Cyber Security and Resilience Method (CSRM)

The National Cyber Security Centre (NCSC) has developed a Cybersecurity and Resilience Method (CSRM) to help organisations take a more structured approach to these topics and strengthen their overall security.

As digitalisation becomes increasingly prevalent in society and the business world, ensuring cybersecurity and resilience is becoming an ever-greater challenge. Although there are many standards, recommendations and models, organisations often struggle to know where to start or how to improve their cybersecurity and resilience sustainably. What is often lacking are concrete, practical guidelines and points of reference.

Against this backdrop, the NCSC is presenting the CSRM, a structured method consisting of five steps. This approach is designed to help organisations of all sizes and sectors strengthen their cybersecurity and resilience in a sustainable way. The method is based on an enhanced baseline security approach and consists of the following steps:

Step 1
The organisation's key activities and business and production processes are analysed.

Step 2
The IT resources that support these activities and processes are identified and grouped into 'IT protection objects'.

Step 3
The required level of protection is determined for each IT protection object. In the simplest case, this is a binary decision as to whether the IT protection object has an increased need for protection or not.

Step 4
A security concept is created for each IT protection object that requires increased protection, outlining how to best address security threats.

Step 5
Finally, the technical and organisational measures (TOMs) defined as baseline measures, along with additional TOMs specified in security plans, are implemented.

The five CSRM steps

Although the CSRM is structured as a five-step method, in practice it can make sense to start with the most important processes and IT protection objects, and work through the rest later. This approach is not ideal, since many IT protection objects are interdependent, and these dependencies should be reflected in security plans. Nevertheless, from a practical point of view, a prioritised approach can be useful.

The CSRM is complemented by an option to assess your security posture and benchmark it against organisations of a similar size and from the same sector. This option will be made available through the NCSC's Cyber Security Hub (CSH).

The CSRM is currently being tested and refined in collaboration with selected partners and stakeholders. A consultation is underway until the end of January, and the NCSC welcomes feedback as part of this process. The CSRM will be made available to the public as a recommendation. Industry associations may adopt the method and recommend it to their members. Regulators can adapt the method to suit their needs, and declare it binding within their areas of responsibility. This can complement or replace the minimum standard for ICT resilience issued by the Federal Office for National Economic Supply (FONES).



Last modification 24.11.2025


https://www.ncsc.admin.ch/content/ncsc/en/home/infos-fuer/infos-it-spezialisten/themen/csrm.html