Practice guide

Cybersecurity risk management

Cybersecurity risk management is how an organisation understands, prioritises and reduces its cyber security risk. It is the discipline underneath every regulation on this site — and the reason NIST risk management frameworks exist.

The basics

Managing cyber security risk

Cyber security best practices, in order

The most useful cyber security best practices are not a long checklist — they are knowing your assets, patching quickly, controlling access, monitoring continuously and rehearsing your response.

Identify and assess

Cybersecurity risk management starts by identifying assets and threats, then assessing the cyber security risk each represents.

Treat and monitor

You then decide how to treat each risk — mitigate, transfer, accept or avoid — and monitor it over time.

Use a framework

NIST risk management frameworks such as the NIST Cybersecurity Framework and RMF give you a proven structure instead of a blank page.

The cybersecurity risk management cycle

Identify

Know your assets, data and the cyber security risk they carry.

Protect

Apply controls and cyber security best practices.

Detect

Monitor continuously to catch incidents early.

Respond & recover

Contain, remediate and learn from incidents.

Where to next

Tool and connect

Compare open-source GRC tooling, and read ISO 27001 and NIS2.

GRC tooling

Run your risk register and controls in one place.

ISO 27001

A certifiable home for cyber risk management.

NIS2

The regulation that makes this mandatory for many.

Cybersecurity risk management FAQs

What is cybersecurity risk management?

The process of identifying, assessing, treating and monitoring cyber security risk across an organisation.

What are NIST risk management frameworks?

Structured approaches from NIST — such as the Cybersecurity Framework and the Risk Management Framework (RMF) — for managing security risk.

What are the key cyber security best practices?

Asset inventory, timely patching, access control, continuous monitoring and rehearsed incident response.

Put cyber security risk on a framework.

Tool your risk program with open-source GRC and sharpen it in a workshop.