Policy paper

Mapping cyber governance code to NCSC Cyber Assessment Framework

Published 8 April 2025

Introduction

This mapping document is for boards, directors and Chief Information Security Officers (or equivalent) and will help them understand the Cyber Governance Code of Practice (the Code).

The mapping document illustrates where there are similarities and differences between the Code and the NCSC Cyber Assessment Framework. It can be used by organisations to understand which actions of the Code they may already be implementing through adherence to the NCSC Cyber Assessment Framework.

The mapping document is illustrative and should only be used as a point of reference. It is not intended to be authoritative or be taken as legal advice on compliance with the framework mentioned. 

If you have any comments or questions on the Cyber Governance mapping, please contact cybergovernance@dsit.gov.uk

Principle A: Risk management 

Action A1: Gain assurance that the technology processes, information and services critical to the organisation’s objectives have been identified, prioritised and agreed. 

Alignment with NCSC CAF: Principle A3 - Asset Management 


Action A2: Agree senior ownership of cyber security risks and gain assurance that they are integrated into the organisation’s wider enterprise risk management and internal controls.  

Alignment with NCSC CAF: Principle A1 - Governance


Action A3: Define and clearly communicate the organisation’s cyber security risk appetite and gain assurance that the organisation has an action plan to meet these risk expectations.   

Alignment with NCSC CAF: Principle A2 - Cyber Risk Management 


Action A4: Gain assurance that supplier information is routinely assessed, proportionate to their level of risk and that the organisation is resilient to cyber security risks from its supply chain and business partners.   

Alignment with NCSC CAF: Principle A4 - Supply Chain 


Action A5: Gain assurance that risk assessments are conducted regularly and that risk mitigations account for recent, or expected, changes in the organisation, technology, regulations or wider threat landscape. 

Alignment with NCSC CAF: Principle A2 - Cyber Risk Management 

Principle B: Strategy 

Action B1: Gain assurance that the organisation has developed a cyber strategy and this is aligned with, and embedded within, the wider organisational strategy. 

Alignment with NCSC CAF: Principle A1 - Governance


Action B2: Gain assurance that the cyber strategy aligns with the agreed cyber risk appetite (Action A3), meets relevant regulatory obligations, and accounts for current or expected changes (Action A5).   

Alignment with NCSC CAF: Principle A1 - Governance


Action B3: Gain assurance that resources are allocated effectively to manage the agreed cyber risks (Actions A3 and A5).

Alignment with NCSC CAF: No comparison 


Action B4: Gain assurance that the cyber strategy is being delivered effectively and is achieving the intended outcomes.   

Alignment with NCSC CAF: No comparison 

Principle C: People 

Action C1: Promote a cyber security culture that encourages positive behaviours and accountability across all levels. This should be aligned with the organisation’s strategy (Action B1). 

Alignment with NCSC CAF: Principle B6 - Staff awareness and training 


Action C2: Gain assurance that there are clear policies that support a positive cyber security culture. 

Alignment with NCSC CAF: Principle A1 - Governance, Principle B1 - Service Protection Policies, Processes and Procedures


Action C3: Undertake training to improve your own cyber literacy and take responsibility for the security of the data and digital assets that you use.   

Alignment with NCSC CAF: Principle B6 - Staff awareness and training 


Action C4: Gain assurance using suitable metrics that the organisation has an effective cyber security training, education and awareness programme. 

Alignment with NCSC CAF: Principle B6 - Staff awareness and training 

Principle D: Incident planning, response and recovery

Action D1: Gain assurance that the organisation has a plan to respond to and recover from a cyber incident impacting business critical technology processes, information and services. 

Alignment with NCSC CAF: Principle One: Cybersecurity as a Strategic Risk, Tool E: Incident Response 


Action D2: Gain assurance that there is at least annual exercising of the plan involving relevant internal and external stakeholders and that lessons from the exercise are reflected in the incident plan (Action D1) and risk assessments (Action A5). 

Alignment with NCSC CAF: Principle One: Cybersecurity as a Strategic Risk, Principle Three: Board Oversight Structure and Access to Expertise, Tool E: Incident Response 


Action D3: In the event of an incident, take responsibility for individual regulatory obligations, such as reporting, and support the organisation in critical decision making and external communications. 

Alignment with NCSC CAF: Tool E: Incident Response, Principle Two: Legal and Disclosure Implications 


Action D4: Gain assurance that a post incident review process is in place to incorporate lessons learned into future risk assessments (Action A5), response and recovery plans (Action D1) and exercising (Action D2). 

Alignment with NCSC CAF: Tool E: Incident Response, Principle One: Cybersecurity as a Strategic Risk, Principle Two: Legal and Disclosure Implications, Principle Three: Board Oversight Structure and Access to Expertise 

Principle E: Assurance and oversight 

Action E1: Establish a cyber governance structure which is embedded within the wider governance structure of the organisation. This should include clear definition of roles and responsibilities, including ownership of cyber at executive and non-executive director level.   

Alignment with NCSC CAF: Principle Four: An Enterprise Framework for Managing Cyber Risk 


Action E2: Require formal reporting on at least a quarterly basis, set suitable metrics to track, and agree tolerances for each. These should be aligned to the cyber strategy (Action B1) and based on the agreed cyber risk appetite (Action A3). 

Alignment with NCSC CAF: Principle Five: Cybersecurity Measurement and Reporting 


Action E3: Establish regular two-way dialogue with relevant senior executives, including but not limited to, the chief information security officer (or equivalent).   

Alignment with NCSC CAF: Principle Three: Board Oversight Structure and Access to Expertise, Tool H: Building a relationship with the CISO 


Action E4: Gain assurance that cyber security considerations (including the actions in this code) are integrated and consistent with existing internal and external audit and assurance mechanisms. 

Alignment with NCSC CAF: Principle Five: Cybersecurity Measurement and Reporting 


Action E5: Gain assurance that senior executives are aware of relevant regulatory obligations, as well as best practice contained within other Codes of Practice. 

Alignment with NCSC CAF: Principle Two: Legal and Disclosure Implications