JOIN ISA

Cyber-Risk Oversight Handbook

Download the newest edition of the “Cyber-Risk Oversight Handbook”

ISA, in conjunction with the NACD, is pleased to publish the fourth edition of the Cyber-Risk Oversight Handbook for corporate boards. This fourth version of the handbook (first issued in 2014) builds on the success of the 2020 handbook. It outlines six “guiding principles” to enhance board oversight of cyber risk and includes tools which provide clear guidance on how best to oversee management of specific cybersecurity issues, including M&A due diligence, insider threats, supply chain management, incident response, personal security, model dashboards and metrics, engagement with the security team, and what to expect from the government.

In 2014, NACD published the first edition of the “Cyber-Risk Handbook” in conjunction with the ISA and AIG.

The Handbook has proven to be one of NACD’s most popular publications and was the first private-sector resource featured on the Department of Homeland Security’s C3 Voluntary Program’s Getting Started for Business website.

We issued a significantly updated version in 2020 that includes the new sixth principle that we call the “ESG principle.” 

This publication has been independently assessed by PricewaterhouseCoopers and shown to dramatically improve enterprise cybersecurity.

“Guidelines from the NACD advise that Boards should view cyber-risks from an enterprise-wide standpoint and understand the potential legal impacts. Boards appear to be listening to this advice. This year, we saw a double-digit uptick in board participation in most aspects of information security. Deepening board involvement has improved cybersecurity practices in numerous ways. As more boards participate in cybersecurity budget discussions, we saw a 24% boost in security spending. Other notable outcomes cited by survey respondents include identification of key risks, fostering an organizational culture of security and better alignment of cybersecurity with overall risk management and business goals.”

PricewaterhouseCoopers Global State of Information Security Survey 2016 (pdf)

Working together, NACD and ISA have produced a unique and successful program that addresses cybersecurity as a board-level issue – not simply an IT operational issue.

Directors can leverage the handbook in a few ways:

  • Learn foundational principles for board-level cyber-risk oversight that have been vetted and praised by cybersecurity leaders in the public and private sectors
  • Gain insight into issues such as how to allocate cyber-risk oversight responsibilities at the board level; the legal implications and considerations related to cybersecurity; how to set expectations with management about the organization’s cybersecurity processes; and ways to improve the dialogue between directors and management on cyber issues.
  • Use the tools in the nine appendices to improve and enhance boardroom practices.

Cyber-Risk Oversight Handbook

A leader in Cyber Policy, Practice, and Promotion.

Contact
Helpful Links
Subscribe

Enter your email to be added to our email list:

Facebook Linkedin Twitter
Copyright © 2025 Internet Security Alliance, All rights reserved.