Policy paper

Mapping cyber governance code to NIST Cyber Security Framework

Published 8 April 2025

Introduction

This mapping document is for boards, directors and Chief Information Security Officers (or equivalent) and will help them understand the Cyber Governance Code of Practice (the Code).

The mapping document illustrates where there are similarities and differences between the Code and the NIST Cyber Security Framework. It can be used by organisations to understand which actions of the Code they may already be implementing through adherence to the NIST Cyber Security Framework.

The mapping document is illustrative and should only be used as a point of reference. It is not intended to be authoritative or be taken as legal advice on compliance with the framework mentioned. 

If you have any comments or questions on the Cyber Governance mapping, please contact cybergovernance@dsit.gov.uk.

Principle A: Risk management 

Action A1: Gain assurance that the technology processes, information and services critical to the organisation’s objectives have been identified, prioritised and agreed. 

Alignment with NIST CSF: GV.OC-02, GV.OC-03, GV.OC-04, GV.RM-01, ID.AM-05 


Action A2: Agree senior ownership of cyber security risks and gain assurance that they are integrated into the organisation’s wider enterprise risk management and internal controls.  

Alignment with NIST CSF: GV.RR-01, GV.RM-03


Action A3: Define and clearly communicate the organisation’s cyber security risk appetite and gain assurance that the organisation has an action plan to meet these risk expectations.   

Alignment with NIST CSF: GV.OC-01, GV.RM-02


Action A4: Gain assurance that supplier information is routinely assessed, proportionate to their level of risk and that the organisation is resilient to cyber security risks from its supply chain and business partners.   

Alignment with NIST CSF: GV.SC-01, GV.SC-02, GV.SC-03, GV.SC-04, GV.SC-05, GV.SC-06, GV.SC-07, GV.SC-08, GV.SC-09, GV.SC-10, ID.RA-10


Action A5: Gain assurance that risk assessments are conducted regularly and that risk mitigations account for recent, or expected, changes in the organisation, technology, regulations or wider threat landscape. 

Alignment with NIST CSF: ID.RA-01, ID.RA-02, ID.RA-03, ID.RA-04, ID.RA-05, ID.RA-06, ID.RA-07, ID.RA-08, ID.RA-09

Principle B: Strategy 

Action B1: Gain assurance that the organisation has developed a cyber strategy and this is aligned with, and embedded within, the wider organisational strategy. 

Alignment with NIST CSF: GV.RM-04


Action B2: Gain assurance that the cyber strategy aligns with the agreed cyber risk appetite (Action A3), meets relevant regulatory obligations, and accounts for current or expected changes (Action A5).   

Alignment with NIST CSF: GV.RM-04


Action B3: Gain assurance that resources are allocated effectively to manage the agreed cyber risks (Actions A3 and A5).

Alignment with NIST CSF: GV.RR-03


Action B4: Gain assurance that the cyber strategy is being delivered effectively and is achieving the intended outcomes.   

Alignment with NIST CSF: GV.RR-02

Principle C: People 

Action C1: Promote a cyber security culture that encourages positive behaviours and accountability across all levels. This should be aligned with the organisation’s strategy (Action B1). 

Alignment with NIST CSF: GV.RR-01, GV.RR-04


Action C2: Gain assurance that there are clear policies that support a positive cyber security culture. 

Alignment with NIST CSF: GV.PO-01, GV.PO-02


Action C3: Undertake training to improve your own cyber literacy and take responsibility for the security of the data and digital assets that you use.   

Alignment with NIST CSF: GV.PO-01, PR.AT-01, PR.AT-02


Action C4: Gain assurance using suitable metrics that the organisation has an effective cyber security training, education and awareness programme. 

Alignment with NIST CSF: PR.AT-01, PR.AT-02

Principle D: Incident planning, response and recovery

Action D1: Gain assurance that the organisation has a plan to respond to and recover from a cyber incident impacting business critical technology processes, information and services. 

Alignment with NIST CSF: RS.MA-01, RC.RP-01


Action D2: Gain assurance that there is at least annual exercising of the plan involving relevant internal and external stakeholders and that lessons from the exercise are reflected in the incident plan (Action D1) and risk assessments (Action A5). 

Alignment with NIST CSF: ID.IM-02


Action D3: In the event of an incident, take responsibility for individual regulatory obligations, such as reporting, and support the organisation in critical decision making and external communications. 

Alignment with NIST CSF: GV.OC-03, RS.MA-02


Action D4: Gain assurance that a post-incident review process is in place to incorporate lessons learned into future risk assessments (Action A5), response and recovery plans (Action D1) and exercising (Action D2).

Alignment with NIST CSF: RS.AN-03

Principle E: Assurance and oversight 

Action E1: Establish a cyber governance structure which is embedded within the wider governance structure of the organisation. This should include clear definition of roles and responsibilities, including ownership of cyber at executive and non-executive director level.   

Alignment with NIST CSF: GV.RR-02, GV.PO-02, GV.OV-01, GV.OV-02, GV.OV-03


Action E2: Require formal reporting on at least a quarterly basis, set suitable metrics to track, and agree tolerances for each. These should be aligned to the cyber strategy (Action B1) and based on the agreed cyber risk appetite (Action A3). 

Alignment with NIST CSF: GV.RR-02, GV.OC-02, GV.OC-03


Action E3: Establish regular two-way dialogue with relevant senior executives, including, but not limited to, the chief information security officer (or equivalent).

Alignment with NIST CSF: GV.RR-01, GV.OC-02, GV.OC-03


Action E4: Gain assurance that cyber security considerations (including the actions in this code) are integrated and consistent with existing internal and external audit and assurance mechanisms. 

Alignment with NIST CSF: GV.OC-03 


Action E5: Gain assurance that senior executives are aware of relevant regulatory obligations, as well as best practice contained within other Codes of Practice. 

Alignment with NIST CSF: GV.OC-03