Cyber Security Governance and Risk Management is the monitoring of compliance with agreed cyber security policies and the assessment and management of relevant risks. 

In an entry level role, there is a broad mixture of duties focused on the practicalities of managing risk: 

• drafting policies 
• carrying out risk assessments 
• verifying compliance with the agreed policies 

Roles with more responsibility ensure compliance and establish and validate governance systems, which will require at least three years of cyber security experience, and the confidence to manage the responsibility. 

For those focused on risk management, there may be two cycles of work:  

1. the periodic carrying out of large-scale assessments/reassessments of cyber security risks to the whole organisation or to particular systems 

1. frequent updates to specific risk assessments as the nature and scale of threats and vulnerabilities change 

When potential risks are identified, there needs to be an understanding of the organisation’s assets and their value, so regular conversations with general managers and other relevant stakeholders across the organisation is key. Knowledge on how the organisation’s data is stored and how it flows between systems is also important. Likewise, when assessing the likelihood and impact of a risk affecting a system or set of information, this involves working closely with other types of cyber security teams, particularly Vulnerability Management and Cyber Threat Intelligence. 

Whether working on policies, monitoring compliance, or using standard tools and techniques to assess risk, much of this work requires a methodical approach on interpreting and applying standards and legislation. Documenting these risks is important, whether it is maintained on a risk register or drafting policies. 

If responsibilities extend beyond identifying and assessing risks to determine the most appropriate approaches to managing them, there needs to be some creativity in using the understanding of the organisation’s business and values, the scale of the risks and the effectiveness of the available risk control options. 

Cyber Security Governance and Risk Management protects the security of an organisation’s information systems and data by setting policies, monitoring compliance and following defined procedures to identify, assess and manage risks from external and internal threats. 

In detail, you might: 

• draft cyber security policies and procedures, taking account of an organisation’s legal, regulatory and operational requirements 
• monitor compliance with policies 
• identify cyber security risks, posed by the combination of vulnerabilities and threats, to the security of an organisation’s information systems and data 

• assess the impact and likelihood of identified cyber security risks 
• depending on the level of responsibility and the severity of specific risks, propose measures - including avoidance, mitigation, sharing and acceptance - to manage risks 
• create and maintain a risk register or include the cyber security risks in the organisation’s overall risk register 

With more experience, you might also: 

• identify the requirement for policies and procedures and monitor their production and updating 

• approve policies and procedures 
• oversee the monitoring of compliance with agreed policies and procedures and report on this to senior management 
• set up and maintain the arrangements for managing cyber security risk, including agreeing organisational structures and formalising lines of authority 
• engage with heads of business departments to demonstrate the cyber risks which the organisation faces through existing processes and to recommend changes to them 
• assess and report on the effectiveness of risk management standards and policies 

• contribute to an organisation’s high-level risk strategy and the definition of its risk appetite 
• manage governance and risk management professionals 

Job Titles 

For Cyber Security Governance and Risk Management roles, titles include: 

• Technology Risk & Controls Analyst 

• Cyber Risk & Compliance Manager 
• Cyber Risk Analyst 
• Cyber Risk Consultant 
• GRC Risk Management Senior Associate 
• Information Security Risk Analyst 

• IT Risk and Compliance Manager 
• IT Security and Risk Manager 
• Information Security Consultant (although these may also be used for generalist roles) 
• Information Security Manager (although these may also be used for generalist roles) 
• GRC officer 

• Technology Risk Oversight Officer 

For more experienced Cyber Security Governance and Risk Management roles, titles include: 

• Senior Governance, Risk and Compliance (GRC) Analyst 
• Governance, Risk and Compliance Manager 
• Head of Cyber Risk and Assurance 

Salaries 

A Cyber Security Governance and Risk Management role could earn between £20,000 and £65,000 a year. The median figure in February 2021 was £52,500. 

A senior Cyber Security Governance and Risk Management role could earn between £60,000 and £100,000. The median figure in February 2021 was £65,000. 

These ranges are calculated from a survey of job vacancy advertisements published online in December 2020. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk. Both of these sources had small sample sets in the period in which the figures were generated. 

Each of the 16 specialisms are based on knowledge areas within CyBOK.  

More information on CyBOK knowledge areas can be found here. 

Here are the knowledge areas associated with Cyber Security Governance & Risk Management 

Core knowledge – you will need a very good understanding of these areas 

• Risk Management & Governance 
• Security management systems and organisational security controls, including standards, best practices, and approaches to risk assessment and mitigation. 

Related knowledge – you will need a solid understanding of these areas 

• Law & Regulation 
• International and national statutory and regulatory requirements, compliance obligations, and security ethics, including data protection and developing doctrines on cyber warfare 

• Human Factors 
• Usable security, social and behavioural factors impacting security, security culture and awareness as well as the impact of security controls on user behaviours. 
• Cyber-Physical Systems (if there are cyber-physical systems, such as industrial control systems within the scope of the role) 
• Security challenges in cyber-physical systems, such as the Internet of Things and Industrial Control Systems, attacker models, safe-secure designs, and security of large-scale infrastructures. 

Wider knowledge – these areas will help to provide context for your work 

• Security Operations & Incident Management 
• The configuration, operation and maintenance of secure systems including the detection of and response to security incidents and the collection and use of threat intelligence. 

Skills 

Personal attributes 

• taking account of multiple complex factors to arrive at logical, repeatable conclusions 
• verbal and written communication, especially in producing formal documents which are comprehensive and without ambiguities 
• presenting logical, objective reasons for all decisions made 

• encouraging and supporting colleagues, including those in other departments, to achieve shared objectives 
• working effectively within organisational policies, procedures, and security and legal constraints 
• being sensitive and constructive when challenging other people’s ideas or decisions 
• evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action 

Specialist skills  

• using statistical, mathematical or financial techniques to assess the likelihood (taking account of vulnerabilities and threats) and impact of cyber-attack techniques and deliberate or unintentional damaging actions by people within the organisation 
• applying risk management methodologies, such as those in ISO 27001, and sector-specific requirements, such as PCI-DSS 
• interpreting legal and regulatory requirements and integrating them with an organisation’s operational requirements 
• assessing the compliance of procedures and practice with agreed standards 

CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs) 

A1 – Governance 

Principles: 

• directs, oversees, designs, implements or operates within the set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage Cyber and Information Security at an enterprise level, supporting an organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements and ensuring compliance with those requirements 

A2 – Policy and Standards 

Principles: 

• directs, develops or maintains organisational Cyber and Information Security policies, standards and processes using recognised standards (e.g. the ISO/ IEC 27000 family, the Security Policy Framework) where appropriate 
• applies recognised Cyber and Information Security standards and policies within an organisation, programme, project or operation 

A6 – Legal and Regulatory Environment and Compliance 

Principles: 

• understands the legal and regulatory environment within which the business operates. Ensures that Information Security Governance arrangements are appropriate 

• ensures that the organisation complies with legal and regulatory requirements 

B2 – Risk Assessment 

Principles: 

• identifies and assesses information assets 
• uses this information and relevant threat assessments, business impacts, business benefits and costs to conduct risk assessments and identify and assess potential vulnerabilities 

B3 – Information Risk Management 

Principles: 

• develops Cyber and Information Security risk management strategies and controls, considering business needs and risk assessments, and balancing technical, physical, procedural and personnel controls 

*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec. 

Experience 

Any role that develops the abilities to assess complex sets of factors, methodically generate logical conclusions and document these very clearly, could provide a good foundation, with some additional specialist training, for a role in this specialism. 

Examples of such careers and roles include: 

• roles in the emergency services, especially fire and police services, which require substantial risk management 

• operational and staff roles in the Armed Forces 
• business risk management 
• business operations 
• IT system management 
• business continuity 

• financial or internal audit 
• specialist commercial insurance assessment 

Linked Specialisms 

• Cyber Security Management 
• Cyber Security Audit and Assurance 

Moving On 

From this specialism you might, with appropriate technical training, move into a role in: 

• business continuity 
• Cyber Security Audit & Assurance 
• Cyber Threat Intelligence 

Or, you might progress into a more senior role in Governance & Risk Management. In a small organisation you might become the head of cyber security, or possibly a Chief Information Security Officer (CISO) role. 

Our certification framework can be accessed here. This framework allows you to see which certifications may be useful to you, within the different specialisms and at which point of your career.

Entry route information can be found here.

You can also visit the National Cyber Security Centre website at the links below:

NCSC Certified Degrees 

NCSC Certified Training 

Christopher Cope is the Head of National Policing Audit, Risk and Compliance for the Police Digital Service. In this recorded webinar, he takes you through the Governance & Risk specialism in more detail, and what a typical day looks like.

If you are applying for a Professional Registration Title, the Standard of Professional Competence and Commitment for Cyber Security Governance & Risk Management can be found here