GovAssure detailed contributing outcome summary guidance
Specific guidance on how to write a summary for each contributing outcome in NCSC's Cyber Assessment Framework (CAF).
Please note: the content on this page is currently being updated. Guidance will be available for all 39 contributing outcomes soon.
You will need to write a summary of up to 1,500 words for every contributing outcome.
At stage 4, your reviewer will use the summary to understand how your IGP responses and evidence support your contributing outcome status.
Make your summary clear and evidence-based. This will help your reviewer to confirm your compliance without needing to ask for clarification. It will also help them to make a decision if they are considering downgrading or upgrading your contributing outcome status.
In your contributing outcome summary, you should:
- Be specific to your organisational context.
- Confirm the processes and controls in place.
- Explain how processes and controls are managed and who is responsible.
- Explain how often your organisation reviews processes.
- Describe how key controls and processes support the contributing outcome.
- Explain how you implement these controls.
- Include references to your supporting evidence.
- Make sure that you reference your responses to IGPs, including where you have commented on alternative controls or exemptions.
- Include any gaps or limitations that your organisation faces with cyber security measures.
Note: It is important that you write a summary even if your status is ‘not achieved’. This will allow the reviewer to provide more targeted recommendations in their final report.
CAF Objective A – Managing security risk
“You have effective organisational security management led at board level and articulated clearly in corresponding policies.”
Cyber resilience starts at the top. Organisations must ensure that their board or executive leadership actively directs and oversees cyber security strategy. This includes setting priorities, allocating resources, and embedding cyber risk into decision-making. Strong board direction is essential to building a culture of accountability and ensuring that cyber security supports the organisation’s mission.
The board should:
- set clear expectations for cyber security outcomes
- ensure cyber risks are considered in strategic planning and decision-making
- allocate appropriate resources to manage cyber risks
- receive regular updates on cyber posture and incidents
- champion a culture of cyber awareness and accountability
Board-level engagement is critical to embedding cyber resilience into the organisation’s core operations.
What reviewers are looking for
Where possible, your contributing outcome summary should demonstrate that:
- the board has formally endorsed cyber security objectives and priorities
- cyber risk is integrated into strategic planning and governance
- the board receives regular, structured reporting on cyber posture and incidents
- there is a clear link between board decisions and cyber security resource allocation
- board members are informed and engaged in cyber risk discussions
- cyber security responsibilities are clearly defined at the leadership level
- board members have access to cyber expertise or training
What to include in your contributing outcome summary
What you include will vary depending on your system and organisational context. You should consider the following, where applicable.
- explain how the board sets and reviews cyber security objectives
- reference evidence of cyber security being discussed at board level (e.g. meeting minutes, agenda items)
- describe how cyber risk is integrated into strategic decision-making
- describe the frequency and format of cyber reporting to the board
- explain how board decisions influence cyber security investment and priorities
- describe any training or awareness provided to board members on cyber issues
- outline relevant governance structures that support board oversight of cyber risk
“Your organisation has established roles and responsibilities for the security of network and information systems at all levels, with clear and well-understood channels for communicating and escalating risks.”
Clear roles and responsibilities are essential for strong governance and resilience. Organisations should define and document security roles, and communicate them clearly and regularly. They should ensure everyone understands responsibilities and risk escalation paths, and review and update roles periodically to maintain clarity and accountability. Processes should be aligned with external partners and suppliers.
Organisations should:
- define roles for senior leadership, operational teams, and third parties
- document responsibilities for security tasks such as risk management, incident response, and compliance
- communicate effectively through policies, training, and organisational charts
- establish escalation routes for reporting security concerns
- integrate suppliers by embedding responsibilities in contracts and service agreements
What reviewers are looking for
Where possible, your contributing outcome summary and evidence should demonstrate that:
- you have a clear role matrix mapping responsibilities across the organisation
- you document responsibilities in policies, job descriptions, and SLAs
- there are well-defined and understood escalation channels that are operational
- you communicate roles and responsibilities across the organisation and have appropriate training in place
- suppliers are aligned with contractual obligations and you monitor this
What to include in your contributing outcome summary
What you include will vary depending on your system and organisational context. You should consider the following, where applicable.
- describe how roles are assigned, communicated, and reviewed
- describe the frequency and process for reviewing and updating roles and responsibilities
- reference evidence in the form of a summary table showing roles, responsibilities, and escalation paths
- describe relevant training and awareness activities
- include details of supplier integration and contractual responsibilities
“You have senior-level accountability for the security of network and information systems, and delegate decision-making authority appropriately and effectively. Risks to network and information systems related to the operation of the essential function(s) are considered in the context of other organisational risks.”
Cyber decisions must be informed, accountable, and aligned with organisational priorities, particularly where they affect essential functions. Organisations should ensure that decision-making processes are clear, supported by accurate information, and involve the right people. Strong governance around cyber decisions enhances resilience, reduces risk, and supports strategic outcomes.
Effective cyber decision-making requires:
- clear governance structures that support informed and timely decisions
- defined processes for escalating and approving cyber-related decisions
- access to accurate and timely risk, threat, and operational information
- involvement of appropriate stakeholders, including technical experts and business leaders
- documentation of decisions and rationale to support accountability and learning
- integration of cyber decision-making into broader organisational risk and strategic planning
Decisions should be made in a way that balances security, operational needs, and business risk appetite.
What reviewers are looking for
Where possible, your contributing outcome summary and evidence should demonstrate that:
- your organisation establishes governance frameworks that define how cyber decisions are made and by whom
- you ensure that decision-makers have access to relevant risk, threat, and performance data
- risk and threat information is used to inform decisions
- decisions affecting essential functions are escalated and reviewed appropriately
- you involve cross-functional stakeholders in cyber decision-making processes
- you document decisions thoroughly, including rationale, risks considered, and expected outcomes
- cyber decisions are integrated into wider organisational governance and planning
- you review decision-making processes regularly to ensure they remain effective and responsive
- you ensure cyber decisions are aligned with organisational strategy and risk appetite
What to include in your contributing outcome summary
What you include will vary depending on your system and organisational context. You should consider the following, where applicable:
- describe how cyber decisions are made, escalated, and approved
- explain who is involved in decision-making and the governance structures that support this
- describe the information used to inform decisions (e.g. risk assessments, threat intelligence)
- explain how decisions are documented and reviewed
- describe how cyber decision-making aligns with organisational strategy and risk management
- share any recent examples of decisions affecting essential functions and how they were handled
- explain how decision-making processes are evaluated and improved
“Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential function(s) and communicating associated activities.”
What reviewers are looking for
Where possible, your contributing outcome summary should demonstrate that:
- risk assessments are informed by an understanding of the vulnerabilities to the essential function
- the output from the security risk management (SRM) process is a clear set of security requirements that will address the identified risks
- key security decision-makers and accountable individuals are informed of significant conclusions drawn from the output of risk assessment activity
- there is a clear shared understanding of what triggers initiation of a risk assessment
- appropriate threat analysis activity is conducted
What to include in your contributing outcome summary
What you include will vary depending on your system and organisational context. You should consider the following, where applicable.
- Policy, standards and processes
  - outline your risk management policy, standards and processes
  - explain how these are communicated to the organisation
  - describe any reviews undertaken and their frequency
- Governance
  - outline how security risk is communicated to stakeholders at board level
  - demonstrate that risk owners are identified and are accountable for ownership of security risks within their area of responsibility
  - outline the criteria for escalation of risk reporting and the relevant processes
  - explain how staff are made aware of their responsibilities around security risk and outline any training provided
- Risk assessment
  - describe what triggers a risk assessment to be conducted by the organisation
  - explain how security risk subject matter experts (SMEs) are involved in risk assessment activity
  - outline the risk management documentation for the essential function
  - explain how third-party suppliers are captured in the security risk management process
- Vulnerabilities
  - explain how vulnerabilities affecting the essential function are identified and used in the risk assessment process
  - describe how security SMEs are engaged to identify these vulnerabilities
- Threat analysis
  - describe how the organisation uses threat intelligence to inform risk assessments
  - outline the sources used to identify threats to the essential function
- Mitigation
  - describe how mitigation plans are agreed and prioritised with input from security subject matter experts
  - describe how mitigating controls are tested for effectiveness and re-assessed should they be considered ineffective
“You have gained confidence in the effectiveness of the security of your technology, people, and processes relevant to your essential function(s).”
Organisations must have appropriate mechanisms in place to confirm that cyber security controls are effective and operating as intended. This includes internal and external assurance activities that provide confidence to leadership, stakeholders, and regulators that risks to essential functions are being managed appropriately.
Effective assurance practices include:
- regular testing and validation of cyber security controls
- independent reviews or audits of cyber processes and systems
- use of metrics and reporting to track performance and compliance
- engagement with third-party assurance providers where appropriate
- integration of assurance findings into risk management and decision-making
- continuous improvement based on assurance outcomes
Assurance should be proportionate to the organisation’s risk profile and support informed governance.
Structured assurance processes validate control effectiveness, inform decision-making, and drive continuous improvement. Strong assurance practices underpin trust, accountability, and resilience.
What reviewers are looking for
Where possible, your contributing outcome summary and evidence should demonstrate that:
- assurance activities are planned, conducted regularly, and documented
- assurance activities encompass security risk management, secure development lifecycle and organisational change process activities, enabling real-time assurance at any point of a build, project or change
- you test cyber controls for effectiveness and coverage
- you conduct reviews, audits, and control testing at regular intervals
- you use internal assurance to validate controls
- you use external assurance (e.g. penetration testing, certifications) where appropriate
- assurance findings are reported to decision-makers and acted upon
- you track remediation actions and ensure they are followed up appropriately
- you use metrics and KPIs to measure cyber performance
- assurance is integrated with risk management and governance processes
- you have a cycle of continuous improvement based on assurance outcomes
What to include in your contributing outcome summary
What you include will vary depending on your system and organisational context. You should consider the following, where applicable.
- describe your cyber assurance programme and its scope
- outline the types of assurance activities conducted (e.g. audits, testing, reviews)
- explain how assurance findings are reported and used
- outline the use of external assurance providers or certifications
- explain how assurance supports governance and risk management
- share examples of improvements made based on assurance outcomes
- share any metrics or indicators used to track assurance performance
“Everything required to deliver, maintain or support networks and information systems necessary for the operation of essential functions is determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such as power or cooling).”
Asset categories include:
- data (information assets)
- people (roles, responsibilities, skills)
- systems (hardware, software, cloud services)
- supporting infrastructure (e.g., power supply, cooling systems, environmental controls)
What reviewers are looking for
Where possible, your contributing outcome summary and evidence should demonstrate that:
- your organisation identifies, tracks, and manages all relevant assets from acquisition/commissioning through to decommissioning
- you have documented policies and procedures in place to govern asset management
- you assign responsibilities to suitably qualified and experienced personnel (SQEP) with appropriate training
- you have clear accountability structures in place for managing assets throughout their lifecycle
What to include in your contributing outcome summary
What you include will vary depending on your system and organisational context. You should consider the following, where applicable.
- Definition of an asset
  - outline how your organisation defines “assets” (e.g., hardware, software, data, people, supporting infrastructure)
  - explain how you communicate this definition internally
- Asset register
  - confirm that an asset register exists
  - explain how you actively maintain it and keep it up to date
  - describe the frequency of reviews and updates
- Roles and responsibilities
  - describe your organisation’s process for formally assigning asset managers
  - explain how you identify asset owners for each asset
- Dependencies and criticality
  - describe how you record dependencies (e.g., power, cooling, business continuity measures) in the asset register
  - explain how you assess and record each asset’s criticality to operations or legal obligations (e.g., personal data handling, critical infrastructure)
- Change and decommissioning
  - describe how you involve cyber security subject matter experts when new assets are created, changed, or retired
  - describe how you record decommissioning activities in the asset register
“The organisation understands and manages security risks to network and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third-party services are used.”
The supply chain is part of the attack surface. Organisations must actively manage cyber risks associated with third-party providers by embedding security into procurement, contracts, and ongoing oversight. This includes third-party providers, contractors, and service partners who support or have access to systems underpinning essential functions.
Supply chain risk management is essential because third parties can be a source of vulnerabilities. Effective practices include:
- identifying suppliers and service providers that support essential functions
- assessing the cyber risks associated with each supplier
- embedding cyber security requirements into contracts and procurement processes
- monitoring supplier compliance with security expectations
- ensuring suppliers have appropriate incident response and resilience capabilities
- reviewing supply chain risks regularly and updating controls as needed
Cyber security must be considered throughout the lifecycle of supplier relationships from onboarding to offboarding. Strong supply chain governance helps protect essential functions and ensures resilience against external threats.
What reviewers are looking for
Where possible, your contributing outcome summary and evidence should demonstrate that:
- you have well-established supplier management processes and policies
- you have identified suppliers supporting essential functions
- you conduct cyber risk assessments for suppliers
- contracts include cyber security clauses and service level agreements (SLAs)
- you require suppliers to meet minimum security standards (e.g. certifications, policies, internal and external security testing)
- you monitor supplier performance and compliance for security requirements
- you have established processes for managing and responding to supplier-related incidents
- you have contractual timeframes for suppliers to report security incidents to the organisation in time for the organisation to meet the ICO's 72-hour breach notification deadline
- supply chain risks are reviewed regularly
- the organisation understands the impact of supplier failure or compromise on essential functions
- you review supply chain risks periodically and adjust controls accordingly
- the right to audit subcontractors is established contractually
What to include in your contributing outcome summary
What you include will vary depending on your system and organisational context. You should consider the following, where applicable.
- describe how you identify and manage suppliers supporting essential functions
- explain how you assess and mitigate cyber risks for key suppliers
- describe the security requirements that are included in contracts and SLAs
- explain how supplier compliance is monitored and reviewed
- describe how supply chain risks are integrated into broader risk management
- outline processes for responding to supplier-related incidents
- share examples of improvements made based on supply chain reviews or incidents
CAF Objective B – Protecting against cyber attacks
“You have developed and continue to improve a set of cyber security and resilience policies, processes and procedures that manage and mitigate the risk of adverse impact on your essential function(s).”
Policies, processes, and procedures form the foundation of a strong cyber security posture. Effective documentation supports consistency, accountability, and continuous improvement. Policies, processes, and procedures should:
- be aligned with organisational objectives and legal/regulatory requirements
- be tailored to the organisation’s risk profile and operational context
- clearly define expected behaviours, responsibilities, and control requirements
- be accessible to relevant staff and stakeholders
- be reviewed and updated regularly to reflect changes in technology, threats, and business operations
Cyber security policies and procedures are not just paperwork – they are essential tools for guiding secure behaviour and consistent control implementation. Organisations must ensure documentation is clear, current, and embedded into daily operations to support resilience and compliance.
What reviewers are looking for
Where possible, your contributing outcome summary and evidence should demonstrate that:
- cyber security policies, processes, and procedures are documented and maintained
- documentation is aligned with organisational objectives and legal requirements
- policies are supported by operational procedures that guide implementation
- staff are aware of and can access relevant documentation
- there is a formal process for reviewing and updating documentation
- documentation is used to support consistent and effective cyber control implementation
- stakeholders are engaged in development and review of policies, processes and procedures
- policies are aligned with wider organisational governance and risk management frameworks
What to include in your contributing outcome summary
What you include will vary depending on your system and organisational context. You should consider the following, where applicable.
- summarise the cyber security policies and procedures in place
- explain how these documents support the protection of essential functions
- describe how documentation is developed, reviewed, and maintained
- describe how staff are made aware of and access relevant policies
- explain how procedures support consistent implementation of controls
- describe how policies, processes and procedures are aligned with legal, regulatory, and organisational requirements
- share examples of recent updates or improvements to documentation
“You have successfully implemented your security policies, processes and procedures and can demonstrate the security benefits achieved.”
Organisations must ensure that cyber security policies, processes, and procedures are not only documented but actively implemented and followed across the organisation. This outcome focuses on embedding cyber security into day-to-day operations to support the protection of essential functions. Policies should be practical, enforceable, and tailored to the organisation’s context.
Effective cyber security requires:
- clear, accessible policies and procedures that align with organisational goals and risk appetite
- processes that are embedded into operational workflows
- staff awareness and training to ensure consistent application
- mechanisms to monitor compliance and effectiveness
- regular reviews and updates to reflect changes in technology, threats, and business needs
Cyber security must be lived, not just written. Organisations must ensure that policies and procedures are actively followed, understood, and embedded into everyday operations. Strong implementation builds a culture of security and supports the protection of essential functions.
What reviewers are looking for
Where possible, your contributing outcome summary and evidence should demonstrate that:
- cyber security policies and procedures are actively implemented across the organisation
- staff understand and follow documented processes
- mechanisms are in place to monitor and enforce compliance
- processes are embedded into operational activities (e.g. access control, incident response, patch management)
- policies and procedures are reviewed and updated regularly, including updates based on lessons learned, changes in systems, or threat intelligence
- you provide training and guidance to staff on how to follow procedures
- you monitor adherence to policies through audits, reviews, or automated tools
- cyber security is embedded into operational workflows, not treated as a separate activity
- leadership supports and enforces policy compliance
What to include in your contributing outcome summary
What you include will vary depending on your system and organisational context. You should consider the following, where applicable.
- summarise key cyber security policies and procedures
- explain how these are implemented in practice across the organisation
- describe how you approach staff awareness and training on cyber security policies and procedures
- describe how compliance is monitored and enforced
- outline how policies are reviewed and updated
- share examples of how cyber processes are embedded into operational workflows
- share examples of improvements made based on feedback or incidents
Content coming soon
Content coming soon
“You closely manage privileged user access to network and information systems supporting your essential function(s).”
What reviewers are looking for
Where possible, your contributing outcome summary should demonstrate that:
- your organisation requires additional validation for privileged users
- you clearly identify individuals with privileged access to the essential function or supporting systems, including third parties
- privileged users are only granted specific permissions, with the minimum level of access required to perform their role
- you routinely review privileged user access and activity
What to include in your contributing outcome summary
What you include will vary depending on your system and organisational context. You should consider the following, where applicable.
- Authentication
  - confirm that your organisation requires multifactor authentication for privileged users
  - explain how additional authentication reduces the risk of credentials being intercepted
- Management
  - explain how privileged users are managed by the organisation, and whether access is managed centrally
  - describe how you apply the rule of least privilege to privileged users
  - describe how your organisation reviews the requirement for privileged access, including by whom and at what interval(s)
- Logging and monitoring
  - describe how you record and review privileged user activity
  - describe log retention requirements for privileged user activity
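The routine review of privileged access described above is the kind of activity whose output (a dated list of findings per account) makes useful evidence for this contributing outcome. The script below is an added illustration of such a review and is not part of the GovAssure guidance or the NCSC CAF. It assumes a hypothetical export of privileged accounts, a hypothetical per-role permission baseline and a few constructed activity log lines, all embedded inline; the review interval and dormancy threshold are assumed values. It flags accounts without multifactor authentication, permissions beyond the role baseline (least privilege), overdue reviews, third-party accounts with no named internal owner, and privileged access that has not been used recently.

```python
"""Privileged access review over a constructed account export (added example)."""
from dataclasses import dataclass
from datetime import date

REVIEW_INTERVAL_DAYS = 90   # assumed: maximum age of the last access review
DORMANT_AFTER_DAYS = 60     # assumed: privileged access unused this long is flagged

# Constructed per-role baseline: the minimum permissions each privileged role needs.
ROLE_BASELINE = {
    "sysadmin": frozenset({"host:login", "host:sudo", "patch:apply"}),
    "db-admin": frozenset({"db:backup", "db:restore", "db:schema"}),
    "vendor-support": frozenset({"app:readlogs"}),
}


@dataclass(frozen=True)
class PrivilegedAccount:
    username: str
    role: str
    permissions: frozenset
    mfa_enabled: bool
    last_reviewed: date
    third_party: bool = False
    owner: str = ""          # internal owner accountable for a third-party account


# Constructed export of privileged accounts (hypothetical users and systems).
ACCOUNTS = [
    PrivilegedAccount("alice", "sysadmin",
                      frozenset({"host:login", "host:sudo", "patch:apply"}),
                      True, date(2024, 4, 15)),
    PrivilegedAccount("bob", "db-admin",
                      frozenset({"db:backup", "db:restore", "db:schema", "host:sudo"}),
                      True, date(2024, 1, 10)),
    PrivilegedAccount("vendor-svc", "vendor-support",
                      frozenset({"app:readlogs"}),
                      False, date(2024, 5, 1), third_party=True, owner=""),
]

# Constructed privileged activity log: "<timestamp> <user> <action> <detail>".
ACTIVITY_LOG = """
2024-05-28T09:12:03Z alice host:sudo target=srv-01
2024-05-20T14:02:44Z bob db:backup target=db-01
2024-02-01T10:00:00Z vendor-svc app:readlogs target=app-01
""".strip().splitlines()


def last_activity(log_lines):
    """Return the most recent activity date per user from the log lines."""
    latest = {}
    for line in log_lines:
        timestamp, user = line.split()[:2]
        day = date.fromisoformat(timestamp[:10])
        if user not in latest or day > latest[user]:
            latest[user] = day
    return latest


def review_account(acct, last_seen, today):
    """Return the list of findings for one account (empty list means no issue)."""
    findings = []
    if not acct.mfa_enabled:
        findings.append("no-mfa")
    if acct.role not in ROLE_BASELINE:
        findings.append("unknown-role")
    # Least privilege: anything beyond the role baseline needs justification.
    excess = acct.permissions - ROLE_BASELINE.get(acct.role, frozenset())
    if excess:
        findings.append("excess-permissions:" + ",".join(sorted(excess)))
    if (today - acct.last_reviewed).days > REVIEW_INTERVAL_DAYS:
        findings.append("review-overdue")
    if acct.third_party and not acct.owner:
        findings.append("third-party-no-owner")
    # Unused privileged access is a candidate for removal.
    if last_seen is None or (today - last_seen).days > DORMANT_AFTER_DAYS:
        findings.append("dormant")
    return findings


def run_review(accounts=ACCOUNTS, log_lines=ACTIVITY_LOG, today=date(2024, 6, 1)):
    """Review every account; returns {username: [findings]} for the evidence record."""
    seen = last_activity(log_lines)
    return {a.username: review_account(a, seen.get(a.username), today)
            for a in accounts}


if __name__ == "__main__":
    for user, findings in run_review().items():
        print(f"{user}: {'OK' if not findings else ', '.join(findings)}")
```

In a real review the account export would come from the directory or privileged access management tool and the log lines from the central log store; the review date, the reviewer and the resulting findings are what a summary for this outcome would reference as evidence, alongside the retention period those logs are kept for.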
Content coming soon
CAF Objective C – Detecting cyber security events
Content coming soon
CAF Objective D – Minimising the impact of cyber security incidents
Content coming soon