Continuously manage risk
Your team needs to monitor and respond to security risks, from the design of your capability or service to its retirement.
Know what is happening
You need to be aware of changes and emerging cyber security threats, so that you can respond quickly and effectively.
To help you identify changes and new threats, you can:
- run vulnerability assessments
- do threat modelling
- ask other teams and experts across Defence
You can check GOV.UK guidance on managing observability.
Use your framework
The risk management framework you choose will help you monitor and respond to changes.
For example, the National Institute of Standards and Technology's (NIST) cybersecurity framework includes guidance on incident management, reporting and communication.
You can check the NIST cybersecurity framework.
Respond to changes and threats
When you make changes or discover a new threat, you need to:
- assess the impact
- check your security controls are still appropriate
- update your risk management strategy
Document any changes you make to your strategy and controls, or the reason why no changes were necessary.
Plan how you will manage risks that cannot be fully mitigated. Check that these risks are within your organisation's risk appetite.
Remember to keep your Senior Responsible Owner (SRO) updated. They might need to accept new levels of risk.
Check GOV.UK guidance on assessing the impact of changes.
Your assessments
To keep your capability or service secure, you need to do regular assessments.
How often you do assessments depends on your capability or service, but you must do one at least every 3 months. You must also do an assessment when you make changes or discover new threats.
Make sure you track and complete all of the actions you identify in each assessment.
You can check how to do assessments in Defence.
Retire components securely
You should only use systems and components that are necessary for your capability or service.
When you retire systems or components that are no longer used, you need to do it securely. For example, you might need to delete sensitive data, remove access rights or destroy equipment.
When you write your strategy, include how you will retire components securely.
You can check GOV.UK guidance on retiring components.
Published August 2024