Protecht Academy

Cyber Risk and Information Security Management.

Course Overview

Cyber and information security are no longer just technical issues, they are critical business risks that demand enterprise-wide management. This course bridges the gap between cybersecurity frameworks and enterprise risk management, helping you connect your cyber controls, assurance, and governance practices to your broader organisational risk objectives. Whether you’re a cyber leader seeking to align with risk frameworks, or a risk professional expanding into the cyber domain, this course will give you the clarity and confidence to bring the two worlds together. 

Through relatable stories, real-world examples, and practical tools, you’ll learn how to design and implement cyber risk management processes that integrate seamlessly with your enterprise risk management framework. We’ll cover the key components of cyber and information security management—from frameworks and governance, to metrics, incident response, and risk appetite—equipping you to provide meaningful assurance and insight to executives and boards. 

Our trainers, David Tattam (Chief Research & Content Officer), Michael Howell (Head of Risk Research & Knowledge) and Michael Franklin (Cyber Security Lead), guide you through Protecht’s approach to managing cyber risk within an enterprise context. You’ll finish with a complete, ready-to-use toolkit to embed effective cyber risk management, align with standards such as ISO 31000 and NIST, and drive a culture of informed risk-taking—not risk avoidance—across your organisation.

Course description

In this course, you'll learn:

1. The Need for Cyber Risk Management

  • Introductory definitions
  • Business drivers
  • Social drivers
  • Dynamic drivers
  • Regulatory drivers

2. Defining Cyber Risk

  • Definitions of risk
  • Definitions of cyber risk and information security
  • Components of risk
  • Introduction to risk bow ties
  • How cyber overlaps with privacy, technology and data risks
  • Integrating cyber into an enterprise risk taxonomy

3. Defining Cyber Risk Controls

  • Definition of controls
  • 7 treatment methods to manage cyber risk
  • How to map controls to components of risk
  • The use of cyber-related control frameworks and standards
  • Contrasting compliance and risk, and handling controls that aren’t controls

4. Cyber Risk Management Frameworks & Processes

  • Applying ISO 31000 steps to cyber risk management
  • Applying an Enterprise Risk Management Framework to cyber risk management
  • Aligning cyber-specific frameworks to Enterprise Risk Management frameworks
  • Common risk management processes applied to cyber

5. Cyber Risk Appetite

  • Setting appetite for objectives and risks
  • Setting risk appetite for cyber
  • How to use risk appetite

6. Cyber Risk Assessment

  • Stages of a risk assessment
  • An overview of risk assessment techniques
  • Scoping the risk assessment – enterprise, process or asset
  • Understanding risk and controls using bow ties
  • Considering inherent risk, residual risk, and the effect of controls
  • Evaluating risk assessment against risk appetite
  • Writing risk scenarios
  • Aligning cyber-specific methodologies with enterprise risk assessment

7. Measuring Cyber Risk

  • Why we measure risk
  • The common measures of risk
  • Main types of risk measurement
  • Qualitative measurement
    • Risk matrices and subjective approaches
    • Challenges with the risk matrix
  • Semi-quantitative methods
    • Scoring models for risk
    • Scoring models for controls
    • Challenges and assumptions in scoring models
  • Quantitative measures
    • Risk as a distribution
    • Types of quantitative measures
    • Challenges of risk quantification
    • A simplified linear quantification approach
  • Data sources to measure components of cyber risk
    • Internal sources of data
    • External sources of data

8. Cyber Risk Metrics

  • The purpose of risk metrics
  • The types of risk metrics
  • Characteristics of good metrics and pitfalls to avoid
  • Defining zones and thresholds
  • How to use metrics for escalation, reporting and response
  • Metrics for risk versus information security capability

9. Cyber Controls Management

  • The need for controls assurance
  • Distinction between internal assurance and external assurance
  • Difference between governance controls and technical controls
  • Documenting controls information
  • Mapping control frameworks
    • Mapping controls you apply to external frameworks and standards
    • Challenges and approaches to mapping multiple frameworks
  • Control testing versus controls assessment
  • A control testing process
    • Importance of control objectives
    • Assessing design effectiveness
    • Assessing operating effectiveness
  • Controls assessment over a group of controls
  • Considering automated controls
  • Applying outcomes of controls management activities
  • A control library and testing template

10. Cyber Incident & Crisis Management

  • Defining cyber incidents
  • An enterprise approach to incident management
  • Distinctions for cyber incident management

11. Issues and Action Management

  • Raising issues
    • Common ways that issues arise or are identified
    • Ownership and tracking
    • Linking to other components of risk management
  • Action management
    • Tracking actions and reporting
    • Alignment between systems or reporting mechanisms
    • Dangers when actions are ignored

12. Reporting & Communication

  • The purpose of reporting
  • Main types of reports
  • What to report
  • Considering stakeholders
  • Collecting data for reporting
  • Report examples

13. Integrating with Enterprise Risk Management

  • Benefits of integration
  • Integrating cyber risk processes within the ERMF ‘House’
  • Managing shifting cyber exposure during Risk in Change
  • Cyber compliance management
  • Alignment with an Operational Resilience framework
  • Alignment with Third Party Risk Management

14. Responsibilities for Cyber Risk Management

  • Everyone as a risk manager
  • The Three Lines Model
  • Roles related to cyber risk management
  • Key behaviours that support strong risk culture

Course expectations

  • Watch 14 videos
  • Work through 7 interactive examples
  • Answer 10 quiz questions
  • Access 14 downloadable materials

Timings

  • 5.5 hours of video content
  • Approximately 6.5 hours for the whole course

Cost

  • USD $600 payable by credit card on registration

Next steps

You can purchase this course on-demand via Protecht Academy by credit card.

Please contact Protecht directly if you would like to discuss packages to implement this training across your organisation. Bulk discounts are available and packages can be invoiced in your local currency.

Our trainers

Michael Howell

Head of Risk Research & Knowledge

Michael Howell is Protecht's Head of Risk Research & Knowledge. He is passionate about the field of risk management and related disciplines, with a focus on helping organisations succeed using a ‘decisions eyes wide open’ approach.

Michael is a Certified Practicing Risk Manager whose curiosity drives his approach to challenge the status quo and look for innovative solutions.

David Tattam

GRC Thought Leader

David Tattam is GRC Thought Leader and Co-Founder of Protecht. David's vision is to redefine the way the world thinks about risk and to develop risk management to its rightful place as being a key driver of value creation in each of Protecht's customers.

David is an Associate of the Institute of Chartered Accountants in Australia and New Zealand and a Senior Fellow of the Financial Services Institute of Australia.

Mike Franklin

Cyber Security Lead

Mike Franklin has a long background in cyber security and risk governance. Prior to joining Protecht to lead our cyber risk team, he worked for multiple blue-chip organisations in banking, finance and tertiary education.

Mike’s deep expertise helps Protecht customers to strengthen their cyber security, ISMS and third party/vendor risk management programs.