Cyber Risk & Information Security Management

Align cyber risk, governance and assurance to your enterprise risk framework

About this course

This dynamic online course bridges cybersecurity and enterprise risk management, helping you align cyber controls, assurance and governance with your organisation’s risk objectives. Whether you are a cyber professional wanting to engage with risk frameworks, or a risk practitioner expanding into the cyber domain, you will gain clarity and confidence to bring the two worlds together.
Through real-world stories, interactive examples and practical tools, you will learn to design and implement cyber risk management processes that integrate seamlessly with your enterprise risk framework.

Course specifics

Audience: Cyber Risk Managers, Information Security Officer / CISO, Enterprise Risk Managers, IT Governance or Compliance Managers

Cost: $770.00 (members), $990.00 (non-members)

Facilitator: The Protecht Group

Format: On-Demand

Time: 5.5 hours of video content

Approximately 6.5 hours total course time

CPD Points: 7

Course details

This course covers governance, incident response, metrics, frameworks like ISO 31000 and NIST, and the cultural dimensions of cyber risk. Led by our expert trainers — David Tattam (Chief Research & Content Officer), Michael Howell (Head of Risk Research & Knowledge) and Michael Franklin (Cyber Security Lead) — you’ll leave with a complete toolkit ready to embed effective cyber risk practices across your organisation.

Key topics covered:

1. The Need for Cyber Risk Management

  • Introductory definitions

  • Business, social, dynamic & regulatory drivers

2. Defining Cyber Risk

  • Definitions of risk, cyber risk and information security

  • Components of risk; bow tie introductions

  • How cyber overlaps with privacy, technology and data risks

  • Integrating cyber into an enterprise risk taxonomy

3. Defining Cyber Risk Controls

  • What are controls?

  • Seven treatment methods to manage cyber risk

  • Mapping controls to risk components

  • Use of cyber-control frameworks and standards

  • Compliance vs risk; identifying non-controls

4. Cyber Risk Management Frameworks & Processes

  • Applying ISO 31000 steps to cyber risk

  • Applying an ERM framework to cyber risk

  • Aligning cyber frameworks with enterprise risk management

  • Common risk management processes applied to cyber

5. Cyber Risk Appetite

  • Setting appetite for objectives and risks

  • Risk appetite for cyber and how to use it

6. Cyber Risk Assessment

  • Stages of risk assessment; techniques overview

  • Scoping assessments (enterprise, process or asset)

  • Using bow ties for risk and control understanding

  • Inherent risk, residual risk and control effects

  • Evaluating against risk appetite; writing risk scenarios

  • Aligning cyber-specific methodologies with enterprise risk assessments

7. Measuring Cyber Risk

  • Why measure risk?

  • Common risk measurement methods

  • Qualitative (risk matrices & subjective approaches)

  • Semi-quantitative methods (scoring models for risk and controls)

  • Quantitative measures (risk as a distribution; challenges; simplified linear approach)

  • Data sources: internal and external components of cyber risk

8. Cyber Risk Metrics

  • Purpose of risk metrics; types of metrics

  • Characteristics of good metrics & pitfalls

  • Defining zones & thresholds

  • Using metrics for escalation, reporting & response

  • Metrics for risk vs information-security capability

9. Cyber Controls Management

  • Need for controls assurance; internal vs external assurance

  • Governance vs technical controls

  • Documenting control information; mapping to frameworks

  • Testing vs assessing controls

  • Control-testing process: objectives, design and operating effectiveness

  • Assessing groups of controls; considering automation

  • Applying outcomes of controls-management activities

  • Control library and testing template

10. Cyber Incident & Crisis Management

  • Defining cyber incidents; enterprise incident-management approach

  • Specific distinctions for cyber incident management

11. Issues and Action Management

  • Raising issues: how they are identified, ownership, tracking

  • Linking to risk-management components

  • Action management: tracking, reporting, alignment, dangers when ignored

12. Reporting & Communication

  • Purpose of reporting; main types of reports

  • What to report; stakeholder considerations

  • Collecting data for reports; report examples

13. Integrating with Enterprise Risk Management

  • Benefits of integration; integrating cyber processes within the ERM “house”

  • Managing shifting cyber exposure during “Risk In Change”

  • Cyber compliance; alignment with operational-resilience and third-party-risk management frameworks

14. Responsibilities for Cyber Risk Management

  • Everyone as a risk manager

  • The Three-Lines Model

  • Roles in cyber-risk management; key behaviours supporting a strong risk culture

Learning outcomes:

  • Align Cyber Controls with Enterprise Risk: Gain the expertise to connect cybersecurity activities with your organisation’s risk-management framework, ensuring cyber risk is managed as a business risk rather than purely a technical one.

  • Implement Cyber Risk Management Processes: Develop skills to design, assess and monitor cyber risk processes—from appetite and assessment through to reporting and incident management—so you can embed repeatable practices across your organisation.

  • Drive a Risk-Aware Cyber Culture: Learn how to shift from risk-avoidance to informed risk-taking, empower stakeholders, and provide meaningful assurance and executive-level insight on cyber risk.