Policy paper

Mapping cyber governance code to ANSSI

Updated 16 April 2025

Introduction

This mapping document is for boards, directors and Chief Information Security Officers (or equivalent) and will help them understand the Cyber Governance Code of Practice (the Code).

The mapping document illustrates where there are similarities and differences between the Code and the French ANSSI – Controlling the Digital Risk – A Trust Advantage framework. It can be used by organisations to understand which actions of the Code they may already be implementing through adherence to the ANSSI digital risk framework.

The mapping document is illustrative and should only be used as a point of reference. It is not intended to be authoritative or be taken as legal advice on compliance with the framework mentioned. 

If you have any comments or questions on the Cyber Governance mapping, please contact cybergovernance@dsit.gov.uk.

Principle A: Risk management

Action A1: Gain assurance that the technology processes, information and services critical to the organisation’s objectives have been identified, prioritised and agreed.

Alignment with ANSSI Controlling the Digital Risk: Step Two: Understanding one’s digital activity


Action A2: Agree senior ownership of cyber security risks and gain assurance that they are integrated into the organisation’s wider enterprise risk management and internal controls. 

Alignment with ANSSI Controlling the Digital Risk: Step One: Defining a governance framework for the digital risk


Action A3: Define and clearly communicate the organisation’s cyber security risk appetite and gain assurance that the organisation has an action plan to meet these risk expectations. 

Alignment with ANSSI Controlling the Digital Risk: Step Three: Know your risk acceptance threshold


Action A4: Gain assurance that supplier information is routinely assessed, proportionate to their level of risk and that the organisation is resilient to cyber security risks from its supply chain and business partners. 

Alignment with ANSSI Controlling the Digital Risk: Step Three: Know your risk acceptance threshold, Step Nine: Building one’s protection


Action A5: Gain assurance that risk assessments are conducted regularly and that risk mitigations account for recent, or expected, changes in the organisation, technology, regulations or wider threat landscape.

Alignment with ANSSI Controlling the Digital Risk: Step Fourteen: Agility: continuous improvement and performance

Principle B: Strategy

Action B1: Gain assurance that the organisation has developed a cyber strategy and this is aligned with, and embedded within, the wider organisational strategy.

Alignment with ANSSI Controlling the Digital Risk: Step Four: Building one’s worst risk scenario, Step Five: Defining one’s digital security and promotion strategy


Action B2: Gain assurance that the cyber strategy aligns with the agreed cyber risk appetite (Action A3), meets relevant regulatory obligations, and accounts for current or expected changes (Action A5). 

Alignment with ANSSI Controlling the Digital Risk: Step Fourteen: Agility: continuous improvement and performance


Action B3: Gain assurance that resources are allocated effectively to manage the agreed cyber risks (Actions A3 and A5).

Alignment with ANSSI Controlling the Digital Risk: Step Five: Defining one’s digital security and promotion strategy, Step Thirteen: Commitment: from adhesion to action


Action B4: Gain assurance that the cyber strategy is being delivered effectively and is achieving the intended outcomes. 

Alignment with ANSSI Controlling the Digital Risk: Step Fourteen: Agility: continuous improvement and performance

Principle C: People

Action C1: Promote a cyber security culture that encourages positive behaviours and accountability across all levels. This should be aligned with the organisation’s strategy (Action B1).

Alignment with ANSSI Controlling the Digital Risk: Step Seven: Humans at the centre of the game


Action C2: Gain assurance that there are clear policies that support a positive cyber security culture.

Alignment with ANSSI Controlling the Digital Risk: Step One: Defining a governance framework for the digital risk, Step Thirteen: Commitment: from adhesion to action


Action C3: Undertake training to improve your own cyber literacy and take responsibility for the security of the data and digital assets that you use. 

Alignment with ANSSI Controlling the Digital Risk: Step Seven: Humans at the centre of the game


Action C4: Gain assurance using suitable metrics that the organisation has an effective cyber security training, education and awareness programme.

Alignment with ANSSI Controlling the Digital Risk: Step Seven: Humans at the centre of the game

Principle D: Incident planning, response and recovery

Action D1: Gain assurance that the organisation has a plan to respond to and recover from a cyber incident impacting business critical technology processes, information and services.

Alignment with ANSSI Controlling the Digital Risk: Step Ten: Orienting one’s defence and anticipating the reaction thereof


Action D2: Gain assurance that there is at least annual exercising of the plan involving relevant internal and external stakeholders and that lessons from the exercise are reflected in the incident plan (Action D1) and risk assessments (Action A5).

Alignment with ANSSI Controlling the Digital Risk: Step Eleven: Showing resilience in the event of a cyberattack, Step Fourteen: Agility: continuous improvement and performance


Action D3: In the event of an incident, take responsibility for individual regulatory obligations, such as reporting, and support the organisation in critical decision making and external communications.

Alignment with ANSSI Controlling the Digital Risk: Step Eleven: Showing resilience in the event of a cyberattack


Action D4: Gain assurance that a post-incident review process is in place to incorporate lessons learned into future risk assessments (Action A5), response and recovery plans (Action D1) and exercising (Action D2).

Alignment with ANSSI Controlling the Digital Risk: Step Eleven: Showing resilience in the event of a cyberattack

Principle E: Assurance and oversight

Action E1: Establish a cyber governance structure which is embedded within the wider governance structure of the organisation. This should include clear definition of roles and responsibilities, including ownership of cyber at executive and non-executive director level. 

Alignment with ANSSI Controlling the Digital Risk: Step One: Defining a governance framework for the digital risk


Action E2: Require formal reporting on at least a quarterly basis, set suitable metrics to track, and agree tolerances for each. These should be aligned to the cyber strategy (Action B1) and based on the agreed cyber risk appetite (Action A3).

Alignment with ANSSI Controlling the Digital Risk: Step One: Defining a governance framework for the digital risk


Action E3: Establish regular two-way dialogue with relevant senior executives, including, but not limited to, the chief information security officer (or equivalent).

Alignment with ANSSI Controlling the Digital Risk: Step One: Defining a governance framework for the digital risk


Action E4: Gain assurance that cyber security considerations (including the actions in this code) are integrated and consistent with existing internal and external audit and assurance mechanisms.

Alignment with ANSSI Controlling the Digital Risk: Step Fourteen: Agility: continuous improvement and performance


Action E5: Gain assurance that senior executives are aware of relevant regulatory obligations, as well as best practice contained within other Codes of Practice.

Alignment with ANSSI Controlling the Digital Risk: Step Two: Understanding one’s digital activity, Step Nine: Building one’s protection