Information Risk Management Guidance

A collection of documents in support of an effective decision-making culture where security is properly considered and integrated.

This collection was withdrawn on

This content has been moved to the NCSC website:

The guidance and principles provided here are aimed at those responsible for making decisions about technology and information risks on behalf of the business. It is also a useful starting point for risk and security subject matter experts who are advising organisations on risk management and risk assessment.

You can subscribe to updates for this and all CESG publications to receive alerts by email when documents are changed or replaced.

We welcome feedback to help shape our guidance. Please send comments to

Published 4 November 2014
Last updated 8 September 2015
  1. Added guidance on passwords.
  2. Refreshed to help make it easier to find security guidance published on GOV.UK.
  3. First published.