports and enforces policy compliance

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• summarise key cyber security policies and procedures
• explain how these are implemented in practice across the organisation
• describe how you approach staff awareness and training on cyber security policies and procedures
• describe how compliance is monitored and enforced
• outline how policies are reviewed and updated
• share examples of how cyber processes are embedded into operational workflows
• share examples of improvements made based on feedback or incidents

“You robustly verify, authenticate and authorise access to the network and information systems supporting your essential function(s).”

Organisations must ensure that only verified and authorised individuals can access network and information systems supporting essential functions. This outcome focuses on the strength and appropriateness of identity verification processes, authentication mechanisms, and access controls to prevent unauthorised access and misuse.

Strong identity verification and access control are essential to protecting critical systems and data. Departments must use robust authentication and role-based access controls. Regular reviews, integration with HR processes, and monitoring are key to maintaining secure and accountable access management.

Organisations must:

• verify user identities before granting access
• use strong authentication methods (e.g. multi-factor authentication)
• ensure access is granted based on business need and role
• revoke access promptly when no longer required
• monitor and review access rights regularly
• apply least privilege principles to minimise exposure

These controls help prevent unauthorised access and reduce the impact of compromised credentials.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• identity verification is performed before access is granted for all users, including third parties
• strong authentication (e.g. MFA) is used for all critical systems
• privileged access is subject to additional controls
• access rights are assigned based on role and reviewed regularly
• access controls are integrated with HR processes (e.g. joiners, movers, leavers)
• there is a clear process for revoking access when no longer needed
• temporary access is time-bound and approved
• authentication and access logs are monitored and retained

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable.

• explain how identities are verified before access is granted
• describe the authentication methods used (e.g. MFA, biometrics)
• explain how access rights are assigned, reviewed, and revoked
• explain how temporary access is managed and monitored
• describe integration with HR processes for access lifecycle management
• explain how authentication and access events are monitored and logged
• describe any additional controls for privileged or sensitive access

“You fully know and have trust in the devices that are used to access your networks, information systems and data that support your essential function(s).”

Device management ensures that all devices accessing network and information systems supporting essential functions are securely configured, actively managed, and monitored. This includes corporate, personal, and third-party devices. The goal is to reduce the risk of compromise through unmanaged or insecure endpoints.

Devices are a key entry point for cyber threats. Effective device management includes:

• maintaining an accurate inventory of all devices accessing essential systems
• ensuring devices are securely configured and regularly updated
• applying endpoint protection (e.g. antivirus, EDR)
• enforcing policies for personal and third-party device use
• monitoring device health, compliance, and activity
• restricting access by unmanaged or non-compliant devices

Unmanaged or insecure devices pose a significant risk to essential functions. Organisations must ensure all devices are securely configured, actively managed, and monitored. Strong device management reduces the attack surface, supports compliance, and enhances overall cyber resilience.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• you maintain a centralised asset register of all devices accessing essential functions
• all devices accessing essential systems are known, tracked, and managed
• you deploy and actively monitor endpoint protection
• you apply secure baseline configurations
• you enforce regular patching
• you use mobile device management (MDM) or equivalent controls
• you restrict or block access from unmanaged or non-compliant devices
• you logged and reviewed device activity (e.g. SOC)
• you integrate device management with wider security and operational processes.
• you have policies for personal (BYOD) and third-party device use, including access restrictions and additional authentication

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable.

• explain how devices are identified, tracked, and managed
• describe the security configurations and update policies in place
• explain how endpoint protection and monitoring tools are used
• explain how access is restricted based on device compliance
• describe policies for BYOD and third-party device access
• describe integration with asset management and security operations
• explain how device activity is monitored and reviewed

“You closely manage privileged user access to network and information systems supporting your essential function(s).”

What reviewers are looking for

Where possible, your contributing outcome summary should demonstrate that:

• your organisation requires additional validation for privileged users
• you clearly identify individuals with privileged access to the essential function or supporting systems, including third parties
• privileged users are only granted specific permissions, with the minimum level of access required to perform their role
• you routinely review privileged user access and activity

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

1. Authentication

• confirm that your organisation requires multifactor authentication for privileged users
• explain how additional authentication reduces the risk of credentials being intercepted

2. Management 

• explain how privileged users are managed by the organisation, and whether access is managed centrally
• describe how you apply the rule of least privilege to privileged users
• describe how your organisation reviews the requirement for privileged access reviewed, including by whom and at what interval(s)

3. Logging and monitoring 

• describe how you record and review privileged user activity
• describe log retention requirements for privileged user activity

“You closely manage and maintain identity and access control for users, devices and systems accessing the network and information systems supporting your essential function(s).”

Identity and Access Management (IdAM) ensures that access to systems supporting essential functions is governed by a structured and secure identity and access management process. This includes verifying user identities, managing access rights, and ensuring that access is appropriate, monitored, and revoked when no longer needed.

IdAM is a critical component of cyber resilience. Organisations must ensure that:

• only authorised individuals can access systems and data
• access is granted based on verified identity and business need
• access rights are regularly reviewed and updated
• authentication mechanisms are strong and appropriate
• access is revoked promptly when no longer required
• IdAM processes are integrated with HR and operational workflows

A mature IdAM capability reduces the risk of unauthorised access and supports accountability.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• you have a structured, centralised IdAM process in place that manages user identities and access rights
• you perform identity verification before access is granted
• you assign access rights based on roles and responsibilities, following least privilege principles
• authentication mechanisms are strong and appropriate to the risk (e.g. MFA)
• you revoke access promptly when it is no longer needed
• IdAM is integrated with HR and operational processes for joiners, movers, and leavers
• access activity is monitored and logged for audit and investigations
• you have automated recertification processes in place

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• describe your IdAM system and how it manages identities and access
• explain how identity verification is performed before access is granted
• outline authentication methods used (e.g. MFA)
• explain how access rights are assigned, reviewed, and revoked
• outline integration with HR processes (joiners, movers, leavers)
• describe how you monitor and log access activity
• outline any additional controls for privileged or sensitive access

“You have a good understanding of data important to the operation of your essential function(s), where it is stored, where it travels and how unavailability or unauthorised access, modification or deletion would adversely impact the essential function(s). This also applies to third parties storing or accessing data important to the operation of your essential function(s).”

Understanding data focuses on ensuring that your organisation has a comprehensive understanding of the data that supports its essential functions. This includes knowing:

• what data is important to operations
• where it is stored and processed
• how it flows across systems and third parties
• the potential impact of data compromise (e.g. unauthorised access, modification, deletion, or unavailability)

Organisations must:

• treat data as a strategic asset
• ensure visibility, accountability, and control over data flows
• embed data understanding into governance and risk processes
• recognise that without a clear picture of data, effective protection is impossible

This contributing outcome is a critical enabler of secure and resilient operations. It underpins effective data protection and risk management by ensuring visibility and control over critical information assets. 

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• you have a complete and current inventory of data assets supporting essential functions
• there is clear ownership and accountability for each data asset or dataset
• data classification is based on sensitivity, criticality, and regulatory requirements
• you have a clear understanding of data-related risks and their potential impact
• data understanding is integrated into risk management and governance processes
• data held outside of the United Kingdom is managed via an appropriate governance procedure and authorisation prior to any offshore data migration
• you review data holdings against a defined timescale and any data no longer needed is deleted

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• summarise data types supporting essential functions (e.g. personal, operational, financial)
• describe the tools and processes used for data discovery and classification
• include an overview of the Information Asset Register and how it is maintained
• share details of data flow mapping, including third-party data handling
• describe impact assessments conducted for data compromise scenarios
• outline governance structures supporting data understanding (e.g. Data Protection Officer, Information Governance Board)
• outline governance structures that support board oversight of cyber risk

“You have protected the transit of data important to the operation of your essential function(s). This includes the transfer of data to third parties.”

Data in transit ensures that data important to the operation of essential functions is protected during transmission. This includes:

• internal transfers across systems and networks
• external transfers to third parties
• protection against interception, tampering, or loss during transit

The goal is to maintain confidentiality, integrity, and availability of data while it is being transmitted.This is critical to maintaining trust, compliance, and operational continuity. Organisations should:

• treat data transmission as a high-risk activity
• implement robust technical controls and governance
• identify all data flows relevant to essential functions
• ensure visibility and accountability across all data flows
• apply appropriate encryption and authentication mechanisms
• ensure network segmentation and secure protocols are used
• monitor and log data transfers for anomalies
• include third-party data transfers in risk assessments
• align with standards such as ISO 27001, NIST SP800-53, and IEC 62443, where applicable 

Organisations must apply protection that is proportionate to the sensitivity and criticality of the data, and recognise that secure transmission is a shared responsibility, internally and with third parties.

Achieving this contributing outcome is essential for safeguarding the integrity and confidentiality of your organisation’s most critical data.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• you have a clear understanding of which data is transmitted, and how
• your organisation has documentation of data flow maps and risk assessments
• you have controls to prevent unauthorised access or modification during transit.
• you have monitoring and alerting mechanisms for data transfer anomalies
• you include third-party data transfers in governance and assurance processes
• you use risk assessments to evaluate threats to data in transit (e.g. interception, spoofing, loss)
• you have secure transmission protocols and encryption controls:
  • use of TLS, VPNs, or IPsec for secure transmission.
  • implementation of end-to-end encryption for sensitive data
  • application of integrity checks (e.g. hashing, digital signatures)
  • management of cryptographic keys including generation, rotation and deletion
• you have access control to ensure only authorised systems and users can initiate or receive data transfers
• you have appropriate third-party assurance to validate that external partners use secure transmission methods

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• describe data types transmitted and their relevance to essential functions
• share an overview of technical controls used to protect data in transit
• describe data flow mapping and how it is maintained
• explain encryption standards and protocols in use
• describe monitoring tools and how anomalies are handled
• outline assurance processes for third-party data transfers
• reference evidence of policy and governance supporting secure data transmission

“You have protected stored soft and hard copy data important to the operation of your essential function(s).”

This contributing outcome focuses on ensuring that data important to the operation of essential functions is protected while at rest. This includes:

• data stored on servers, databases, endpoints, removable media, and cloud platforms
• protection against unauthorised access, modification, deletion, or loss
• ensuring data remains available, accurate, and secure throughout its lifecycle

The aim is to maintain the confidentiality, integrity, and availability of stored data.

Organisations should:

• identify all locations where essential data is stored
• apply appropriate access controls, encryption, and monitoring
• ensure physical and logical protections are in place
• implement data retention and disposal policies
• include third-party and cloud storage in risk assessments
• align with standards such as ISO 27001, NIST SP800-53, and UK GDPR where applicable

Protection must be proportionate to the sensitivity and criticality of the data.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• you have a clear understanding of where and how data is stored
• you maintain an up-to-date register of all stored data assets
• you classify data based on sensitivity and business impact
• you document data classification, retention, and disposal policies
• you have appropriate technical and physical controls protecting stored data:
  • encryption at rest for sensitive data
  • application of role-based access controls and multi-factor authentication
  • implementation of logging and alerting for access and changes
• you have appropriate physical security measures in place: secure data centres, server rooms, and endpoint devices
• you have appropriate lifecycle management:
  • you define retention periods
  • you ensure secure disposal of obsolete data and media
• you have controls to prevent unauthorised access or modification
• you have appropriate monitoring and alerting mechanisms for data access and integrity
• you include third-party storage in governance and assurance processes
• you have appropriate third-party assurance to validate that external providers meet security requirements

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• describe sanitisation policies and procedures
• reference evidence of sanitisation activities, including logs and certificates
• explain use of approved sanitisation methods
• explain your approach to asset identification and maintaining inventory of all data-bearing media and equipment
• outline controls to prevent data recovery from disposed or reused assets: 
  • use of certified tools for data wiping and destruction
  • applying cryptographic erasure for encrypted devices
  • physically destroying media where appropriate
• describe how you include third-party disposal in governance and assurance processes
• outline integration of sanitisation into asset management and risk processes

“You have protected data important to the operation of your essential function(s) on mobile devices.”

This contributing outcome ensures that data important to the operation of essential functions is protected when accessed, stored, or processed on mobile devices. This includes:

• smartphones, tablets, laptops, and other portable endpoints
• devices used by staff in remote or field-based roles
• protection against loss, theft, unauthorised access, and compromise

The goal is to maintain the confidentiality, integrity, and availability of essential data when accessed or stored on mobile platforms. Mobile data access introduces unique risks that must be actively managed, and protection is essential for operational resilience and regulatory compliance.

Organisations should:

• identify all mobile devices that access or store essential data
• treat mobile devices as critical endpoints
• apply mobile device management (MDM) solutions
• enforce encryption, authentication, and remote wipe capabilities
• implement usage policies for mobile data access
• include bring your own device (BYOD) scenarios in risk assessments
• ensure compliance with UK GDPR, ISO 27001, and relevant sector-specific standards
• ensure visibility, accountability, and governance over mobile data use

Security controls must be proportionate to the sensitivity of the data and the risk posed by mobile usage.

Achieving this outcome is vital for enabling secure, flexible working while safeguarding essential data.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• you have a clear understanding of which mobile devices access essential data
• you maintain a register of mobile devices accessing essential data
• you have appropriate policy enforcement: 
  • you define acceptable use policies
  • you restrict access to sensitive data based on device compliance
• you have appropriate technical controls in place(e.g. encryption, remote wipe, MDM):
  • you use MDM to enforce encryption, patching, and remote wipe
  • you require multi-factor authentication (MFA)
  • you disable local storage of sensitive data where possible
• you have documented policies and procedures for mobile data use 
• you use controls to prevent unauthorised access or data leakage
• you have monitoring and alerting mechanisms in place for mobile data access:
  • you track device access and data usage
  • you detect and respond to anomalies or unauthorised access
• you include BYOD and third-party devices in governance and assurance processes
• you train staff on secure mobile data handling and promote reporting of lost or compromised devices
• you have third-party assurance processes in place to ensure contractors and partners follow equivalent mobile data protections

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• describe mobile data usage scenarios relevant to essential functions
• include an overview of device types and platforms in use
• summarise relevant technical controls used (e.g. MDM, encryption, MFA)
• outline mobile data policies, including BYOD
• explain monitoring tools and incident response procedures 
• outline assurance processes for third-party mobile access
• describe staff training and awareness initiatives

“Before reuse and / or disposal you appropriately sanitise devices, equipment and removable media holding data important to the operation of your essential function(s).”

This contributing outcome ensures that media and equipment holding data important to the operation of essential functions are appropriately sanitised before reuse, disposal, or transfer. This includes:

• hard drives, USB devices, mobile phones, laptops, servers, and other data-bearing assets
• ensuring data is irretrievably removed or destroyed
• preventing unauthorised recovery or access to sensitive information

This outcome supports the confidentiality and integrity of data by eliminating residual data risks. Media and equipment sanitisation is a critical control to prevent data leakage and ensure compliance, and failure to sanitise properly can result in serious data breaches.

Organisations should:

• treat sanitisation as a mandatory step in asset lifecycle management
• implement robust, auditable processes for all data-bearing assets
• establish and enforce sanitisation policies for all data-bearing media and equipment
• use approved sanitisation methods (e.g. cryptographic erasure, degaussing, physical destruction)
• maintain records of sanitisation activities
• ensure third-party disposal services meet security requirements
• align with standards such as: 
  • ISO/IEC 27001: Disposal of media, Secure disposal or reuse of equipment
  • NIST SP800-53: Media Sanitization, Media Transport
  • IEC 62443: Procedures for asset disposal and records control.

Sanitisation must be proportionate to the sensitivity of the data and the risk of compromise.

Achieving this outcome is essential for maintaining trust, protecting sensitive data, and meeting regulatory obligations.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• you document sanitisation policies and procedures
• you can evidence sanitisation activities, including logs and certificates
• you approve sanitisation methods
• you have asset identification and inventory of all data-bearing media and equipment 
• you have controls to prevent data recovery from disposed or reused assets. This may include: 
  • certified tools for data wiping and destruction
  • applying cryptographic erasure for encrypted devices
  • physically destroying media where appropriate
• you include third-party disposal in governance and assurance processes
• you integrate sanitisation into asset management and risk processes

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• outline media and equipment types subject to sanitisation 
• provide an overview of sanitisation methods used and their alignment with standards
• summarise policies and procedures governing sanitisation
• include details of record-keeping and verification processes
• explain third-party disposal arrangements and assurance mechanisms
• describe staff training and awareness on sanitisation practices

“You design security into the network and information systems that support the operation of your essential function(s). You minimise their attack surface and ensure that the operation of your essential function(s) should not be impacted by the exploitation of any single vulnerability.”

This contributing outcome ensures that security is embedded into the design and development of network and information systems that support essential functions. The goal is to:

• minimise the attack surface
• ensure resilience against exploitation of vulnerabilities
• prevent a single point of failure from compromising essential operations

This promotes proactive security integration throughout the system lifecycle from architecture to deployment and maintenance.

• adopt security-by-design principles in system architecture and development
• conduct threat modelling and risk assessments during design stages
• implement segmentation, least privilege, and fail-safe mechanisms
• separate development, testing, and production environments
• use secure coding practices, code signing, and integrity checks
• align with standards such as: 
  • ISO/IEC 27001: Information security in project management, network segregation
  • NIST SP800-53: Secure system development lifecycle, boundary protection
  • IEC 62443: Zone boundary protection, malicious code protection

Security must be treated as a core design requirement, not an afterthought. Ensuring that systems are secure by design is foundational to long-term cyber resilience, and system design is a strategic opportunity to embed this resilience. Security experts must be involved from the outset, ensuring that systems can withstand attacks and avoid compromise to essential functions. 

Achieving this outcome is essential for building trustworthy, robust systems that support critical operations.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• security is embedded in system design and development lifecycles
• you document design reviews, threat models, and risk assessments
• you use segmentation, access control, and resilience mechanisms
• you use of secure coding standards and code reviews
• you separate development, test and production environments
• you use controls to prevent exploitation of vulnerabilities
• you automate testing for vulnerabilities and misconfigurations
• you integrate secure development lifecycle (SDLC) practices
• you have assurance practices in place to monitor baselines for system behaviour and data flows to identify unauthorised changes or anomalies

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• describe systems and services supporting essential functions
• give an overview of design principles and how security is integrated
• summarise architecture controls (e.g. segmentation, fail-safe)
• outline development practices, including secure coding and testing
• explain your approach to environment separation and change control. 
• reference evidence of design governance, including threat modelling and assurance

“You securely configure the network and information systems that support the operation of your essential function(s).”

This contributing outcome ensures that systems supporting essential functions are securely configured to reduce vulnerabilities and prevent exploitation. This includes:

• applying baseline security configurations
• removing unnecessary services, accounts, and software
• ensuring configurations are maintained and monitored over time

The objective is to minimise the attack surface and ensure systems operate in a secure state by default. Configuration management must be treated as a strategic security function. Misconfiguration is a leading cause of breaches and is preventable. Automation and governance are crucial to sustain secure configurations. 

Organisations should:

• ensure systems are deployed and maintained in a hardened state
• define, use, and enforce secure configuration baselines for all systems
• use automated tools to assess and maintain configuration compliance
• regularly review and update configurations in response to evolving threats
• remove or disable default accounts, unused services, and unnecessary software
• ensure logging, monitoring, and alerting are enabled for configuration changes
• align with standards such as: 
  • CIS Benchmarks
  • ISO/IEC 27001: Secure system configuration (A.12.1.2)
  • NIST SP800-53: Configuration Management (CM family)

Secure configuration must be treated as a continuous process, not a one-time activity. This  is a foundational control that directly impacts system resilience, and is essential for reducing risk and maintaining operational integrity.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• you document secure configuration baselines for all relevant systems
• you can evidence implementation and enforcement of these baselines
• you use automated tools to detect and remediate configuration drift
• you use controls to prevent unauthorised changes to configurations
• you integrate configuration management into change control and governance 
• you include configuration assurance in risk management processes
• you use auditing and assurance processes to verify compliance and records of configuration status and remediation actions

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• describe the systems and platforms covered by secure configuration
• give an overview of baseline standards and how they are developed 
• summarise tools and processes used to enforce and monitor configurations
• outline change control and audit mechanisms
• explain how configuration management supports essential function resilience
• describe staff roles and responsibilities for configuration assurance

“You manage your organisation’s network and information systems that support the operation of your essential function(s) to enable and maintain security.”

This contributing outcome ensures that the tools, systems, and processes used to manage network and information systems supporting essential functions are themselves secure. This includes administrative interfaces, management platforms, and remote access tools. The aim is to prevent attackers from exploiting management capabilities to compromise systems.

Management systems and interfaces often have elevated privileges and broad access. If compromised, they can be used to disable security controls, exfiltrate data, or disrupt operations. To mitigate this risk, organisations should:

• restrict access to management tools to authorised personnel only
• use strong authentication and dedicated management accounts
• ensure management interfaces are not exposed to the public internet
• monitor and log all management activity
• apply secure configurations and regular updates to management systems
• use encrypted channels for remote management

These practices help maintain the integrity and security of essential systems.

Management systems are high-value targets for attackers. Organisations must ensure these tools are securely configured, access is tightly controlled, and activity is continuously monitored. Protecting management interfaces is essential to maintaining the security and resilience of systems supporting essential functions.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• management systems and interfaces are identified and documented
• access is restricted to authorised users using role-based controls and strong authentication (e.g. MFA)
• management interfaces are not publicly accessible
• secure configurations and patching are applied to management tools
• dedicated accounts are used for administrative tasks
• management activity is logged and reviewed
• remote management is conducted over secure, encrypted channels 
• there are controls in place to detect and respond to unauthorised management activity

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable.

• describe the management systems and interfaces in use
• explain how access is restricted and authenticated
• explain whether dedicated accounts are used for management tasks
• describe how management interfaces are protected from external exposure
• outline how secure configurations and updates are applied
• explain how management activity is monitored and logged
• outline the encryption methods used for remote access
• describe any additional controls in place to protect management functions 

“You manage known vulnerabilities in your network and information systems to prevent adverse impact on your essential function(s).”

This contributing outcome ensures that known vulnerabilities in network and information systems are identified, assessed, and mitigated to prevent adverse impacts on essential functions. This includes:

• timely detection and remediation of software, hardware, and configuration vulnerabilities
• integration of vulnerability management into operational and security processes
• minimising exposure to known threats through proactive controls

This supports the resilience and security of systems by reducing the likelihood of exploitation. Unpatched vulnerabilities are a leading cause of compromise, and are preventable.  Automation and intelligence should be used to stay ahead of emerging threats. 

Organisations should:

• maintain an up-to-date inventory of assets and associated vulnerabilities
• conduct regular vulnerability scans and penetration testing
• subscribe to threat intelligence feeds and vendor advisories
• prioritise vulnerabilities based on risk and impact to essential functions
• apply patches, configuration changes, or compensating controls
• document and track accepted risks and remediation actions
• align with standards such as:
  • ISO/IEC 27001: Management of technical vulnerabilities
  • NIST SP800-53: Vulnerability Monitoring and Scanning (RA-5)
  • IEC 62443: Vulnerability assessment and denial of service protection

Vulnerability management is a proactive control that directly reduces cyber risk. Organisations must treat vulnerability management as a continuous, risk-driven process, ensuring visibility and accountability across all systems and suppliers. This outcome is essential for maintaining secure, resilient operations and protecting essential functions.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• you have systematic vulnerability management policies and processes in place
• you use automated scanning tools and threat intelligence
• you document vulnerability assessments, remediation actions, and accepted risks
• you assess and prioritise vulnerabilities using CVSS scores and business impact, with prioritisation based on criticality to essential functions
• you integrate vulnerability management into change control and governance
• you assure that third-party systems follow equivalent vulnerability management processes

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• describe systems and assets covered by vulnerability management
• outline tools and processes used for scanning and assessment
• summarise remediation workflows and prioritisation criteria
• outline governance and reporting mechanisms
• explain how third-party vulnerabilities are managed 
• outline staff roles and responsibilities in vulnerability management

“You are prepared to restore the operation of your essential function(s) following adverse impact.”

This contributing outcome ensures that organisations are prepared to maintain or quickly restore essential functions in the event of a cyber incident. This includes identifying critical systems, planning for disruption, and implementing measures to ensure continuity and recovery. The focus is on proactive preparation to reduce the impact of cyber threats.

Cyber resilience is not just about preventing attacks – it’s about being ready to respond and recover. Effective resilience preparation includes:

• identifying systems and services critical to essential functions
• understanding dependencies and potential failure points
• developing and testing incident response and recovery plans
• ensuring backup and restoration capabilities are in place and regularly validated
• engaging stakeholders in resilience planning and exercises
• embedding resilience into business continuity and risk management processes

Cyber resilience is about readiness. Organisations must proactively prepare for disruption by identifying critical systems, planning for recovery, and regularly testing their capabilities. Strong resilience preparation ensures essential functions can continue or be restored quickly, even in the face of significant cyber incidents.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• essential systems and their dependencies are clearly identified and documented 
• cyber-specific incident response and recovery plans are in place and tested
• backup and restoration processes are reliable and regularly validated
• resilience planning includes input from relevant stakeholders
• exercises and simulations are conducted to test preparedness 
• cyber resilience is embedded in business continuity and risk management 
• lessons learned from incidents or exercises are used to improve resilience

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• describe essential systems and their dependencies
• outline incident response and recovery plans, including testing frequency
• describe backup and restoration capabilities and how they are validated
• explain how resilience planning is integrated into wider organisational processes 
• share examples of exercises or simulations conducted
• explain how lessons learned are captured and used to improve resilience 
• outline any third-party or supply chain considerations in resilience planning

“You design the network and information systems supporting your essential function(s) to be resilient to cyber security incidents. Systems are appropriately segregated and resource limitations are mitigated.”

This contributing outcome ensures that systems supporting essential functions are designed and engineered to be resilient to cyber incidents. This includes:

• minimising single points of failure
• ensuring that systems can continue to operate or recover quickly following disruption
• embedding resilience principles into architecture, design, and implementation

The goal is to ensure that essential functions remain available and trustworthy even under adverse conditions. Resilient design is a cornerstone of cyber resilience and regulatory compliance. Organisations must treat resilience as a strategic design priority and build systems that can withstand and recover from disruption. Resilience must be tested, validated, and continuously improved. 

Organisations should:

• incorporate resilience principles into system design from the outset
• use redundancy, segmentation, and failover mechanisms
• design systems to degrade gracefully and recover quickly
• ensure dependencies are understood and managed
• include resilience testing in development and operational phases
• align with standards such as: 
  • ISO/IEC 27001: Information security continuity
  • NIST SP800-160: Systems Security Engineering
  • IEC 62443: System resilience and recovery

Resilience must be treated as a core design requirement, not a reactive measure.  Designing for resilience is essential to maintaining operational continuity and trust, and achieving this outcome is vital for ensuring that essential functions remain available and secure in the face of cyber threats.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• you embed resilience in system design and engineering
• you document resilience objectives, architectural decisions, and testing outcomes 
• you separate test and pre-production environments which undergo the same level of governance as the live service
• you use segmentation, redundancy, and failover mechanisms
• you use controls to ensure continuity of essential functions during disruption 
• you integrate resilience into change management and governance

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• describe systems and services critical to essential functions
• give an overview of resilience design principles and how they are applied
• summarise architectural features supporting resilience (e.g. segmentation, redundancy)
• outline resilience testing and validation activities
• explain how dependencies and failure modes are managed
• outline governance and continuous improvement processes across all environments (test, pre-production and live)

“You hold accessible and secured current backups of data and information needed to recover operation of your essential function(s).”

This contributing outcome ensures that appropriate backup mechanisms are in place to support the recovery of essential functions following a cyber incident. This includes the creation, protection, and testing of backups for critical data, systems, and configurations. The aim is to ensure that organisations can restore operations quickly and reliably in the event of disruption.

Backups are a critical component of cyber resilience. Effective backup practices include:

• identifying what data, systems, and configurations need to be backed up to support essential functions
• ensuring backups are performed regularly and stored securely
• protecting backups from unauthorised access, tampering, or deletion
• keeping backups separate from live systems to prevent compromise during an incident
• testing backup restoration processes to ensure reliability
• including backup and recovery procedures in incident response and business continuity plans

These measures help ensure continuity and reduce downtime following a cyber event.

Backups are your safety net. Organisations must ensure that critical systems and data are backed up securely, regularly, and in a way that supports rapid recovery. Testing and protecting backups are just as important as creating them. Reliable backups are essential to maintaining continuity and resilience in the face of cyber threats.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• backups are in place for all systems and data supporting essential functions
• backup processes are documented, scheduled, and monitored
• backup data is protected using encryption and access controls
• backups are stored separately from live systems (e.g. offline, cloud, immutable)
• restoration processes are tested regularly, and results are documented
• backup procedures are integrated into incident response and recovery plans 
• there is a clear understanding of backup scope, frequency, and retention

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• outline which systems, data, and configurations are backed up and why
• describe how often backups are performed and where they are stored
• explain the security measures in place to protect backup data (e.g. encryption, access controls)
• explain how backups are separated from live systems to prevent compromise
• describe how and when restoration processes are tested
• outline how backup procedures support incident response and recovery
• share any lessons learned or improvements made from backup testing or incidents

“You develop and maintain a positive cyber security culture.”

This contributing outcome focuses on embedding a positive and proactive cyber security mindset across the organisation. It ensures that:

• staff at all levels understand their role in maintaining cyber resilience
• security behaviours are encouraged, supported, and reinforced
• the organisation fosters an environment where cyber security is seen as a shared responsibility

A strong cyber security culture reduces human-related risks and enhances the effectiveness of technical and procedural controls. Culture must be treated as a strategic enabler, not a compliance checkbox. Technology alone cannot protect systems – people must be empowered to do their part. 

Organisations should:

• ensure leadership sets the tone and leads by example
• engage staff at all levels in meaningful, role-relevant ways
• promote awareness and understanding of cyber risks and responsibilities
• provide regular training and education tailored to roles and risk exposure
• encourage reporting of incidents, near misses, and suspicious activity
• recognise and reward positive security behaviours
• ensure leadership models good practice and supports a security-first mindset
• align with standards such as: 
  • ISO/IEC 27001: Awareness, education, and training
  • NIST Cybersecurity Framework: Awareness and training
  • NCSC guidance on building a cyber security culture

Cyber security culture is the human foundation of resilience. It must be actively shaped through leadership, communication, and reinforcement. This outcome is essential for creating a resilient, security-conscious workforce that supports and strengthens technical controls.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• you take a strategic approach to building cyber security culture
• you offer training programmes and track participation rates and effectiveness 
• you have a ‘Cyber Champion’ or accountable individual at board level
• senior leaders are engaged and model of good behaviours
• you have mechanisms for reporting and responding to incidents
• you integrate culture into risk management and governance 

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• describe the organisation’s cyber security culture strategy
• provide an overview of training and awareness activities, including frequency and scope 
• summarise leadership involvement and communication efforts
• identify which board level role is accountable for cyber security within the organisation
• include details of reporting mechanisms and how staff are encouraged to use them
• explain how positive behaviours are reinforced with examples
• reference evidence of staff engagement, feedback, and continuous improvement

“The people who support the operation of your essential function(s) are appropriately trained in cyber security. A range of approaches to cyber security training, awareness and communications are employed”.

This contributing outcome ensures that all personnel involved in supporting essential functions receive appropriate and effective cyber security training. This includes:

• awareness of cyber threats and risks
• understanding of individual responsibilities
• capability to respond appropriately to incidents

The goal is to build a workforce that contributes positively to the organisation’s cyber resilience through informed and responsible behaviour.  Human behaviour is often the weakest link but can be the strongest defence. Training must be seen as a strategic investment, not a compliance exercise. Organisations must ensure that staff are empowered and informed to act securely, and embed training into culture, processes, and performance.

Organisations should:

• deliver role-specific cyber security training to all staff, especially those with privileged access or security responsibilities
• provide regular refresher training and updates based on evolving threats
• ensure training covers policies, procedures, incident response, and secure behaviours
• evaluate training effectiveness through testing, feedback, and performance monitoring
• align training with standards such as: 
  • ISO/IEC 27001: Awareness, education and training
  • NIST SP800-50: Building an Information Technology Security Awareness and Training Program
  • NCSC guidance on staff awareness and behaviour

Training must be tailored, continuous, and embedded into organisational culture.

Cyber security training is a critical enabler of resilience. This outcome is crucial for building a security-aware workforce that actively protects essential functions.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• you have a documented cyber security training programme
• you can evidence role-specific training for personnel with security responsibilities
• security awareness training is undertaken by all personnel
• mechanisms to evaluate training effectiveness are in place
• training is integrated into HR and operational processes
• you have assurance that staff understand their responsibilities and can act appropriately

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• describe staff roles and associated cyber security responsibilities
• include an overview of the training programme, including content and delivery methods
• summarise training frequency, evaluation methods, update cycles and tracking completion rates
• include details of incident response training and behavioural expectations
• reference evidence of staff engagement, feedback, and performance monitoring
• explain how training supports the resilience of essential functions

“The data sources that you include in your monitoring allow for timely identification of security events which might affect the operation of your essential function(s).”

This contributing outcome ensures that appropriate monitoring is in place across network and information systems supporting essential functions. The goal is to detect potential security events, anomalies, and threats in a timely manner. Effective monitoring provides visibility into system activity and supports incident detection, response, and recovery.

Monitoring is a key component of cyber defence. To be effective, it must:

• cover all systems, services, and interfaces supporting essential functions
• include logging of relevant security events and user activity
• be able to detect abnormal behaviour or indicators of compromise
• support real-time or near-real-time alerting and analysis
• be integrated with incident response processes
• be regularly reviewed and updated to reflect changes in the threat landscape and system architecture
• be proportionate to the risk and criticality of the systems being protected

Monitoring provides the visibility needed to detect and respond to cyber threats. Organisations must ensure that all critical systems are covered by effective monitoring, with relevant events logged, alerts generated, and data reviewed. Strong monitoring coverage is essential to maintaining situational awareness and supporting timely incident response.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• monitoring is in place across all systems supporting essential functions
• logs are captured for relevant events (e.g. authentication, access, configuration changes) and retained for a reasonable period of time
• monitoring requirements are considered at the design stage of any new service
• monitoring tools can detect and alert on suspicious activity based on Indicators of Compromise (IoC)
• monitoring data is reviewed and used to support incident detection and response
• monitoring coverage is regularly assessed and updated
• there is a clear link between monitoring outputs and operational security processes 
• monitoring data is protected from tampering and unauthorised access

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• describe the systems and services being monitored
• outline whether there is a dedicated Security Operations Centre (SOC)
• explain the types of events that are logged and why
• outline the retention period for log data
• describe the tools or platforms used for monitoring and alerting
• outline how monitoring data is reviewed and used operationally
• outline how monitoring coverage is assessed and maintained
• describe how monitoring supports incident response and investigation 
• describe any controls in place to protect monitoring data

“You hold log data securely and grant appropriate access only to accounts with a business need. No system or user should ever need to modify or delete master copies of log data within an agreed retention period, after which it should be deleted.”

To meet this outcome, organisations should:

• store logs in a secure environment where they cannot be accessed, altered, or deleted except by authorised personnel
• implement strict role-based access controls for log data within monitoring and security tools (e.g., SIEM, Sentinel)
• ensure all actions involving logs (viewing, exporting, deleting) are traceable to a unique user or system
• ensure original log files remain immutable; analysis should be performed on copies
• apply tamper-resistant mechanisms such as immutable storage or platform safeguards
• define and enforce retention periods for logs in line with organisational policy
• securely delete logs after the retention period to prevent unauthorised recovery
• ensure privileged and sensitive system activities are always logged to support investigations and compliance
• maintain audit trails for all log-related operations to demonstrate accountability and traceability
• regularly review log access permissions and the security of logging tools to confirm ongoing effectiveness

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• log integrity is protected
• security logs have mechanisms, processes and procedures in place that allow them to be protected from threats comparable to those they are used to identify
• master logs remain unaltered and all analysis and normalisation activity is conducted on copies
• log times are synchronised (UTC)
• access is restricted to ‘need to know’
• all activity such as deleting or copying logs can be tracked to an individual user
• legitimate reasons to access logging data are published in policy

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

1. Storage

• outline how are logs harvested and where are they stored
• confirm whether copies are taken and whether the integrity of a ‘single version of the truth’ is maintained
• explain how log data protected at rest and in transit
• explain how the organisation can be sure the date and time of logged occurrences is accurate during log analysis

2. Access

• explain how the IDAM policy is applied to control access to logs
• explain how the ‘need to know’ principle is applied, including use of business cases
• outline how you enforce non-repudiation, ensuring that all access and subsequent actions within harvested logs are tracked and traceable to an individual

“Evidence of potential security incidents contained in your monitoring data is reliably identified and triggers alerts.”

This contributing outcome ensures that monitoring systems can generate timely and relevant alerts when potential security events or anomalies are detected. The aim is to enable rapid awareness and response to threats affecting network and information systems that support essential functions.

Organisations should:

• define what constitutes a security-relevant event or anomaly 
• configure monitoring tools to generate alerts for these events 
• ensure alerts are delivered to appropriate personnel or systems (e.g. SOC, SIEM) 
• prioritise alerts based on risk and impact to essential functions
• integrate alerting with incident response and escalation procedures 
• regularly review alerting rules and thresholds to maintain relevance

Alerts are your early warning system. You must ensure that monitoring tools generate timely, relevant, and actionable alerts that support rapid response to threats. Well-configured alerting reduces risk, improves situational awareness, and strengthens cyber resilience.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• alerts are generated for relevant security events across essential systems based on meaningful indicators of compromise or suspicious behaviour
• alerting mechanisms are timely and reliable, enabling swift investigation and response
• alerts are prioritised and actionable based on severity and relevance to essential functions 
• alerts are integrated into operational response processes and workflows
• alerting rules are reviewed and updated regularly to reduce false positives and avoid alert fatigue
• there is a clear process for managing and responding to alerts
• alerting systems are tested and maintained

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• outline the types of events that trigger alerts and the rationale for this
• outline how alerts are generated and delivered (e.g. SIEM, email, dashboards)
• describe how alerts are prioritised and managed
• outline who receives alerts and how they respond 
• explain how alerting supports incident response and escalation
• explain how alerting rules are reviewed and tuned
• outline any testing or validation of alerting systems

“You contextualise alerts with knowledge of the threat and your systems, to identify those security incidents that require some form of response.”

This contributing outcome ensures that security events that could indicate a compromise or breach of systems supporting essential functions are identified and assessed in a timely manner. Organisations need to be able to distinguish between benign activity and genuine security incidents, enabling swift and appropriate responses to threats that could impact critical operations.

Organisations should:

• agree clear definitions of what constitutes a security incident
• have robust detection mechanisms that can identify suspicious or anomalous activity
• implement timely triage and analysis of alerts and events
• integrate with threat intelligence to contextualise and prioritise incidents
• collaborate across teams to validate and escalate incidents appropriately
• ensure that incident identification includes human analysis and contextual understanding

Identifying security incidents is a critical first step in effective incident response. Organisations must ensure they have the tools, processes, and trained personnel to detect and assess threats quickly and accurately. A proactive, intelligence led approach to incident identification significantly enhances cyber resilience.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• you have documented criteria for what constitutes a security incident
• you define incident types and thresholds for escalation based on risk and impact
• you can evidence detection tools and their configuration to identify relevant threats
• you have an update process for signature-based detection technologies (Evergreen support or manual updates)
• you use threat intelligence from a number of sources (NCSC, NPSA, OGD, vendors) to enrich event data and improve detection accuracy
• you have incident triage workflows showing how alerts are assessed and escalated
• you have examples of past incidents and how they were identified
• staff involved in incident detection and triage are appropriately trained
• metrics such as false positive rates, time to identify, and incident volumes are recorded
• you maintain a central incident register to track identified incidents and their resolution 
• you conduct regular exercises to test incident identification processes and staff readiness

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• outline definitions and classifications of security incidents used by the department
• describe detection tools and methods in place (e.g., SIEM, anomaly detection)
• outline triage and escalation processes for suspected incidents
• outline roles and responsibilities for incident identification
• include examples of recent incidents and how they were detected 
• explain integration with threat intelligence and other security functions 
• outline plans for improving detection capabilities or addressing known gaps

“Monitoring staff skills, tools and roles, including any that are outsourced, should reflect governance and reporting requirements, expected threats and the complexities of the network or system data they need to use. Monitoring staff have knowledge of the essential function(s) they need to protect.”

The organisation must have the appropriate tools and skilled personnel to carry out effective security monitoring of the networks and systems supporting the essential function. This outcome ensures that both the technological capabilities and human expertise are in place to detect, analyse, and respond to security events in a timely and effective manner.

Organisations should have:

• technical capability: tools that provide visibility into systems, networks, and user activity
• human capability: skilled analysts who can interpret data, identify threats, and take appropriate action
• operational maturity: processes and procedures that ensure consistent, reliable monitoring and response

Organisations should ensure that tools are fit for purpose, properly configured, and regularly updated. Staff must be trained, supported, and resourced to use these tools effectively.

Security monitoring is only as effective as the tools and people behind it. Organisations must ensure they have fit for purpose technologies and skilled personnel who can interpret and act on the data. Regular investment in tooling and training is essential to maintain a resilient monitoring capability.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• you have defined roles and responsibilities for monitoring and analysis at different levels of experience
• you have a clear inventory of monitoring tools and their coverage
• tools are configured correctly and generate meaningful alerts
• you hold training records and evidence of staff competence
• you have clear processes in place for tool evaluation and improvement
• you can share examples of how tools and skills have been used to detect or respond to incidents
• you collect metrics showing tool performance and analyst effectiveness (e.g., false positive rates, time to detect/respond)

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• outline monitoring tools in use and their purpose
• describe coverage and integration of tools across systems and environments
• explain the staffing model for monitoring (e.g., internal SOC, outsourced services)
• outline training and development activities for monitoring personnel
• describe processes for tool tuning, maintenance, and review
• share examples of successful detection or response enabled by tools and skills
• outline plans for addressing any gaps in tooling or expertise

“You define examples of abnormalities in system behaviour that provide practical ways of detecting malicious activity that is otherwise hard to identify.”

Organisations should detect potential attacks on systems supporting essential functions by monitoring for indications of abnormal behaviour or other signs of compromise. This contributing outcome focuses on the ability to identify malicious activity through the detection of deviations from expected system behaviour, enabling early warning and rapid response to cyber threats.

Organisations should:

• understand normal behaviour: establish baselines for system, network, and user activity
• detect deviations: use tools and techniques to identify anomalies that may indicate compromise
• correlate events: combine multiple indicators to improve detection accuracy and reduce false positives
• respond quickly: ensure that abnormal activity triggers investigation and, where necessary, incident response

Detection should not rely solely on known signatures but also include behavioural and heuristic analysis to identify novel or stealthy attacks.

Detecting system abnormalities is essential for identifying sophisticated attacks. Organisations must ensure they have behavioural visibility, automated detection tools, and skilled analysts to interpret and act on signs of compromise. A proactive, intelligence-informed approach enhances early detection and limits potential damage.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• you conduct baseline activity monitoring and can evidence how the behavioural baseline has been established
• you use anomaly detection tools 
• you use threat intelligence to inform detection rules and prioritise alerts
• you adapt detection rules to reduce noise and improve fidelity
• you investigate abnormal activity and escalate potential incidents
• you can share examples of detected anomalies and how they were handled
• you collect metrics such as detection rates, false positives, and time to investigate
• you have established continuous improvement practices, including feedback loops from incident response

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• describe the tools and techniques used to detect abnormal behaviour
• outline how anomaly detection tools are configured
• outline the scope of monitoring (e.g., endpoints, servers, cloud environments)
• explain how baselines are established and maintained
• share examples of anomalies detected and actions taken
• describe integration with incident response and threat intelligence
• outline training and awareness for analysts and responders
• outline plans for improving detection capabilities or addressing known limitations

“You use an informed understanding of more sophisticated attack methods and of normal system behaviour to monitor proactively for malicious activity.”

Organisations must take active steps to search for potential compromises or attacks on systems supporting essential functions, even when no specific alerts or indicators of compromise have been detected. This contributing outcome focuses on the organisation’s ability to proactively hunt for threats, rather than relying solely on automated alerts or reactive monitoring. It reflects a mature security posture that anticipates adversary behaviour and seeks to uncover stealthy or novel attacks.

Organisations should:

• implement threat hunting: hypothesis-driven investigation of potential attacker behaviours
• use threat intelligence: apply knowledge of adversary tactics, techniques, and procedures (TTPs) to guide searches
• use advanced analytics: leverage behavioural analysis, anomaly detection, and machine learning to uncover hidden threats
• carry out red teaming and simulations: test defences and detection capabilities through controlled adversarial exercises
• implement continuous improvement: feed findings back into detection and response processes

This capability is especially important for detecting low-and-slow attacks, insider threats, and advanced persistent threats (APTs).

Proactive attack discovery is a hallmark of a mature and resilient cyber defence posture. Organisations must move beyond reactive monitoring and invest in threat-informed, hypothesis-driven hunting to uncover hidden threats and continuously improve their security capabilities.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• you have a proactive threat hunting capability
• you use threat intelligence to inform hunting and discovery by identifying TTPs and indicators of compromise
• you can give examples of discoveries made through proactive efforts
• you integrate with red/blue team activities to test and refine detection capability
• you document findings, and any actions prioritised and assigned
• you make improvements based on findings, such as tuning detection rules 
• you offer training to improve staff skills relevant to threat hunting and proactive discovery

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• describe the proactive discovery activities you carry out (e.g., threat hunting, red teaming)
• outline the methodologies and frameworks used (e.g., MITRE ATT&CK)
• outline tools and techniques used to support these activities
• outline the scope and frequency of threat hunting activity or simulations 
• describe the use of threat intelligence and behavioural analytics
• share examples of findings and how they were addressed
• explain the processes for feeding results into detection and response improvements
• outline plans for maturing the capability, including training and tooling

“You have an up-to-date incident response plan that is grounded in a thorough risk assessment that takes account of your essential function(s) and covers a range of incident scenarios.”

Your response plan must enable timely and effective action in the event of a cyber incident. The plan should cover detection, containment, eradication, recovery, and communication, ensuring continuity of critical services.

Organisations should:

• define roles and responsibilities for incident response 
• establish clear procedures for escalation, decision-making, and communication 
• address coordination with external stakeholders, such as regulators, suppliers, and law enforcement
• test and update the response plan regularly to reflect organisational changes
• test and update the response plan regularly to reflect changes in the threat landscape, technology, and business operations
• integrate the response plan with business continuity and disaster recovery plans

Organisations must ensure they have a clear, tested, and integrated response plan that defines roles, escalation paths, and communication strategies. Regular exercises and updates are critical to maintaining readiness and resilience.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• you have a formal, approved response plan that is current and accessible
• there is clarity around roles, responsibilities, and escalation procedures
• you have records of testing and exercising, including outcomes and improvements
• you integrate the response plan with business continuity and disaster recovery frameworks
• you have appropriate communication protocols for internal teams and external stakeholders

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• outline the response plan; overview, scope, objectives, and key components
• outline roles and responsibilities – who does what during an incident? 
• reference evidence of testing; dates, scenarios, and outcomes of exercises 
• describe communication protocols, including internal and external notification processes 
• explain your approach to continuous improvement and how you respond to lessons identified

“You have the capability to enact your incident response plan, including effective limitation of impact on the operation of your essential function(s). During an incident, you have access to timely information on which to base your response decisions.”

This contributing outcome  is about the organisation’s capability to respond to and recover from incidents affecting the networks and systems supporting essential functions. It ensures that the organisation can contain, mitigate, and recover from cyber incidents in a timely and effective manner, minimising disruption to essential services and reducing the impact on stakeholders.

Organisations need:

• preparedness: well-defined, rehearsed, and documented response and recovery plans
• coordination: clearly established roles, responsibilities, and communication channels
• capability: the tools, resources, and trained personnel to respond effectively
• resilience: systems can be restored to a secure and operational state quickly
• learning: lessons from incidents are captured to improve future response and recovery efforts

Plans should be regularly tested and updated to reflect changes in the threat landscape, technology, and business operations.

Response and recovery capability is about being ready, resourced, and resilient. Organisations must ensure that plans are practical, tested, and continuously improved, with clear ownership and integration into broader organisational resilience strategies. The ability to respond effectively is a cornerstone of operational assurance and public trust.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• you have documented and approved response and recovery plans
• you conduct regular testing (e.g., tabletop exercises, technical simulations)
• you base testing and exercising on realistic scenarios known to have occurred in organisations with a similar threat posture
• you clearly assign of roles and responsibilities
• you hold incident logs and post-incident reviews demonstrate how incidents were managed
• you record metrics such as time to detect, respond, and recover
• you have continuous improvement in place, including updates to plans and training based on lessons learned
• any remedial actions are assigned, prioritised, tracked and reviewed for effectiveness

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• outline an overview of response and recovery plans and their scope
• describe roles and responsibilities for incident response and recovery
• outline tools and resources available to support response activities
• describe the frequency and outcomes of exercises or real-world incident responses
• include examples of recent incidents and how they were managed and resolved
• outline processes for post-incident review and improvement
• explain integration with wider organisational resilience planning

“Your organisation carries out exercises to test response plans, using past incidents that affected your (and other) organisation, and scenarios that draw on threat intelligence and your risk assessment.”

To meet this outcome, organisations should:

• conduct exercises to validate incident response and recovery plans against realistic scenarios
• base exercise scenarios on:
  • past incidents affecting your organisation or others
  • emerging threat intelligence
  • risks identified in organisational risk assessments
• use a mix of approaches such as:
  • tabletop exercises
  • technical simulations
  • disaster recovery drills
• ensure scenarios are documented, reviewed, and validated before execution
• run exercises at a defined cadence (e.g., annually or more frequently for critical systems)
• capture lessons learned and update response plans, playbooks, and controls accordingly
• validate all stages of incident handling:
  • detection
  • communication and escalation
  • decision-making
  • recovery and restoration of normal service
• maintain records of:
  • exercise reports
  • findings and remediation actions
  • updated plans and configurations
• incorporate current threat trends and adversary tactics into exercise design to ensure relevance

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• exercise scenarios are based on real-time incidents, experiences or accurate threat intelligence
• scenarios are documented, reviewed and validated
• exercises are run regularly 
• exercise findings are documented and used to refine incident response based on lessons learned
• exercises test the full lifecycle of any incident

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

1. Testing regime

• confirm how often Incident Response (IR) Business Continuity (BC) and Disaster Recovery (DR) plans are tested
• confirm that scenarios used during testing are based on real incidents experienced by the organisation or by organisations with a similar threat posture
• explain how threat intelligence is used when considering which exercise scenarios to use

2.   Assurance

• outline how BCPs / DRPs are reviewed and approved by an subject matter expert (this could be a third party specialist or a suitably qualified and experienced person from within the organisation)

3.   Outputs

• outline how the results of any test or exercise of the IRP, BCP or DRP are documented
• explain how the outputs from testing and exercising are validated and stored securely
• explain how agreed remediations are assigned and tracked

“When an incident occurs, steps must be taken to understand its root causes and ensure appropriate remediating action is taken.”

Organisations must identify the underlying causes of cyber security incidents affecting the networks and systems supporting essential functions and take appropriate steps to address them.

This outcome ensures that incidents are not only resolved but also understood, so that systemic weaknesses can be addressed and future recurrence prevented.

Root cause analysis (RCA) is a structured process to:

• understand what happened, how, and why
• identify contributing factors, including technical, procedural, and human elements
• determine systemic issues or control failures
• recommend and implement corrective actions to reduce the likelihood or impact of future incidents

RCA should be proportionate to the severity of the incident and embedded into the organisation’s incident management lifecycle. 

Root cause analysis is about understanding why things went wrong and reducing the likelihood of similar incidents happening in future. Organisations must embed RCA into their incident response lifecycle, ensuring that every significant incident becomes an opportunity to strengthen resilience and reduce future risk.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• you have a documented RCA process that is consistently applied
• you assign an accountable member of staff (incident manager) to lead RCA
• you have examples of completed RCAs, showing depth of analysis encompassing examination of: roles; processes; controls; configuration; and vulnerabilities 
• RCA covers technical and non-technical reasons
• you take corrective actions as a result of RCA findings
• you have tracking mechanisms in place to ensure recommendations are implemented
• you integrate RCA with risk and change management processes
• you implement continuous improvement based on RCA outcomes, including updates to controls, policies, and training 

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• describe the RCA process and when it is applied
• explain the methodologies used and rationale for their selection
• outline roles and responsibilities for conducting and reviewing RCAs
• share examples of recent RCAs, including root causes identified and actions taken
• explain how RCA findings are tracked and reviewed over time
• outline integration with broader governance, such as risk registers or audit findings
• outline plans for improving RCA capability, including training or tooling

“Your organisation uses lessons learned from incidents to improve your security measures.”

Organisations must use lessons learned from cyber security incidents to reduce the risk of recurrence and improve the effectiveness of cyber security measures protecting essential functions. This outcome ensures that incidents are not treated as isolated events but as opportunities for learning and continuous improvement, strengthening the organisation’s overall cyber resilience.

Organisations should:

• capture lessons learned from all significant incidents, near misses, and exercises
• analyse trends across incidents to identify recurring issues or systemic weaknesses
• feed insights into governance processes, such as risk management, policy updates, and control enhancements
• track implementation of improvement actions and measure their effectiveness
• promote a learning culture where incident reviews are constructive and focused on improvement rather than blame

This process should be embedded into the organisation’s cyber security lifecycle and aligned with broader business improvement initiatives.

Every incident is an opportunity to get stronger. Organisations must ensure that lessons are captured, shared, and acted upon. Embedding a culture of continuous improvement driven by real world experience is essential to building long term cyber resilience and protecting essential functions.

What reviewers are looking for

Where possible, your contributing outcome summary and evidence should demonstrate that:

• security incident policies and processes include structured post-incident reviews, root cause analyses and lessons learned activities
• lessons learned encompass both technical and non-technical (people, process and technology)
• you have made improvements as a result of security incidents or exercises
• you have mechanisms for prioritising, implementing tracking and reviewing remediation activity
• you integrate lessons learned with risk management and governance processes
• you have demonstrable evidence of a learning culture, including staff engagement and feedback loops
• lessons learned are incorporated into training, awareness, and testing activities
• you collect metrics showing the impact of improvements (e.g., reduced incident frequency or severity)
• you maintain a central repository of lessons learned and improvement actions
• policies, procedures, and controls are reviewed and updated based on incident / exercise insights
• you report lessons and improvements to governance bodies and senior leadership
• trend analysis is conducted to identify systemic issues or emerging risk 

What to include in your contributing outcome summary

What you include will vary depending on your system and organisational context. You should consider the following, where applicable. 

• describe the lessons learned process, including when and how it is triggered
• share examples of incidents or exercises that led to improvements
• explain how lessons are documented, tracked, and reviewed
• explain how lessons learned are integrated with risk, policy, and control management
• outline roles and responsibilities for driving and overseeing improvements
• reference evidence of cultural maturity, such as openness to learning and non-punitive review processes
• outline plans for enhancing the lessons learned process or addressing known gaps